How can I allow vpn to inside interface of ASA

Michael McGrath
Level 1

Kind of a two-parter, but both might be resolved with the same config.

I am trying to configure the IT VPN to be able to SSH into the inside interface of ASA1 (site 1), and then the second part would be to allow this same IT VPN through ASA1 to the inside interfaces of the two site-to-site connected ASAs (site 2 and site 3).

The IT VPN is able to get to everything at site 1 except ASA1, and it cannot get to anything in site 2 or site 3.

I'm trying different NAT rules and ACLs. When running a packet tracer from ASA1, the traffic gets dropped because of an implicit rule, but I have an ACE specifically allowing the ITVPN subnet to the ASA1 interface.

Any guidance would be appreciated.

Hi,

When you say IT VPN, are you talking about IT users connecting to a Remote Access VPN? Have you permitted SSH access from the VPN pool on the outside interface in order to manage ASA1?

So ASA1 has a site-to-site VPN to the ASAs at site 1 and 2? Do the encryption domains (the interesting traffic ACL) include the VPN pool for ASA1? Do you have a no-NAT rule for this traffic?

Posting your configuration and packet tracer output would be helpful.

Thank you for your response.

Yes, IT VPN means a specific pool of addresses that IT users get assigned when connecting to the VPN. I have allowed this subnet SSH access from the outside and inside interfaces:
ssh (ITVPN-subnet) 255.255.255.0 INSIDE
ssh (ITVPN-subnet) 255.255.255.0 outside

The IT VPN subnet is in the interesting traffic for the site-to-site connections between the offices.

For the no-nat I have this:

nat (INSIDE,outside) 6 source static site1-ITVPN-NETWORK site1-ITVPN-NETWORK destination static site1-ASA-INSIDE-INTERFACE site1-ASA-INSIDE-INTERFACE no-proxy-arp route-lookup

and I've tried (outside,inside) as well.

I've posted the packet tracer output and censored the IPs. The inside interface is (ASA1 INSIDE INTERFACE) and the IT VPN subnet is (ITVPN-node). I'm a little hesitant about posting my entire ASA config, but I will work on snipping out the important information and censoring the IPs.

Hi, try entering the command management-access inside. This allows you to manage the ASA on an interface other than the one from which you entered the ASA when using a VPN.

Reference

Excellent response. I wasn't thinking about this because I was already able to SSH to the inside interface of the ASA from the internal network.

I am now able to SSH into the ASA1 inside interface from the ITVPN subnet.
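As an added sanity check (not part of the thread, and not Cisco's own tooling), the following Python scans an ASA running-config excerpt for ssh statements that permit management on an interface other than the VPN ingress interface without a matching management-access statement, which is the gap the thread resolved. The config excerpt, the interface names and the VPN pool subnet are constructed for the example.

```python
import re

# Constructed running-config excerpt (not from the thread). The VPN pool
# 10.99.0.0/24 and the interface names are assumptions for this example.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
interface GigabitEthernet0/1
 nameif INSIDE
ssh 10.99.0.0 255.255.255.0 INSIDE
ssh 10.99.0.0 255.255.255.0 outside
ssh timeout 10
"""

# 'ssh <ip> <mask> <nameif>' and 'management-access <nameif>' statements.
SSH_RE = re.compile(r"^ssh\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)$")
MGMT_RE = re.compile(r"^management-access\s+(\S+)$")


def ssh_interfaces(config: str) -> dict:
    """Map each interface nameif to the (ip, mask) ssh entries allowed on it."""
    found = {}
    for line in config.splitlines():
        m = SSH_RE.match(line.strip())
        if m:
            found.setdefault(m.group(3), []).append((m.group(1), m.group(2)))
    return found


def management_access(config: str) -> set:
    """Interfaces declared with a management-access statement."""
    mgmt = set()
    for line in config.splitlines():
        m = MGMT_RE.match(line.strip())
        if m:
            mgmt.add(m.group(1))
    return mgmt


def missing_management_access(config: str, vpn_ingress: str = "outside") -> list:
    """ssh interfaces that a VPN client arriving on vpn_ingress cannot reach
    because no management-access statement names them."""
    mgmt = management_access(config)
    return sorted(ifc for ifc in ssh_interfaces(config)
                  if ifc != vpn_ingress and ifc not in mgmt)


if __name__ == "__main__":
    print(missing_management_access(SAMPLE_CONFIG))  # ['INSIDE']
    print(missing_management_access(SAMPLE_CONFIG + "management-access INSIDE\n"))  # []
```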