09-23-2011 07:29 AM - edited 02-21-2020 05:37 PM
Hi All,
I have two Cisco ASA 5505s performing an IPsec site-to-site VPN. All traffic on the insides of each firewall is going through the VPN tunnel and I have full connectivity. From site A, I can connect to the inside address of the ASA at site B and launch the ASDM or SSH etc.
The problem I have is when I am logged onto the ASA at site B the management traffic is being given the outside address. I have set this up as interesting traffic to get this to go over the VPN but I need it to use the inside address of ASA B. Can any of the following be done:
The problem is that my SCEP requests also come from this address and I need the request to be on an internal address before allowing it through to my CA.
Thanks for any help.
Ian
09-28-2011 03:21 AM
Thanks, I understand what you are trying to achieve now.
However, I think I don't have good news for you. Unfortunately the SCEP request can't be initiated from the ASA inside interface, as there is no option to initiate the request from the inside interface. With other management features like AAA and logging, you have an option to specify which ASA interface you want to originate the request from, but the SCEP request does not have that option.
Here is what you can configure under the crypto trustpoint, but unfortunately specifying the interface is not one of the options:
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/c5.html#wp2262210
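To make the contrast concrete, here is an added configuration fragment (not from the original thread or from Cisco's documentation) showing the per-feature source-interface options that do exist on the ASA next to a SCEP trustpoint that has none. The interface names, IP addresses, server names, key label and the CA's mscep path are assumptions for illustration only.

```cisco
! Added example, not part of the original thread. Addresses, names and
! the CA URL path are assumed values.
!
! Logging and AAA take an interface: the ASA sources these packets from
! the named interface ("inside"), so they enter the IPsec tunnel with the
! inside address.
logging host inside 10.1.1.50
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.1.1.60
 key RadiusSharedSecret
!
! SCEP enrollment: the trustpoint takes an enrollment URL but no
! source-interface keyword. The request is sourced from whichever
! interface the route to the CA points out of, which for a CA behind
! the peer site is the outside interface (the behaviour observed in the
! thread).
crypto key generate rsa label SITEB-KEY modulus 2048
crypto ca trustpoint SITEA-CA
 enrollment url http://10.1.1.70/certsrv/mscep/mscep.dll
 subject-name CN=asa-siteb
 keypair SITEB-KEY
!
! Fetch the CA certificate, then submit the enrollment request.
crypto ca authenticate SITEA-CA
crypto ca enroll SITEA-CA
```

Note that no `interface` or `source-interface` keyword is available under `crypto ca trustpoint`, which is the limitation described in the answer above; the only levers are the enrollment URL and the certificate attributes.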
09-24-2011 04:27 AM
Here is the answer to your question:
If you can please explain which management traffic you would like to originate from the ASA, and what should be the source and destination IP address, I might be able to advise further. But I just need to understand what you are trying to achieve.
09-26-2011 01:42 AM
Hi Jennifer
I am trying to initiate a SCEP request from the Site B ASA over the IPsec VPN to the Microsoft Certificate Authority on site A. The reason I wanted to try and use the inside address is that to get to the Certificate Authority server I need to route the traffic through site A's network to the CA. For security reasons outside addresses are not routable over the Site A network, so therefore I need to try and either translate the outside address at some point, or use the internal address. I have created a diagram below in case I am not explaining this well. The goal is to have no 20.0.0.0 or 25.0.0.0 traffic going across the site A network.
Thanks for responding
Ian