Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1679
Views
0
Helpful
3
Replies

IPSEC Site to Site VPN - NAT Issue with Management Address

Go to solution
IWilson8
Level 1
Level 1

‎09-23-2011 07:29 AM - edited ‎02-21-2020 05:37 PM

Hi All,

I have two Cisco ASA 5505 performing a IPSEC Site to Site VPN. All traffic on the insides of each firewall is going through the VPN tunnel and i have full connectivity. From site A, I can connect to the inside address of the ASA at site B and launch the ASDM or SSH etc.

The problem I have is when I am logged onto the ASA at site B the management traffic is being given the outside address. I have set this up as interesting traffic to get this to go over the VPN but I need it to use the inside address of ASA B. Can any of the following be done:

  • Can I force the ASA at Site B to use the inside interface as it's management address (I have already set the Management Access Interface to inside)
  • Can I NAT the outside interfaces address at Site B prior to passing the managment traffic across the VPN tunnel so it appears to come from the Site B inside address
  • Can I NAT the VPN traffic as it appears at Site A to get the management traffic from Site B onto the correct address.

The problem is that my SCEP requests also come from this address and I need the request to be on an internal address before allowing it though to my CA.

Thanks for any help.

Ian

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to IWilson8

‎09-28-2011 03:21 AM

Thanks, I understand what you are trying to achieve now.

However, I think i don't have a good news for you. Unfortunately the SCEP request can't be initiated from the ASA inside interface, as there is no option to initiate the request from the inside interface. With other management feature like AAA, logging, you have an option to specify which ASA interface you want to originate the request from, but SCEP request does not have that option.

Here is what you can configure under the crypto trustpoint, but unfortunately specifying the interface is not one of the option:

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/c5.html#wp2262210

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee

‎09-24-2011 04:27 AM

Here is the answer to your question:

  • Can I force the ASA at Site B to use the inside interface as it's  management address (I have already set the Management Access Interface  to inside) - possibly yes, but what exactly are you looking to initiate from the ASA inside interface?
  • Can I NAT the outside interfaces address at Site B  prior to passing the managment traffic across the VPN tunnel so it  appears to come from the Site B inside address - NO
  • Can I NAT the VPN traffic as it appears at Site A to get the management traffic from Site B onto the correct address. - Not quite sure what you mean

If you can pls explain which management traffic you would like to originate from the ASA, and what should be the source and destination IP Address, I might be able to advise further. But just need to understand what you are trying to achieve.

0 Helpful

Go to solution
IWilson8
Level 1
Level 1
In response to Jennifer Halim

‎09-26-2011 01:42 AM

Hi Jennifer

I am trying to initate a SCEP request from Site B ASA over the IPSEC VPN to the Microsoft Cerificate Authortiy on site A. The reason I wanted to try and use the inside address, is that to get to the Certificate Authority server I need to route the traffic though site A's network to the CA. For security reasons outside addresses are not routable over the Site A network so therefore I need to try and either translate the outside address at some point, or use the internal address. If I have created a diagram below in case I am not explaining this well. The goal is to have no 20.0.0.0 or 25.0.0.0 traffic going across site A network..

Thanks for responding

Ian

0 Helpful

Go to solution
Jennifer Halim
Cisco Employee
Cisco Employee
In response to IWilson8

‎09-28-2011 03:21 AM

Thanks, I understand what you are trying to achieve now.

However, I think i don't have a good news for you. Unfortunately the SCEP request can't be initiated from the ASA inside interface, as there is no option to initiate the request from the inside interface. With other management feature like AAA, logging, you have an option to specify which ASA interface you want to originate the request from, but SCEP request does not have that option.

Here is what you can configure under the crypto trustpoint, but unfortunately specifying the interface is not one of the option:

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/c5.html#wp2262210

0 Helpful
Customers Also Viewed These Support Documents