I have a few ASAs in regional offices, connected to the headquarters ASA via IPsec P2P VPNs over the internet. The VPN is set up on the outside interfaces of those ASAs. Now my trouble is managing those regional office ASAs from the headquarters network. I cannot directly connect to any of those remote ASAs; I have to log on to a remote switch behind them and then log on to the remote ASA. My syslog and network management servers are all in the headquarters network, and none of them can talk to the remote ASAs unless I let them do it on public IPs.
How can I manage (SNMP, syslog, etc.) a remote ASA through the IPsec VPN tunnel set up on its outside interface?
I am thinking of adding the outside interface public IP into the ACL for the VPN Phase 2 crypto map. Will it work?
Do the Cisco Supermen have an idea?
Thanks a lot.
I am by no means any Superman, but I think I can help.
You can actually configure all the SSH, SNMP, Syslog using the ASA inside interface, and that would be part of the interesting crypto ACL traffic (assuming that the crypto ACL includes the ASA inside interface subnet).
logging host inside
snmp-server host inside
Plus, you would also need to configure "management-access inside" on all your regional office ASAs.
Hope that helps.
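As an added illustration of the answer above (example configuration written for this page, not taken from the original post or from Cisco), here is a regional office ASA where syslog, SNMP and SSH are bound to the inside interface and the Phase 2 crypto ACL covers the inside subnet, so the ASA's own management traffic rides the tunnel instead of leaving on public IPs. All subnets, peer addresses, object names and the community string are assumed placeholders, and the syntax assumes ASA 8.4 or later.

```cisco
! Regional office ASA (example, not from the thread). Assumed addressing:
!   remote LAN / ASA inside: 10.20.0.0/24, inside IP 10.20.0.1
!   HQ LAN (syslog, NMS, admin hosts): 10.1.0.0/24
! Weak setting: management traffic bound to the outside interface, so it
! is sourced from the public IP and is not matched by the crypto ACL:
!   logging host outside 203.0.113.50
!   snmp-server host outside 203.0.113.51 community MGMT-RO version 2c
!
! Corrected setting: bind management to the inside interface instead.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.20.0.1 255.255.255.0
!
! Interesting traffic for Phase 2 must include the inside subnet, which
! also covers packets the ASA itself sources from 10.20.0.1.
access-list VPN-TO-HQ extended permit ip 10.20.0.0 255.255.255.0 10.1.0.0 255.255.255.0
!
! Keep tunnel traffic out of NAT (8.3+ twice-NAT exemption, assumed).
object network REMOTE-LAN
 subnet 10.20.0.0 255.255.255.0
object network HQ-LAN
 subnet 10.1.0.0 255.255.255.0
nat (inside,outside) source static REMOTE-LAN REMOTE-LAN destination static HQ-LAN HQ-LAN no-proxy-arp route-lookup
!
! IKE policy, tunnel-group and pre-shared key are omitted for brevity.
crypto ipsec ikev1 transform-set ESP-AES256-SHA esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address VPN-TO-HQ
crypto map OUTSIDE-MAP 10 set peer 198.51.100.10
crypto map OUTSIDE-MAP 10 set ikev1 transform-set ESP-AES256-SHA
crypto map OUTSIDE-MAP interface outside
crypto ikev1 enable outside
!
! Syslog and SNMP traps are sourced from inside, so they enter the tunnel.
logging enable
logging host inside 10.1.0.20
logging trap informational
snmp-server host inside 10.1.0.21 community MGMT-RO version 2c
!
! Let HQ reach the inside interface IP across the tunnel for SSH/ping;
! without management-access, traffic arriving on outside and destined
! for the inside interface address is dropped.
management-access inside
ssh 10.1.0.0 255.255.255.0 inside
icmp permit 10.1.0.0 255.255.255.0 inside
```

Check "show version" on the remote ASA before relying on this: as noted later in the thread, management access through the tunnel is affected by CSCtr16184 / CSCuc58260 on releases before 8.4.3.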
Do you have any icmp rule?
Can you please share the output of "sh run icmp" from the remote ASA?
Also, what version of ASA are you running on the remote end?
Plus, I assume you have added "management-access inside" too?
I have 'icmp permit any inside' on my remote ASAs, but apparently the ASA processes traffic passing through it differently from traffic generated by itself.
For example, I can ping the remote ASA's inside interface IP from the remote office network behind it, but I cannot ping the inside interface IP from the headquarters network.
I can telnet to the remote ASA on the inside interface IP from the remote office network behind it, but I cannot telnet to the inside interface IP from the headquarters network.
The remote ASA inside interface is in the same subnet as the remote office network.
What version is your ASA? There is a bug with management access to the ASA through a VPN tunnel.
CSCuc58260: ICMP to management-access interface through VPN fails
Or it matches this bug perfectly: CSCtr16184
Fixed in 8.4.3