manage ASA via VPN on its outside interface

rhienwei2010
Level 1

I have a few ASAs in regional offices, connected to the headquarters ASA via IPsec point-to-point VPNs over the internet.  The VPN is set up on the outside interfaces of those ASAs.  Now my trouble is to manage those regional offices' ASAs from the headquarters network.  I cannot directly connect to any of those remote ASAs; I have to log on to a remote switch behind them and then log on to the remote ASA.  My syslog and network management servers are all in the headquarters network, and none of them can talk to the remote ASAs unless I let them do it on public IPs.

How can I manage (SNMP, syslog, etc.) a remote ASA through the IPsec VPN tunnel set up on its outside interface?

I am thinking of adding the outside interface's public IP to the ACL for the VPN Phase 2 crypto map.  Will it work?

Do any Cisco Supermen have an idea?

Thanks a lot.

6 Replies

Jennifer Halim
Cisco Employee

I am by no means any Superman, but I think I can help.

You can actually configure all of SSH, SNMP and syslog using the ASA inside interface, and that would be part of the interesting crypto ACL traffic (assuming that the crypto ACL includes the ASA inside interface subnet).

E.g.:

For SSH:

ssh <hq-network> <mask> inside

For syslog:

logging host inside <syslog-server-ip>

For SNMP:

snmp-server host inside <nms-ip> community <community-string>

Plus, you would also need to configure "management-access inside" on all your regional office ASAs.

Hope that helps.
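Putting the pieces of this reply together on one remote-office ASA, as an added, constructed example (not a config from the thread or from Cisco): the addressing, the peer, the HQ server IPs and the 8.4+ IKEv1 syntax are all assumptions.

```cisco
! Constructed remote-office ASA fragment (added example, not the thread's own config).
! Assumed addressing: remote inside 192.168.10.0/24 (ASA inside address 192.168.10.1),
! HQ networks 10.1.0.0/16, HQ ASA outside peer 203.0.113.1,
! HQ syslog server 10.1.1.20, HQ NMS 10.1.1.21. ASA 8.4+ syntax assumed.
!
! 1. Interesting traffic: the crypto ACL covers the remote INSIDE subnet, which is
!    where the ASA's own inside address lives. The outside public IP does not
!    need to be added to this ACL for management to work.
access-list HQ-VPN extended permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0
!
! 2. Site-to-site tunnel bound to the outside interface (pre-shared key is a placeholder).
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ipsec ikev1 transform-set HQ-TS esp-aes-256 esp-sha-hmac
crypto map OUTSIDE-MAP 10 match address HQ-VPN
crypto map OUTSIDE-MAP 10 set peer 203.0.113.1
crypto map OUTSIDE-MAP 10 set ikev1 transform-set HQ-TS
crypto map OUTSIDE-MAP interface outside
crypto ikev1 enable outside
tunnel-group 203.0.113.1 type ipsec-l2l
tunnel-group 203.0.113.1 ipsec-attributes
 ikev1 pre-shared-key <PRE-SHARED-KEY>
!
! 3. Allow traffic arriving through the tunnel to reach the inside interface address
!    (SSH, ping), and source the ASA's own syslog/SNMP traffic from inside so that
!    it matches the crypto ACL and enters the tunnel.
management-access inside
ssh 10.1.0.0 255.255.0.0 inside
icmp permit 10.1.0.0 255.255.0.0 inside
logging enable
logging trap informational
logging host inside 10.1.1.20
snmp-server host inside 10.1.1.21 community <SNMP-COMMUNITY> version 2c
snmp-server community <SNMP-COMMUNITY>
!
! NAT exemption for 192.168.10.0/24 <-> 10.1.0.0/16 is also required; its syntax
! differs between pre-8.3 (nat 0 access-list) and 8.3+ (twice NAT), so it is omitted here.
```

Restrict the ssh and icmp statements to the HQ management subnet rather than "any", and prefer SNMPv3 over a v2c community string where the NMS supports it.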

Pinging the remote ASA's inside interface private IP from the headquarters network doesn't work.

Do you have any icmp rule?

Can you please share the output of "sh run icmp" from the remote ASA?

Also, what version of ASA are you running on the remote end?

Plus, I assume you have added "management-access inside" too?

I have 'icmp permit any inside' on my remote ASAs, but apparently the ASA processes traffic passing through it differently from traffic generated by itself.

For example, I can ping the remote ASA's inside interface IP from the remote office network which is behind it, but I cannot ping the inside interface IP from the headquarters network.

I can telnet to the remote ASA on the inside interface IP from the remote office network which is behind it, but I cannot telnet to the inside interface IP from the headquarters network.

The remote ASA inside interface is in the same subnet as the remote office network.

What version is your ASA? There is a bug with management access to the ASA through a VPN tunnel.

CSCuc58260: ICMP to management-access interface through VPN fails