cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
647
Views
0
Helpful
6
Replies
Beginner

manage ASA via VPN on its outside interface

I have a few ASAs in region offices, and connected to headquater ASA via IPsec P2P VPNs through internet.  VPN is setup on outside interfaces of those ASAs.  Now my trouble is to manage those region offices' ASAs from headquater network.  I cannot directly connecte to any those remote ASAs, I have to logon a remote switch behine them then logon the remote ASA.  My syslog and network management servers are all in headquater network, none of them can talk to remote ASAs, unless I let them do it on public IPs.

How can I manage(snmp, syslog, etc) a remote ASA through the IPsec VPN tunnel setup on its outside interface?

I am thinking add the outside interface public IP into the ACL for VPN Phase 2 crypto map.  Will it work?

Cisco Supermen have an idea?

Thanks a lot.

6 REPLIES 6
Highlighted
Cisco Employee

manage ASA via VPN on its outside interface

I am by no means any Superman, but i think i can help

You can actually configure all the SSH, SNMP, Syslog using the ASA inside interface, and that would be part of the interesting crypto ACL traffic (assuming that the crypto ACL includes the ASA inside interface subnet).

Eg:

For SSH:

ssh inside

For Syslog:

logging host inside

For SNMP:

snmp host inside

Plus, you would also need to configure: management-access inside on all your regional offices ASA.

Hope that helps.

Highlighted
Beginner

manage ASA via VPN on its outside interface

ping to the remote ASA's insdie interface private IP from headquater network doesn't work.

Highlighted
Cisco Employee

manage ASA via VPN on its outside interface

Do you have any icmp rule?

Can you pls share: sh run icmp from the remote ASA.

Also, what version of ASA are you running on the remote end?

Plus, i assume you have added "management-access inside" too?

Highlighted
Beginner

manage ASA via VPN on its outside interface

I have 'icmp permit any inside' on my remote ASAs, but appearently ASA process traffice passing through it differently than taffice generated by itself.

like, I can ping to the remote ASA's inside interface IP from  the remote office network which is behind it, but I cannot ping the inside interface IP from headquater network.

I can telnet on the remote ASA on the inside interface IP from the remote office network which is behind it, but I cannot telnet on the inside interface IP from headquater network.

the remote ASA inside interface is in the same subnet as the remote office network.

Highlighted
Cisco Employee

manage ASA via VPN on its outside interface

What version is your ASA, as there is a bug with management access to the ASA through VPN tunnel.

CSCuc58260: ICMP to management-access interface through VPN fails

Highlighted
Cisco Employee

manage ASA via VPN on its outside interface