on 10-24-2012 06:54 PM
I have a few ASAs in regional offices, connected to the headquarters ASA via IPsec point-to-point VPNs over the internet. The VPN is set up on the outside interfaces of those ASAs. Now my trouble is managing those regional offices' ASAs from the headquarters network. I cannot directly connect to any of those remote ASAs; I have to log on to a remote switch behind them and then log on to the remote ASA. My syslog and network management servers are all in the headquarters network, and none of them can talk to the remote ASAs unless I let them do it on public IPs.
How can I manage (SNMP, syslog, etc.) a remote ASA through the IPsec VPN tunnel set up on its outside interface?
I am thinking of adding the outside interface public IP into the ACL for the VPN Phase 2 crypto map. Will it work?
Do any Cisco Supermen have an idea?
Thanks a lot.
on 10-24-2012 07:09 PM
I am by no means any Superman, but I think I can help.
You can actually configure SSH, SNMP and syslog to use the ASA inside interface, and that traffic would then be part of the interesting crypto ACL traffic (assuming that the crypto ACL includes the ASA inside interface subnet).
Eg:
For SSH:
ssh <hq-mgmt-subnet> <mask> inside
For Syslog:
logging host inside <hq-syslog-ip>
For SNMP:
snmp-server host inside <hq-nms-ip> community <community-string>
Plus, you would also need to configure "management-access inside" on all your regional office ASAs.
Hope that helps.
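The configuration the reply above describes, written out end to end as an added example (it is not a poster's config and not from Cisco documentation). All addresses, object names and the community string are constructed placeholders: HQ LAN 10.1.0.0/24 with the NMS/syslog server at 10.1.0.50, branch LAN 10.2.0.0/24, branch ASA inside interface 10.2.0.1. The crypto ACL and NAT exemption lines are assumed to already exist as part of the working tunnel and are shown only so the dependency is visible.

```cisco
! Added example: regional-office ASA managed from HQ across the site-to-site tunnel.
! Constructed addressing: HQ LAN 10.1.0.0/24 (NMS/syslog 10.1.0.50),
! branch LAN 10.2.0.0/24, branch ASA inside = 10.2.0.1.
!
! 1. The crypto ACL must cover the branch inside subnet, which contains the
!    ASA's own inside IP, so both HQ->ASA management sessions and the
!    ASA-generated syslog/SNMP traffic sourced from inside are encrypted.
access-list HQ_VPN extended permit ip 10.2.0.0 255.255.255.0 10.1.0.0 255.255.255.0
!
! 2. Standard NAT exemption for the same traffic (8.3+ syntax).
object network BRANCH_LAN
 subnet 10.2.0.0 255.255.255.0
object network HQ_LAN
 subnet 10.1.0.0 255.255.255.0
nat (inside,outside) source static BRANCH_LAN BRANCH_LAN destination static HQ_LAN HQ_LAN no-proxy-arp route-lookup
!
! 3. Allow sessions that arrive through the tunnel on the outside interface to
!    terminate on the inside interface IP (10.2.0.1). Without this, only hosts
!    directly behind the inside interface can reach it, which is the symptom
!    described later in the thread.
management-access inside
!
! 4. Source device-generated management traffic from inside so it matches the
!    crypto ACL, and permit HQ management hosts to the inside interface.
logging enable
logging host inside 10.1.0.50
snmp-server host inside 10.1.0.50 community <COMMUNITY_PLACEHOLDER> version 2c
ssh 10.1.0.0 255.255.255.0 inside
icmp permit 10.1.0.0 255.255.255.0 inside
!
! Verify from HQ with "ssh 10.2.0.1", then confirm the traffic rides the SA:
! show crypto ipsec sa peer <HQ_PUBLIC_IP_PLACEHOLDER> | include pkts
```

Note that, as the thread goes on to say, releases before 8.4.3 can still fail ICMP and management to the inside interface through the tunnel because of CSCtr16184, so check "show version" before troubleshooting the configuration itself.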
on 10-24-2012 07:33 PM
Pinging the remote ASA's inside interface private IP from the headquarters network doesn't work.
on 10-24-2012 07:34 PM
Do you have any ICMP rule?
Can you please share the output of "sh run icmp" from the remote ASA?
Also, what version of ASA are you running on the remote end?
Plus, I assume you have added "management-access inside" too?
on 10-24-2012 08:35 PM
I have "icmp permit any inside" on my remote ASAs, but apparently the ASA processes traffic passing through it differently than traffic generated by itself.
For example, I can ping the remote ASA's inside interface IP from the remote office network behind it, but I cannot ping the inside interface IP from the headquarters network.
I can telnet to the remote ASA on the inside interface IP from the remote office network behind it, but I cannot telnet to the inside interface IP from the headquarters network.
The remote ASA's inside interface is in the same subnet as the remote office network.
on 10-24-2012 10:50 PM
What version is your ASA? There is a bug with management access to the ASA through a VPN tunnel.
CSCuc58260: ICMP to management-access interface through VPN fails
on 10-24-2012 10:55 PM
Or it matches this bug perfectly: CSCtr16184
Fixed in 8.4.3