08-05-2013 09:06 AM
Hi,
Using an ASA, I'm trying to TFTP to a remote site down a L2L VPN but can't work out how to get self-generated packets down the VPN. The VPN is working perfectly for all forwarded traffic, the TFTP server works, and the ASA can TFTP to local devices.
So far I have tried:
Setting "management-access inside"
Setting "tftp-server outside ..."
Thanks in advance,
Eleni
08-05-2013 03:42 PM
It'd be a bit tricky but I believe you could add a /32 static route for the TFTP server on the management interface for an inside router/gateway address. That gateway should then know to route to the remote site's netblock using the ASA inside interface and from there it should hit the crypto map etc. and be IPsec-encapsulated into the VPN.
Otherwise the ASA will just try to send the traffic out the outside interface (thus initiating from the outside IP address) and it will not get encapsulated by IPsec and thus fail.
08-08-2013 07:29 AM
The above didn't work. I still haven't found a way to get the ASA to treat self-generated traffic the same way as forwarded traffic, which is a little frustrating but not vital.
I used SCP instead. Here is my fix for those with the same issue:
* Type "ssh scopy enable" on each ASA's CLI
* Install 'sshpass' and 'expect' on a Linux box
* Create a shell script that looks like this:
#!/bin/bash
# Map the site name passed as the first argument to the remote ASA's IP.
if [ "$1" = "Site1FW" ]; then
    REMOTE_IP=1.2.3.4
fi
if [ "$1" = "Site2FW" ]; then
    REMOTE_IP=5.6.7.8
fi
# Bail out instead of running scp against an empty host for an unknown site.
if [ -z "$REMOTE_IP" ]; then
    echo "Unknown site: $1" >&2
    exit 1
fi
# Run the expect script, which will SSH into the remote ASA, enter enable mode and create a file called SCPconfbackup
/root/path/createbackupfile "$REMOTE_IP"
# SCP into the remote firewall and pull down the config file. Save it in the TFTP folder with a timestamp.
sshpass -p 'Changeme' scp "Username@$REMOTE_IP:disk0:SCPconfbackup" "/var/tftp/$1_backup$(date +"%d-%m-%Y")"
# Log that the script ran
echo "$1 autobackup script ran $(date)" >> /var/log/Autobackuplog
* Create another script (the one called above as /root/path/createbackupfile) that looks like this:
#!/usr/bin/expect
set REMOTE_IP [lindex $argv 0]
# Give the ASA long enough to answer; the default 10 s is tight for a copy over a VPN.
set timeout 30
# Log in to the ASA (sshpass answers the password prompt)
spawn sshpass -p Changeme ssh Username@$REMOTE_IP
# Enter enable mode and copy the running-config to disk0:SCPconfbackup
expect ">"
send "enable\n"
expect "Password:"
send "ChangeMe\n"
expect "#"
send "conf t\n"
expect "#"
send "cop running-config disk0:SCPconfbackup\n"
expect "Source filename"
send "\n"
expect "Destination filename"
send "\n"
# On every run after the first the ASA warns that the file exists and asks to confirm;
# answer it if it appears, otherwise just wait for the prompt to come back.
expect {
    "%Warning:" { send "\n"; exp_continue }
    "#"
}
send "exit\n"
expect "#"
send "exit\n"
expect eof
* Run the script with 'cron', e.g.
@daily /path/NameOfScript1 Site1FW
@hourly /path/NameOfScript1 Site2FW
===================================================
This should work for most people assuming SSH already works between the server and ASA. I've already applied it to 3 sites with different ASA models etc. with no changes needed.
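As an added example that is not part of the original post: a hardened rewrite of the pull-down half of the backup job above. The scripts in the thread keep the SSH and enable passwords in plain text and hand them to sshpass, which also exposes them in the process list, and they accept whatever host key the far end presents. The version below assumes (none of this is in the thread) that the backup user on each ASA has been set up for SSH public-key authentication (an ASA 9.1(2)-and-later feature, configured per user under `username ... attributes`), that each ASA's host key is pinned in a known_hosts file owned by the backup user, that site-to-IP mappings live in a small text file, and that `disk0:SCPconfbackup` already exists on the ASA (for instance produced by the expect step in the post). The paths, user name and file names are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Pulls disk0:SCPconfbackup from
# one ASA with key-based SCP, pinned host keys and an atomic, verified write.
# All paths below are assumptions; adjust to your environment.
set -eu
umask 077                       # configs contain password hashes and IPsec PSKs

SITES_FILE="${SITES_FILE:-/etc/asa-backup/sites}"       # lines of "<site> <ip>"
KNOWN_HOSTS="${KNOWN_HOSTS:-/etc/asa-backup/known_hosts}"
SSH_KEY="${SSH_KEY:-/etc/asa-backup/id_rsa}"
SSH_USER="${SSH_USER:-backup}"
BACKUP_DIR="${BACKUP_DIR:-/var/backups/asa}"
LOG_FILE="${LOG_FILE:-/var/log/asa-backup.log}"

# Map a site name to its IP. Returns non-zero for unknown sites so the caller
# never runs "scp user@:disk0:..." against an empty host.
site_ip() {
    ip=$(awk -v s="$1" '$1 == s { print $2; exit }' "$SITES_FILE")
    [ -n "$ip" ] || return 1
    printf '%s\n' "$ip"
}

# Destination path for <site> on <YYYY-MM-DD>; ISO dates sort correctly in a
# directory listing, unlike the DD-MM-YYYY names in the original script.
backup_path() {
    printf '%s/%s_%s.cfg\n' "$BACKUP_DIR" "$1" "$2"
}

# Sanity-check a pulled file before keeping it: non-empty and contains a
# hostname line, as every ASA running-config does. Stops an empty or
# error-text file from silently replacing yesterday's good copy.
verify_config() {
    [ -s "$1" ] && grep -q '^hostname ' "$1"
}

# Fetch one site's config into a temp file, verify it, then rename it into
# place so a failed or truncated transfer never leaves a bad backup behind.
run_backup() {
    site=$1
    ip=$(site_ip "$site") || { echo "unknown site: $site" >&2; return 1; }
    dest=$(backup_path "$site" "$(date +%F)")
    tmp="$dest.part"
    mkdir -p "$BACKUP_DIR"
    # BatchMode/PasswordAuthentication=no: never hang a cron job on a prompt.
    # StrictHostKeyChecking=yes with our own known_hosts: refuse unpinned peers.
    scp -q \
        -o "UserKnownHostsFile=$KNOWN_HOSTS" \
        -o StrictHostKeyChecking=yes \
        -o BatchMode=yes \
        -o PasswordAuthentication=no \
        -i "$SSH_KEY" \
        "$SSH_USER@$ip:disk0:SCPconfbackup" "$tmp"
    if verify_config "$tmp"; then
        mv "$tmp" "$dest"
        echo "$(date '+%F %T') $site OK $dest" >> "$LOG_FILE"
    else
        rm -f "$tmp"
        echo "$(date '+%F %T') $site FAILED verification" >> "$LOG_FILE"
        return 1
    fi
}

# Only run when invoked with a site name, e.g. from cron:
#   @daily /usr/local/sbin/asa-backup Site1FW
if [ $# -gt 0 ]; then
    run_backup "$1"
fi
```

Two points worth checking before trusting this in production: populate the pinned known_hosts file out of band (for example from `show ssh` output or `ssh-keyscan` run over a trusted path), since the whole point of `StrictHostKeyChecking=yes` is lost if the first connection is allowed to learn the key from the network; and restrict the backup user on the ASA to the lowest privilege level that can still read `disk0:`, since that key now grants unattended access.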