I have a ASA device with a management interface with IP address 192.168.1.1/24
and also on this interface are switches that also have ipaddress on the 192.168.1.x range.
The rules on the firewall say that any traffic comming in to firewall on the 192.168.1.0/24 subnet to ip address 192.168.1.10 should be sent back across a site to site vpn.
now for the switches that are using the ASA 192.168.1.1 as there default gateway this all works fine, however the traffic from the ASA its self fails and is blocked be the policy on the interface. (however the interface only has the default rule (traffic allowed to any less secure interface)
doing a trace traffic from the switch never hit this interface rule, they just get routed to the internet and then hit the VPN.
How is traffic from the firewall its self treated different and how do i insure it goes across the VPN and is not blocked.
If you watch the log I'm guessing the syslog traffic from the ASA is going from the interface that the VPN terminates on.
If you include that interface IP in the encryption domain on both sides of the VPN it should start working.
I will have to check but as far as I am aware it is set up like this
Outside interface = 18.104.22.168
management interface is 192.168.1.1
VPN is between the outside interface and the remote ASA device.
syslogs messages soure interface is set as management interface.
As i say a switch on the same network 192.168.1.10 for example will work fine, so I not sure this is the issue. But i will check this again tomorrow.
I not sure it is, as syslog is explicitly set to send with a source of "management" not outside.
However using the packet trace function in the ASA and putting
192.168.1.1 as the source the packet shows as blocked
setting it as 192.168.1.10 and the packet is allowed
and in the packet trace it shows source as 192.168.1.1 so its deffently sending it from the 192 address and not the external address.