ASA Site-to-Site Problem: Using centralized DHCP, Syslog, TFTP and AAA

Unanswered Question
Jul 11th, 2008


I want to use AAA, Syslog, TFTP and DHCP relay services on a Cisco ASA 5520 (branch office) connected through a VPN IPsec Site-to-Site tunnel with a Cisco ASA 5520 at our central site. I set up the VPN site-to-site tunnel as described in the documentation.

The inside interface from the branch office ASA is configured as the management interface:

asa-remote-office(config)# management-access inside

I can connect via SSH/HTTPS to the inside interface (branch office) through the site-to-site tunnel when I come from the central site network.

No problem and it works!

On the remote site I can ping the DHCP, Syslog, TFTP and Cisco Secure ACS (AAA) servers from the inside interface (source), so the VPN tunnel is up.

Also I permitted all IP traffic through the tunnel for the sake of convenience.

My problem is now: How can I configure the remote ASA to use the AAA, Syslog, TFTP, DHCP relay service at our central site (through the VPN tunnel)?

By the way, I don't want to bind these services to the outside interface as described in

The inside interface IP of the ASA should be the source of this traffic!!! Using the outside interface IP would not work functionally, because the ASA 5520 on the central side is attached to another ASA 5540 main firewall and I cannot route the external outside IP (from the branch office ASA) through the ASA 5540 (in case no site-to-site tunnel can be established between the two ASA 5520s).

Does anyone have experience with such a constellation?

Is there a configuration example with centralized services (AAA, syslog, TFTP, DHCP etc.) through an IPsec site-to-site tunnel?!?

Thanks in advance!



Marwan ALshawi Sat, 07/12/2008 - 05:02

First of all:

The outside command you have seen in the documentation link does not mean the source of your packet will be the outside interface.

It means that any packet that needs to go to the syslog server with the specified IP address should go through the outside interface.

When you put inside you are getting an error because your ASA does not have a route through the inside interface.

So what you need to do:

First make a command for the syslog server as in the documentation, with your own syslog server private IP:

logging host outside (your syslog IP address)

Then make a definition for your AAA group with the exact IP address on the central site,

and for the AAA server use the outside interface too.

Now, if you are wondering how this traffic is going to be tunneled,

the answer is by using the ACL for interesting traffic.

The above config is for the services to know where to go,

and the following is for the VPN to know what to encrypt and tunnel:

Make ACLs in addition to what you have for your site-to-site VPN.

Add to the same ACL you use

permit ACEs permitting traffic from your private network to the syslog server, AAA and so on,

and if you have NAT on your ASA, do nat 0 on each ASA that has NATing to bypass the interesting traffic from being NATed.

Good luck,

and let me know if it worked.

Please rate if helpful.
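The following is an added configuration example for the branch ASA that puts the steps of the answer above into ASA 8.0-style CLI; it is not from the original poster or the answerer. All addresses are assumed for illustration: branch LAN 192.168.10.0/24 behind the inside interface, branch outside address 203.0.113.2, central peer 198.51.100.1, central LAN 10.1.0.0/16 with syslog 10.1.1.10, Cisco Secure ACS 10.1.1.20, TFTP 10.1.1.30 and DHCP 10.1.1.40. The crypto map name OUTSIDE-MAP, the transform set ESP-AES-SHA and the ACL names are likewise assumed, and the tunnel-group and ISAKMP policy from the existing site-to-site setup are taken as already present.

```cisco
! Branch ASA (asa-remote-office). Assumed addresses, see lead-in.
!
! 1. Point each service at the central server, sending it out via the outside
!    interface (the interface that carries the tunnel).
logging enable
logging trap informational
logging host outside 10.1.1.10

aaa-server CENTRAL-ACS protocol tacacs+
aaa-server CENTRAL-ACS (outside) host 10.1.1.20
 key <shared-secret>
aaa authentication ssh console CENTRAL-ACS LOCAL

dhcprelay server 10.1.1.40 outside
dhcprelay enable inside

tftp-server outside 10.1.1.30 asa-remote-office.cfg

! 2. Interesting traffic for the crypto map: the LAN-to-LAN entry that already
!    exists, plus an entry for traffic the ASA itself originates. Packets the
!    ASA sends out of an interface carry that interface's address as source,
!    so the outside address is included here (assumed host 203.0.113.2);
!    the mirror ACL on the central ASA needs the same address as destination.
access-list VPN-TO-HQ extended permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0
access-list VPN-TO-HQ extended permit ip host 203.0.113.2 10.1.0.0 255.255.0.0

! 3. nat 0: exempt the LAN-to-LAN traffic from NAT so it matches the crypto ACL
access-list NONAT extended permit ip 192.168.10.0 255.255.255.0 10.1.0.0 255.255.0.0
nat (inside) 0 access-list NONAT

! 4. Bind the ACL to the crypto map entry for the central peer
crypto map OUTSIDE-MAP 10 match address VPN-TO-HQ
crypto map OUTSIDE-MAP 10 set peer 198.51.100.1
crypto map OUTSIDE-MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE-MAP interface outside
```

To check that the service traffic is actually being encrypted rather than leaving in the clear, look at the IPsec SA for the peer with `show crypto ipsec sa` and confirm that an SA exists whose local identity is the ASA's own outside address (or the LAN) and whose encaps counter increases while the service is in use; `test aaa-server authentication CENTRAL-ACS host 10.1.1.20 username <user> password <pw>` exercises the AAA path end to end, and `show logging` reports whether the syslog host is reachable.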

