
How to manage 5506 as Easy-VPN client from headend?

k.jacobsen
Level 1

Hi all,

Having a "funny" experience here with an ASA 5506 as Easy-VPN client towards a 5510 head end.

When the 5506 boots and the tunnel comes up I can ssh and ping the inside interface even though nothing is connected. The interface is down/down. Then I attach a switch on the inside and I can reach the switch. All good. When I unplug the switch, the inside interface goes down/down again. Problem is - I lose my management and ping towards the 5506 and I can't manage it anymore.

My question is:

How do I monitor my 5506 and switch separately (through the VPN tunnel) so that I know if it's one or the other that is dead (if the situation should occur)?

Regards

Kenneth

3 Replies

mvsheik123
Level 7

Hi Kenneth,

As ASA 5506 is your remote gateway to reach the switch (connected behind the ASA), I'm afraid you may not be able to monitor them separately. If the ASA is dead, you lose connectivity to both units. However, you can use Out of Band (modem access/console) to dial in and check. This adds additional costs though.

hth

MS

Hi MS,

Yes, I am aware of that. If the ASA dies - then of course I can't reach it, but let's say the switch dies. How can I reach the ASA when it runs an easy-vpn where I might not know the public IP or it could be behind NAT?

Kenneth 

Hi Kenneth,

1. If the ASA got a public IP: On the head end ASA (5510), you can see what IP is being used to initiate the VPN tunnel, and in the logs you can see session initiation and tear off as well (when logging is enabled). You can enable SSH to the remote ASA public IP (with restricted access from your head end IPs).

2. Behind NAT: Work with the provider or owner of the gateway (that assigns & NATs IPs at that location) and have them port forward SSH connections from your head end IPs to your ASA pvt IP. Make sure they reserve this private IP for your remote ASA.

hth

MS