05-16-2017 02:16 PM - edited 03-12-2019 02:22 AM
I was able to discover the following:
"The adaptive security appliance only responds to ICMP traffic sent to the interface that traffic comes in on; you cannot send ICMP traffic through an interface to a far interface."
My question is this. Does this also apply to Syslog, Netflow, and services other than ICMP?
The topology, to help with describing my question:
There is a site (Site Acme) with an ASA firewall with three interfaces, named Outside, Inside, and SDWAN.
There is an SD-WAN appliance that connects to the SDWAN interface.
This appliance establishes a VPN tunnel through Site Acme's firewall to a datacenter which hosts a network management server.
Site Acme's ASA routes all 10.x.x.x/8 traffic to the SD-WAN appliance to get to the network management server.
Traffic from the datacenter can reach site Acme's inside network.
There is no IPsec happening on Site Acme's firewall, only routing traffic out to the internet.
The problem is the network management server cannot ping or poll the ASA's inside interface. The link above perfectly describes why ICMP traffic cannot.
My question is, does that also include SNMP and any other traffic that would try to access the firewall through its far-end inside interface?
I appreciate your answers and attached a diagram to assist with the description. I saw posts about this regarding ICMP and I appreciate that information, so hopefully this will be a good reference for the next guy/gal that comes along having this same problem.
05-17-2017 07:03 AM
AFAIK, this is the same behavior for any management traffic, not just ICMP. SSH, telnet, etc. also behave the same way from my experience. You will not be able to send any traffic to a far-end interface while coming in from another interface. The only exception I know of is when you are coming in from a VPN tunnel. You can then use "management-access" to access the far-end interface, but this is restricted to only 1 far-end interface.
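As an added illustration of the behavior described in the answer above, here is an ASA configuration fragment written for this page (it is not the poster's configuration or Cisco's own example). Interface names follow the question (Inside, SDWAN); the IP addresses, the 10.50.0.0/16 management range, the SNMP community and the syslog host are placeholders. The point it shows is that polling and management traffic arriving on SDWAN must be permitted on SDWAN, because the ASA only answers on the interface the packet enters, and that "management-access" is the single-interface exception that applies only to traffic arriving through a VPN terminated on the ASA itself.

```cisco
! Constructed example for illustration; addresses and names are placeholders.
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif SDWAN
 security-level 50
 ip address 192.168.20.1 255.255.255.0
!
! Datacenter range reached via the SD-WAN appliance, as described in the question
route SDWAN 10.0.0.0 255.0.0.0 192.168.20.2 1
!
! Management/polling traffic from the datacenter enters on SDWAN, so it is
! permitted on SDWAN and targets the SDWAN interface address (192.168.20.1),
! not the Inside address. Permitting it on Inside would not make Inside answer.
icmp permit 10.50.0.0 255.255.0.0 SDWAN
ssh 10.50.0.0 255.255.0.0 SDWAN
snmp-server host SDWAN 10.50.0.10 poll community PLACEHOLDER_COMMUNITY version 2c
!
! ASA-originated syslog leaves through the interface named here, chosen by the route
logging host SDWAN 10.50.0.10
!
! Only when management traffic arrives over a VPN terminated on this ASA does the
! following command let one far-side interface (here Inside) answer; it does not
! apply to plain routed traffic coming in on SDWAN, which is the scenario in the question.
! management-access Inside
```

Practical check: from the management server, poll and ping the address of the interface the traffic actually enters on (SDWAN) rather than the Inside address; if the ASA must still be reached by its Inside address for inventory reasons, the answer's VPN plus "management-access" path is the only supported route, and it covers exactly one interface.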
05-17-2017 07:52 AM
Thank you very much Rahul! I really appreciate your help!