Cisco Support Community

New Member

ASA inside interface not able to reach across IPsec tunnel

Hey everyone,

I have an active tunnel between an ASA and a router. Both inside networks are able to communicate just fine across the tunnel. However, I'm running into a problem where the inside interface on the ASA itself is not able to reach the inside network on the opposing side. This is causing a problem now because I have set up RADIUS configuration on the ASA, but it has to reach across the tunnel to the RADIUS server on the other side for authentication. In fact, is there a mechanism in the ASA that causes this by default?

Thanks,

Ali

5 REPLIES
Hall of Fame Super Silver

ASA inside interface not able to reach across IPsec tunnel

Yes that can be an issue since the ASA uses its routing table to tell it how to get to the remote network. Since the route is via the outside interface, the ASA will try to use that address and never encapsulate the packets in IPsec.

Silver

ASA inside interface not able to reach across IPsec tunnel

The ASA has an option that is for management access; the command is "management-access", but it is not for authentication. For that you will need to add the interface where the crypto map is applied to the remote IP address of the server, and add the aaa-server command with that same interface. If, for example, you have the tunnel applied to the outside interface of the ASA, this would be the interface (IP address) that you would need to use for the interesting traffic and for the aaa-server command.

Value our effort and rate the assistance!
New Member

Re: ASA inside interface not able to reach across IPsec tunnel

Thanks guys!  Actually the following config solved it:

management-access Inside

And I was able to immediately reach the inside interface from the remote LAN, as well as the ASA reaching across the tunnel for authentication through the remote radius server.
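
A fuller sketch of the setup the post above reports, as an added example that is not part of the original thread. Everything except the `management-access Inside` line is an assumption: the 10.1.1.0/24 and 10.2.2.0/24 networks, the server address, the names `VPN-TRAFFIC` and `RADIUS-REMOTE`, and binding the server group to the `Inside` interface.

```cisco
! Constructed example: addresses, names and secrets are placeholders.
! Assumed: ASA Inside = 10.1.1.1 (10.1.1.0/24), remote LAN = 10.2.2.0/24,
! RADIUS server = 10.2.2.10 behind the remote router.

! The crypto ACL must match the ASA's own Inside address as a source.
! Listing the whole inside subnet covers it.
access-list VPN-TRAFFIC extended permit ip 10.1.1.0 255.255.255.0 10.2.2.0 255.255.255.0

! From the thread: allow the Inside interface to be reached, and used
! as a source, through the tunnel that terminates on another interface.
management-access Inside

! Bind the server group to Inside so requests are sourced from 10.1.1.1
! and therefore match the crypto ACL above.
aaa-server RADIUS-REMOTE protocol radius
aaa-server RADIUS-REMOTE (Inside) host 10.2.2.10
 key <shared-secret>

! The RADIUS server must list 10.1.1.1 (not the outside address) as a client.
! If the VPN uses identity NAT on 8.3 and later, that NAT rule needs the
! route-lookup keyword for management-access traffic to work.

! Verification
test aaa-server authentication RADIUS-REMOTE host 10.2.2.10 username <user> password <password>
show crypto ipsec sa peer <peer-ip>
```

In the `show crypto ipsec sa` output, the encaps and decaps counters should rise when the authentication test runs, confirming the RADIUS exchange is inside the tunnel rather than leaving the outside interface in the clear.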

Hall of Fame Super Silver

Re: ASA inside interface not able to reach across IPsec tunnel

Thanks for reminding us of the usefulness of that command in this context! +5

Silver

ASA inside interface not able to reach across IPsec tunnel

Please update the ticket as resolved or answered so we can close out follow-up.

Value our effort and rate the assistance!