How to access asacx over L2L VPN

natec
Level 1

I am trying to access the asacx module installed on a remote ASA 5525 over an L2L VPN tunnel. When attempting to access the asacx module I see the following in the ASA logs. The IP address of the asacx module is 192.168.148.3. The IP address of the management interface on the ASA is 192.168.148.2.

<172>%ASA-4-418001: Through-the-device packet to/from management-only network is denied: tcp src outside:192.168.50.112/58002 dst management:192.168.148.3/443

Is there any way to get around this? Is there a possible way to route back to the management network through the router on the other side?

I think if I could delete the connected route for the 192.168.148.0 network I could just route through the inside interface and then back to the management. How do you all access your asacx modules remotely?

Thank you in advance for any help that you can provide.

1 Accepted Solution

Accepted Solutions

Vibhor Amrodia
Cisco Employee

Hi,

This is expected as the management interface will never allow any through traffic. You would have to route this traffic through a different interface and probably the Inside interface of the ASA device.

Put a static route to the inside interface for the CX management IP and that should resolve this issue for you.

Check this doc for more information [Scenario 4]:

http://www.cisco.com/c/en/us/support/docs/security/ips-sensor-software-version-71/113690-ips-config-mod-00.html

Thanks and Regards,

Vibhor Amrodia

4 Replies

Thank you Vibhor and Marvin,

For completeness I will also add that if you have an IP address on the management interface of the ASA you will have to take it off or it will show a connected route which will be weighted lower than the static. Once I put the static in and took the IP address off of the management interface I was able to access the asacx module.


You don't need to remove the ASA management IP as the connected routes on that interface are only the /32 of the ASA management address itself and the subnet to which it belongs, be it a /24 or whatever.

Your static route for the CX management should be a /32 route for that address. Thus the longest prefix match will choose that static route despite it belonging to the same subnet as the ASA management interface.
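The two answers above (Vibhor's "static route to the inside interface for the CX management IP" and Marvin's "/32 wins by longest prefix match against the connected /24") can be checked with a small routing-table model. This is an added example, not code from the thread or from Cisco: it models ASA forwarding as longest-prefix match plus a "management-only interface refuses through-traffic" rule, using the thread's addresses (CX at 192.168.148.3, ASA management 192.168.148.2/24, remote client 192.168.50.112). The inside subnet 10.0.0.0/24, the inside next hop 10.0.0.1 and the default route next hop are constructed for the example; the deny message only imitates the %ASA-4-418001 log line, it is not the ASA's own code.

```python
import ipaddress

# Interfaces configured management-only: they never carry through-the-device
# traffic, which is what %ASA-4-418001 reports.
MANAGEMENT_ONLY = {"management"}


def lookup(routes, dst):
    """Longest-prefix match. routes: list of (prefix, iface, next_hop).
    Returns (iface, next_hop) for the most specific matching route, or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return None if best is None else (best[1], best[2])


def forward(routes, in_iface, src, dst):
    """Decide what a through-the-device packet gets: 'forward via <iface>',
    'no route', or a deny that mimics the %ASA-4-418001 message."""
    hit = lookup(routes, dst)
    if hit is None:
        return "no route"
    out_iface, _ = hit
    if out_iface in MANAGEMENT_ONLY and in_iface != out_iface:
        return (f"denied: through-the-device packet to/from management-only "
                f"network: src {in_iface}:{src} dst {out_iface}:{dst}")
    return f"forward via {out_iface}"


# Routes as the ASA installs them before any fix: the connected /24 on the
# management interface plus the /32 of the ASA's own management address
# (Marvin's point), an inside subnet and a default route (both constructed).
BEFORE = [
    ("192.168.148.0/24", "management", None),
    ("192.168.148.2/32", "management", None),
    ("10.0.0.0/24", "inside", None),
    ("0.0.0.0/0", "outside", "203.0.113.1"),
]

# Same table plus the /32 static toward the inside router (next hop constructed).
# On the ASA this is: route inside 192.168.148.3 255.255.255.255 10.0.0.1
AFTER = BEFORE + [("192.168.148.3/32", "inside", "10.0.0.1")]


def demo():
    """Return the three decisions a practitioner wants to see."""
    return {
        "before": forward(BEFORE, "outside", "192.168.50.112", "192.168.148.3"),
        "after": forward(AFTER, "outside", "192.168.50.112", "192.168.148.3"),
        # Another host on the management /24 is unaffected by the /32 static.
        "other_mgmt_host": forward(AFTER, "outside", "192.168.50.112", "192.168.148.10"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Run as-is: before the static route the packet matches the connected /24, egresses on the management-only interface and is denied; after adding the /32 it matches the more specific static and is forwarded via inside, while 192.168.148.10 still resolves to the connected /24 and is still denied, which is why the ASA's own management address does not need to be removed. The model does not cover to-the-box traffic (ASDM/SSH to 192.168.148.2 itself), VPN interesting-traffic ACLs or NAT exemption, which the thread does not discuss either.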

Marvin Rhoads
Hall of Fame

Vibhor's answer is the correct approach. I have used it successfully myself.
