New Member

How to access asacx over L2L VPN

I am trying to access the asacx module installed on a remote ASA 5525 over a L2L VPN tunnel. When attempting to access the asacx module I see the following in the ASA logs. The IP address of the asacx module is 192.168.148.3. The IP address of the management interface on the ASA is 192.168.148.2.

<172>%ASA-4-418001: Through-the-device packet to/from management-only network is denied: tcp src outside:192.168.50.112/58002 dst management:192.168.148.3/443

Is there any way to get around this? Is there a possible way to route back to the management network through the router on the other side?

I think if I could delete the connected route for the 192.168.148.0 network I could just route through the inside interface and then back to the management.  How do you all access your asacx's remotely?

Thank you in advance for any help that you can provide.

ACCEPTED SOLUTION
Cisco Employee

Hi,

This is expected as the management interface will never allow any through traffic. You would have to route this traffic through a different interface and probably the Inside interface of the ASA device.

Put a static route to the inside interface for the CX management IP and that should resolve this issue for you.

Check this doc for more information [Scenario 4]:

http://www.cisco.com/c/en/us/support/docs/security/ips-sensor-software-version-71/113690-ips-config-mod-00.html

Thanks and Regards,

Vibhor Amrodia

4 REPLIES
New Member

Thank you Vibhor and Marvin,

For completeness I will also add that if you have an IP address on the management interface of the ASA you will have to take it off or it will show a connected route which will be weighted lower than the static. Once I put the static in and took the IP address off of the management interface I was able to access the asacx module.

Hall of Fame Super Silver

You don't need to remove the ASA management IP as the connected routes on that interface are only the /32 of the ASA management address itself and the subnet to which it belongs, be it a /24 or whatever.

Your static route for the CX management should be a /32 route for that address. Thus the longest prefix match will choose that static route despite it belonging to the same subnet as the ASA management interface.
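Vibhor's static-route fix and Marvin's longest-prefix-match point, modelled together as an added example (not code from the thread or from Cisco): a small Python routing-table lookup that parses an ASA-style `route <ifname> <dest> <mask> <gateway> [distance]` line and shows that a /32 static for the CX address 192.168.148.3 via inside wins over the connected 192.168.148.0/24 on management, while other hosts on that subnet, and the ASA's own 192.168.148.2/32, still resolve to the management interface. The inside addressing (10.10.10.1/24 on the ASA, next hop 10.10.10.254) is constructed for the example; the 192.168.148.x addresses are the ones from the original post.

```python
import ipaddress
from typing import List, NamedTuple, Optional


class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: str   # "connected" for directly attached networks
    distance: int   # administrative distance: 0 connected, 1 static (ASA default)


def connected_routes(interface: str, addr_with_prefix: str) -> List[Route]:
    """Routes the ASA installs for an interface address: the subnet and the host /32
    (the point Marvin makes: only these two connected routes exist for the interface)."""
    iface = ipaddress.ip_interface(addr_with_prefix)
    return [
        Route(iface.network, interface, "connected", 0),
        Route(ipaddress.ip_network(f"{iface.ip}/32"), interface, "connected", 0),
    ]


def parse_static_route(line: str) -> Route:
    """Parse an ASA-style 'route <ifname> <dest> <mask> <gateway> [distance]' line."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not an ASA static route: {line!r}")
    _, ifname, dest, mask, gateway, *rest = parts
    distance = int(rest[0]) if rest else 1
    # ipaddress accepts dotted-decimal masks, e.g. 192.168.148.3/255.255.255.255
    return Route(ipaddress.ip_network(f"{dest}/{mask}"), ifname, gateway, distance)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match; on equal prefix length the lower administrative distance wins."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.distance))


def egress_allows_through_traffic(table: List[Route], dst: str) -> bool:
    """Model the policy behind %ASA-4-418001: through-the-device traffic whose egress
    resolves to the management-only interface is denied, anything else is routable."""
    route = lookup(table, dst)
    return route is not None and route.interface != "management"


def build_table() -> List[Route]:
    # Constructed topology: ASA management 192.168.148.2/24 (from the post),
    # ASA inside 10.10.10.1/24 and inside router 10.10.10.254 (assumed for the example).
    table = connected_routes("management", "192.168.148.2/24")
    table += connected_routes("inside", "10.10.10.1/24")
    # Vibhor's fix, as a /32 per Marvin: CX management IP reachable via the inside side.
    table.append(parse_static_route("route inside 192.168.148.3 255.255.255.255 10.10.10.254 1"))
    return table


if __name__ == "__main__":
    table = build_table()
    for dst in ("192.168.148.3", "192.168.148.50", "192.168.148.2"):
        r = lookup(table, dst)
        print(f"{dst:16} -> {r.prefix} via {r.interface} ({r.next_hop}) "
              f"through-traffic allowed: {egress_allows_through_traffic(table, dst)}")
```

Running it shows 192.168.148.3 leaving via inside toward 10.10.10.254 (allowed), while 192.168.148.50 and 192.168.148.2 still match the connected management routes and would be denied as through traffic, which is why the management IP does not need to be removed for the fix to work.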

Hall of Fame Super Silver

Vibhor's answer is the correct approach. I have used it successfully myself.
