10-08-2014 02:21 PM - edited 03-11-2019 09:53 PM
I am trying to access the asacx module installed on a remote ASA 5525 over a L2L VPN tunnel. The IP address of the asacx module is 192.168.148.3. The IP address of the management interface on the ASA is 192.168.148.2. When attempting to access the asacx module I see the following in the ASA logs:
<172>%ASA-4-418001: Through-the-device packet to/from management-only network is denied: tcp src outside:192.168.50.112/58002 dst management:192.168.148.3/443
Is there any way to get around this? Is there a possible way to route back to the management network through the router on the other side?
I think if I could delete the connected route for the 192.168.148.0 network I could just route through the inside interface and then back to the management. How do you all access your asacx's remotely?
Thank you in advance for any help that you can provide.
10-08-2014 07:01 PM
Hi,
This is expected as the management interface will never allow any through traffic. You would have to route this traffic through a different interface and probably the Inside interface of the ASA device.
Put a static route to the inside interface for the CX management IP and that should resolve this issue for you.
Check this doc for more information [Scenario 4]:
http://www.cisco.com/c/en/us/support/docs/security/ips-sensor-software-version-71/113690-ips-config-mod-00.html
Thanks and Regards,
Vibhor Amrodia
10-09-2014 02:17 PM
Thank you Vibhor and Marvin,
For completeness I will also add that if you have an IP address on the management interface of the ASA you will have to take it off or it will show a connected route which will be weighted lower than the static. Once I put the static in and took the IP address off of the management interface I was able to access the asacx module.
10-09-2014 03:11 PM
You don't need to remove the ASA management IP as the connected routes on that interface are only the /32 of the ASA management address itself and the subnet to which it belongs, be it a /24 or whatever.
Your static route for the CX management should be a /32 route for that address. Thus the longest prefix match will choose that static route despite it belonging to the same subnet as the ASA management interface.
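As an added illustration (not code from the thread, from Cisco, or from the ASA itself), the following Python model reproduces the route selection Marvin describes and the symptom from the original question. It builds a table with the connected routes the management interface address 192.168.148.2/24 creates (the /24 and the ASA's own /32), an inside network and default route whose values are constructed for the example (10.10.10.0/24, next hop 10.10.10.1, default via 203.0.113.1), and optionally the /32 static for the CX at 192.168.148.3 out the inside interface. The lookup picks the longest prefix first and only uses administrative distance to break ties, so the /32 static wins over the connected /24 without touching the management IP. On a real ASA that static is installed with a command of the form `route inside 192.168.148.3 255.255.255.255 <inside-next-hop>`; the next hop is an assumption here, not a value from the thread.

```python
"""Longest-prefix-match model of the ASA routing decision discussed in the thread."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# ASA administrative distances: connected beats static only when the prefix
# lengths are equal; prefix length is always compared first.
ADMIN_DISTANCE = {"connected": 0, "static": 1}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network   # destination network
    interface: str                  # egress interface (nameif)
    kind: str                       # "connected" or "static"
    next_hop: Optional[str] = None  # gateway for static routes


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the route the ASA would use for dst: longest prefix first,
    then lowest administrative distance."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates,
               key=lambda r: (r.prefix.prefixlen, -ADMIN_DISTANCE[r.kind]))


def through_the_device_denied(table: List[Route], src_if: str, dst: str) -> bool:
    """Model of %ASA-4-418001: transit traffic arriving on a data interface
    whose egress would be the management-only interface is dropped."""
    route = lookup(table, dst)
    return (route is not None
            and route.interface == "management"
            and src_if != "management")


def build_table(with_cx_static: bool) -> List[Route]:
    """Routing table using the thread's management addresses plus constructed
    inside/outside values (10.10.10.0/24, 10.10.10.1, 203.0.113.1)."""
    net = ipaddress.IPv4Network
    table = [
        # Connected routes created by the ASA management address 192.168.148.2/24.
        Route(net("192.168.148.0/24"), "management", "connected"),
        Route(net("192.168.148.2/32"), "management", "connected"),
        # Constructed inside network and default route (not from the thread).
        Route(net("10.10.10.0/24"), "inside", "connected"),
        Route(net("0.0.0.0/0"), "outside", "static", "203.0.113.1"),
    ]
    if with_cx_static:
        # Vibhor's fix: host route for the CX management IP out the inside
        # interface; the next hop 10.10.10.1 is an assumed inside router.
        table.append(Route(net("192.168.148.3/32"), "inside", "static", "10.10.10.1"))
    return table


if __name__ == "__main__":
    for with_static in (False, True):
        table = build_table(with_static)
        chosen = lookup(table, "192.168.148.3")
        denied = through_the_device_denied(table, "outside", "192.168.148.3")
        print(f"static /32 present={with_static}: egress={chosen.interface} "
              f"via {chosen.prefix} -> {'DENIED' if denied else 'forwarded'}")
```

Without the host route the lookup lands on the connected /24 via management and the model flags the same denial the questioner saw; with it, traffic from the VPN is forwarded out inside, and the ASA's own 192.168.148.2 still resolves to its connected /32.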
10-08-2014 08:44 PM
Vibhor's answer is the correct approach. I have used it successfully myself.