Cisco Support Community

Traffic to and from ASA Interface


I need to monitor the SSL VPN service on the external interface of an ASA5580 running version 9.1.2 from Nagios in the internal network. Is it possible to allow traffic to one interface that comes from another interface?

All my interfaces have security-level 0, no nat-control, and the same-security permit intra-interface and inter-interface commands are applied.

Another question. My external interface has a private address and I need to monitor a public IP with SLA for route tracking. Is it possible to NAT to a public IP when traffic originates from the ASA?



Traffic to and from ASA Interface


To my understanding there is no supported way of enabling a host behind one interface to access another interface of the ASA, which is what you seem to be asking.

I have only found an old document that states this limitation:

Note: For security purposes the security appliance does not support far-end interface ping, that is pinging the IP address of the outside interface from the inside network.

I guess you would have to somehow make a connection for the network monitoring past the ASA (and natting the source IP address of the monitor server) so the server could reach the external interface while actually connecting to it through that ASA's external interface rather than an internal interface. Naturally this would mean implementing a network setup that might probably be ideal when trying to keep the environment simple.

In the other question I presume you mean is it possible to NAT the actual interface IP address of the ASA? To my understanding this is not possible.

But if your actual firewall is behind another NAT device (as it's using a private IP address on its external interface) then is there a need to do anything special on this firewall? Wouldn't the device in front of the ASA handle the required NAT for the ASA to be able to monitor remote hosts for the purpose of tracking?

- Jouni
