Using an ASA, I'm trying to TFTP to a remote site down a L2L VPN but can't work out how to get self-generated packets down the VPN. The VPN is working perfectly for all forwarded traffic, the TFTP server works, and the ASA can TFTP to local devices.
It'd be a bit tricky, but I believe you could add a /32 static route for the TFTP server on the management interface pointing to an inside router/gateway address. That gateway should then know to route to the remote site's netblock via the ASA inside interface, and from there it should hit the crypto map etc. and be IPsec-encapsulated into the VPN.
Otherwise the ASA will just try to send the traffic out the outside interface (thus initiating from the outside IP address), and it will not get encapsulated by IPsec and thus fail.
The above didn't work. I still haven't found a way to get the ASA to treat self-generated traffic the same way as forwarded traffic, which is a little frustrating but not vital.
I used SCP instead. Here's my fix for those with the same issue:
* Type "ssh scopy enable" on each ASA's CLI
* Install 'sshpass' and 'expect' on a Linux box
* Create a shell script that looks like this:

#!/bin/bash
if [ "$1" = "Site1FW" ]; then REMOTE_IP=188.8.131.52; fi
if [ "$1" = "Site2FW" ]; then REMOTE_IP=184.108.40.206; fi
# runs the expect script which will ssh into the remote ASA, enable scp and create a file called SCPconfbackup
/root/path/createbackupfile $REMOTE_IP
# scp into the remote firewall and pull down the config file. Save it in the TFTP folder with a timestamp.
sshpass -p 'Changeme' scp Username@$REMOTE_IP:disk0:SCPconfbackup /var/tftp/${1}_backup$(date +"%d-%m-%Y")
# log that the script ran
echo "$1 autobackup script ran $(date)" >> /var/log/Autobackuplog
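The script above embeds the ASA password in clear text and hands it to sshpass, which also exposes it in the process list. Below is an added example (not the poster's script, and not Cisco's code) of the same SCP backup flow using key-based SSH authentication, with a strict host-key check, a sanity check on the pulled file and a change check against the previous backup. The key path, the ASA username "backup", the site names/addresses, the TFTP directory and the log path are placeholders assumed for illustration; the ASA-side "ssh authentication pkf" configuration in the header comment is from Cisco's ASA documentation and still needs "ssh scopy enable" as in the original post.

```shell
#!/bin/sh
# Added example, not code from the original post. Key-based SCP backup of an
# ASA config. Assumed names: KEY, BACKUP_DIR, LOG, username "backup" and the
# site-to-IP map below are placeholders for your environment.
#
# ASA side (per Cisco docs; run on each firewall after "ssh scopy enable"):
#   username backup privilege 15 password <something>
#   username backup attributes
#     ssh authentication pkf
#     <paste the public key in PKF format, finish with "quit">

KEY="${KEY:-/root/.ssh/asa_backup}"
BACKUP_DIR="${BACKUP_DIR:-/var/tftp}"
LOG="${LOG:-/var/log/Autobackuplog}"

# Map a site name to its ASA address. Unknown names are an error so that a
# typo cannot silently back up nothing (the original script would run scp
# against an empty REMOTE_IP).
resolve_site() {
    case "$1" in
        Site1FW) echo 188.8.131.52 ;;
        Site2FW) echo 184.108.40.206 ;;
        *) echo "unknown site: $1" >&2; return 1 ;;
    esac
}

# Destination path with an ISO date so directory listings sort chronologically.
backup_path() {
    echo "$BACKUP_DIR/${1}_backup$(date -u +%Y-%m-%d)"
}

# Reject a pulled file that is empty or does not look like an ASA config:
# a failed transfer can leave a zero-byte file that looks like a good backup.
looks_like_asa_config() {
    [ -s "$1" ] && grep -q '^ASA Version' "$1"
}

# Return 0 when the new config differs from the previous backup (or there is
# no previous backup), 1 when identical, so cron can alert only on change.
config_changed() {
    prev="$1"; new="$2"
    [ -f "$prev" ] || return 0
    [ "$(sha256sum < "$prev")" != "$(sha256sum < "$new")" ]
}

# Pull disk0:SCPconfbackup (the file the expect script in the original post
# creates on the ASA). BatchMode=yes makes scp fail instead of prompting if
# the key is rejected; strict host-key checking pins the ASA's host key.
asa_backup() {
    site="$1"
    ip="$(resolve_site "$site")" || return 1
    dest="$(backup_path "$site")"
    scp -q -o BatchMode=yes -o StrictHostKeyChecking=yes -i "$KEY" \
        "backup@${ip}:disk0:SCPconfbackup" "$dest" || return 1
    looks_like_asa_config "$dest" || { rm -f "$dest"; return 1; }
    echo "$site autobackup ran $(date -u +%FT%TZ) -> $dest" >> "$LOG"
}

# Usage: ./asa_backup.sh Site1FW
if [ $# -eq 1 ]; then
    asa_backup "$1"
fi
```

The host key must already be in known_hosts for the backup user (connect once interactively, or add it from the ASA's "show crypto key mypubkey rsa" output), otherwise StrictHostKeyChecking=yes makes the first run fail on purpose rather than accept an unverified key.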