Recently I created a tunnel for a client between two Cisco ASAs. They monitor via PRTG and make automated backups via SolarWinds. After the tunnel creation, all traffic worked great except traffic (SSH, SNMP, ping) directed to the device's inside interface. There are a few simple commands that fix this. In this entry I will point out those commands and explain why they actually fix the issue.
So the above image shows a simple layout of what I have going on. All is working with the VPN: it's up and functioning, everything is great except access to the ASA itself from the remote subnet. The ASA in question is 192.168.19.1/24.
There are really two commands here. First:
management-access <inside interface>
As Cisco states it:
“If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you can identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface”.
Awesome, so that allows us to use the inside interface for management when we connect through a different interface (the VPN). For me this alone did not work; I still could not access the device from the remote subnet.
The next command, which actually resolved the issue for me, had to do with my NAT statement. The firmware version on this device is 9.x, so we use object-based NAT for our NO-NAT (identity NAT) statements.
nat (inside,outside) source static LOCAL-NETWORKS LOCAL-NETWORKS destination static 10.0.0.0/24 10.0.0.0/24 route-lookup
To note, LOCAL-NETWORKS is an object group that contains my 192.168.19.0/24 subnet.
Adding the route-lookup keyword to the NO-NAT rule resolved the issue. The reason is that when the ASA forwards a packet to a destination, it normally looks up the egress interface; once a twice NAT rule matches, it instead uses the interface specified in the NAT rule, which in this case is "outside". That makes a lot of sense for normal traffic, but we don't want this traffic sent out of the WAN interface; we want it to follow the tunnel. Specifying route-lookup tells the firewall to consult the routing table for the destination and forward the packet accordingly, overriding the egress interface implied by the identity NAT statement (the interface listed in the NO-NAT rule). According to Cisco, the ASA consulted the routing table by default in older firmware versions, but to make this more flexible with NAT you now have to specify the keyword explicitly.
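As an added example (not the post's own running-config), here is how the two fixes fit together, with the network objects that twice NAT syntax requires in place of a bare CIDR. The interface names and subnets are the ones from the post; the object names LOCAL-LAN and REMOTE-NETWORK, the management-host 10.0.0.10, the SSH/ICMP lines and the packet-tracer check are assumptions added for illustration.

```cisco
! Added example configuration, not the original post's device config.
! Interfaces "inside"/"outside" and subnets 192.168.19.0/24 (local) and
! 10.0.0.0/24 (remote) come from the post; object names are assumed.
object network LOCAL-LAN
 subnet 192.168.19.0 255.255.255.0
object-group network LOCAL-NETWORKS
 network-object object LOCAL-LAN
object network REMOTE-NETWORK
 subnet 10.0.0.0 255.255.255.0
!
! Identity (NO-NAT) rule for the tunnel traffic. Without route-lookup the ASA
! takes the egress interface from this rule; with it, the routing table decides,
! so packets addressed to 192.168.19.1 are handed to the ASA itself.
nat (inside,outside) source static LOCAL-NETWORKS LOCAL-NETWORKS destination static REMOTE-NETWORK REMOTE-NETWORK route-lookup
!
! Let peers arriving through the tunnel reach the inside interface for
! SSH, SNMP, ASDM and ping.
management-access inside
!
! Scope management access to the remote subnet only (hosts are reached via
! "inside" because of management-access).
ssh 10.0.0.0 255.255.255.0 inside
icmp permit 10.0.0.0 255.255.255.0 inside
!
! Verification: simulate a ping from a constructed remote host 10.0.0.10 to the
! inside interface. The trace should show the NAT phase and end with
! Action: allow; if it shows the packet being routed out "inside" or dropped,
! route-lookup or management-access is missing.
packet-tracer input outside icmp 10.0.0.10 8 0 192.168.19.1 detailed
```

`show nat detail` confirms the rule carries the route-lookup flag and is being hit.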
That's it; all communication to your ASA should now work.