Access to internal interface IP over IPSec

Posted on 2011-03-07
Last Modified: 2012-06-21
Hi Experts!

On my corporate network (192.168.111.0/24) I am running a Cisco ASA 5505 (8.3.1) firewall. I have configured an IPSec tunnel from my home network (192.168.0.0/24) and everything works fine, except one thing:

I can access all the resources on the remote network (192.168.111.0/24) except the internal interface on 192.168.111.1. This means that I cannot configure the ASA through the VPN tunnel which is not a big problem, but would be nice to have solved.

I'm new to the Cisco product so I have probably overlooked something. As I am not familiar with the telnet commands yet, I have configured it using the ASDM.

Grateful for any insights on this matter.

Thanks
Lospilotos
Question by: lospilotos

11 Comments


Expert Comment

by:Ernie Beek
ID: 35055849
Try the command:
management-access inside

Author Comment

by:lospilotos
ID: 35056141
Thanks for pointing me in the probably right direction, but it did not quite work. You are right in the fact that the explanation of the command you gave in the ASDM is exactly that: to enable configuration via a site-to-site tunnel.

I found the Management Access config, though, where only the corporate network was added:

dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.111.0 255.255.255.0 inside

I also added the home network to that now so this is its current state:

dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.111.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside

Should perhaps the 192.168.0.0 be on the outside instead?

Expert Comment

by:Ernie Beek
ID: 35056263
Nope, not on the outside. This should do the trick.

Perhaps something is blocked. Did you have a look at the ASA's logs to see if anything is being dropped?

Author Comment

by:lospilotos
ID: 35056459
Of course, logs are always a good thing:

In this case I try to connect through a browser to the https://192.168.111.1 address, which also works fine when I'm on the internal network, but not through the tunnel. It's a bit messy, but perhaps you can make something out of it. The IP address of my machine on the home network is 192.168.0.200

I also found Management Access Rules, just like normal ACLs. Do I have to configure those too? They are set to IP deny at the moment.
___________________________________________________
6|Mar 07 2011|14:36:00|302014|192.168.0.200|62638|192.168.111.1|443|Teardown TCP connection 177402 for outside:192.168.0.200/62638 to identity:192.168.111.1/443 duration 0:00:00 bytes 577 TCP Reset-O
6|Mar 07 2011|14:36:00|725007|192.168.0.200|62638|||SSL session with client inside:192.168.0.200/62638 terminated.
6|Mar 07 2011|14:36:00|725002|192.168.0.200|62638|||Device completed SSL handshake with client inside:192.168.0.200/62638
6|Mar 07 2011|14:36:00|725001|192.168.0.200|62638|||Starting SSL handshake with client inside:192.168.0.200/62638 for TLSv1 session.
6|Mar 07 2011|14:36:00|302013|192.168.0.200|62638|192.168.111.1|443|Built inbound TCP connection 177402 for outside:192.168.0.200/62638 (192.168.0.200/62638) to identity:192.168.111.1/443 (192.168.111.1/443)
6|Mar 07 2011|14:36:00|302014|192.168.0.200|62638|192.168.111.1|443|Teardown TCP connection 177401 for outside:192.168.0.200/62638 to identity:192.168.111.1/443 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
6|Mar 07 2011|14:36:00|302013|192.168.0.200|62638|192.168.111.1|443|Built inbound TCP connection 177401 for outside:192.168.0.200/62638 (192.168.0.200/62638) to identity:192.168.111.1/443 (192.168.111.1/443)
6|Mar 07 2011|14:36:00|302014|192.168.0.200|62637|192.168.111.1|443|Teardown TCP connection 177400 for outside:192.168.0.200/62637 to identity:192.168.111.1/443 duration 0:00:00 bytes 577 TCP Reset-O
6|Mar 07 2011|14:36:00|725007|192.168.0.200|62637|||SSL session with client inside:192.168.0.200/62637 terminated.
6|Mar 07 2011|14:36:00|725002|192.168.0.200|62637|||Device completed SSL handshake with client inside:192.168.0.200/62637
6|Mar 07 2011|14:36:00|725001|192.168.0.200|62637|||Starting SSL handshake with client inside:192.168.0.200/62637 for TLSv1 session.
6|Mar 07 2011|14:36:00|302013|192.168.0.200|62637|192.168.111.1|443|Built inbound TCP connection 177400 for outside:192.168.0.200/62637 (192.168.0.200/62637) to identity:192.168.111.1/443 (192.168.111.1/443)
6|Mar 07 2011|14:36:00|302014|192.168.0.200|62637|192.168.111.1|443|Teardown TCP connection 177399 for outside:192.168.0.200/62637 to identity:192.168.111.1/443 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
6|Mar 07 2011|14:36:00|302013|192.168.0.200|62637|192.168.111.1|443|Built inbound TCP connection 177399 for outside:192.168.0.200/62637 (192.168.0.200/62637) to identity:192.168.111.1/443 (192.168.111.1/443)
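
The log excerpt above is the kind of evidence worth reading carefully before touching any more ACLs, so here is an added example (not code from the original post or from Cisco) that correlates those lines. It assumes the pipe-delimited layout the ASDM log viewer exports (severity|date|time|message-id|src|sport|dst|dport|text) and that the viewer lists the newest line first, which is what the post shows (each Teardown appears above its Built). For every TCP connection id it pairs the 302013 Built and 302014 Teardown messages, attaches the 7250xx SSL messages (which carry no connection id) to whichever connection from that client ip/port was open at the time, and reports the teardown reason and byte count. The sample is constructed from the posted lines, keeping only the two connections for client port 62638.

```python
"""Correlate Cisco ASA 302013/302014 (TCP built/teardown) and 7250xx (SSL)
syslog messages per connection. Added example for this thread; not code
from the original post or from Cisco."""
import re
from collections import Counter

# Constructed sample: the two connections for client port 62638 copied from
# the post, in ASDM log-viewer order (newest line first).
SAMPLE_LOG = """\
6|Mar 07 2011|14:36:00|302014|192.168.0.200|62638|192.168.111.1|443|Teardown TCP connection 177402 for outside:192.168.0.200/62638 to identity:192.168.111.1/443 duration 0:00:00 bytes 577 TCP Reset-O
6|Mar 07 2011|14:36:00|725007|192.168.0.200|62638|||SSL session with client inside:192.168.0.200/62638 terminated.
6|Mar 07 2011|14:36:00|725002|192.168.0.200|62638|||Device completed SSL handshake with client inside:192.168.0.200/62638
6|Mar 07 2011|14:36:00|725001|192.168.0.200|62638|||Starting SSL handshake with client inside:192.168.0.200/62638 for TLSv1 session.
6|Mar 07 2011|14:36:00|302013|192.168.0.200|62638|192.168.111.1|443|Built inbound TCP connection 177402 for outside:192.168.0.200/62638 (192.168.0.200/62638) to identity:192.168.111.1/443 (192.168.111.1/443)
6|Mar 07 2011|14:36:00|302014|192.168.0.200|62638|192.168.111.1|443|Teardown TCP connection 177401 for outside:192.168.0.200/62638 to identity:192.168.111.1/443 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
6|Mar 07 2011|14:36:00|302013|192.168.0.200|62638|192.168.111.1|443|Built inbound TCP connection 177401 for outside:192.168.0.200/62638 (192.168.0.200/62638) to identity:192.168.111.1/443 (192.168.111.1/443)
"""

BUILT_RE = re.compile(
    r"Built (?:inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<sif>\w+):(?P<sip>[\d.]+)/(?P<sport>\d+) \S+ to "
    r"(?P<dif>\w+):(?P<dip>[\d.]+)/(?P<dport>\d+)")
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for .* duration \S+ "
    r"bytes (?P<bytes>\d+) (?P<reason>.+)$")
SSL_CLIENT_RE = re.compile(r"client (?P<if>\w+):(?P<ip>[\d.]+)/(?P<port>\d+)")


def parse_asa_export(text):
    """Split each exported line into its nine fields (assumed ASDM layout)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("|", 8)
        if len(fields) != 9:
            raise ValueError("unexpected field count: %r" % line)
        sev, _date, _time, msgid, src, sport, dst, dport, msg = fields
        records.append({"severity": int(sev), "msgid": msgid, "src": src,
                        "sport": sport, "dst": dst, "dport": dport, "text": msg})
    return records


def correlate(records, newest_first=True):
    """One entry per TCP connection id; SSL messages are attached to the
    connection from the same client ip/port that was open when they fired."""
    ordered = list(reversed(records)) if newest_first else list(records)
    conns, open_by_client = {}, {}        # open_by_client: (ip, port) -> id
    for rec in ordered:
        text, msgid = rec["text"], rec["msgid"]
        if msgid == "302013":
            m = BUILT_RE.search(text)
            if not m:
                continue
            cid = m.group("id")
            conns[cid] = {"src_if": m.group("sif"), "src": m.group("sip"),
                          "sport": m.group("sport"), "dst_if": m.group("dif"),
                          "dst": m.group("dip"), "dport": m.group("dport"),
                          "bytes": None, "reason": None,
                          "ssl_events": [], "ssl_if": None}
            open_by_client[(m.group("sip"), m.group("sport"))] = cid
        elif msgid == "302014":
            m = TEARDOWN_RE.search(text)
            if not m or m.group("id") not in conns:
                continue
            c = conns[m.group("id")]
            c["bytes"], c["reason"] = int(m.group("bytes")), m.group("reason").strip()
            key = (c["src"], c["sport"])
            if open_by_client.get(key) == m.group("id"):
                del open_by_client[key]           # this 5-tuple is now closed
        elif msgid.startswith("7250"):
            m = SSL_CLIENT_RE.search(text)
            cid = m and open_by_client.get((m.group("ip"), m.group("port")))
            if cid:
                conns[cid]["ssl_events"].append(msgid)
                conns[cid]["ssl_if"] = m.group("if")
    return conns


def reason_counts(conns):
    """How each connection ended, e.g. TCP Reset-O vs TCP Intercept."""
    return Counter(c["reason"] for c in conns.values() if c["reason"])


def handshake_completed(conn):
    """725002 is 'Device completed SSL handshake'."""
    return "725002" in conn["ssl_events"]


def interface_mismatches(conns):
    """Ids where the SSL server named the client on a different interface
    (inside) than the one the flow was built on (outside)."""
    return sorted(cid for cid, c in conns.items()
                  if c["ssl_if"] and c["ssl_if"] != c["src_if"])


if __name__ == "__main__":
    result = correlate(parse_asa_export(SAMPLE_LOG))
    for cid, c in sorted(result.items()):
        print(cid, c["src_if"], "->", c["dst_if"], c["bytes"], "bytes,",
              c["reason"], "| SSL handshake:", handshake_completed(c))
    print(dict(reason_counts(result)), "mismatch:", interface_mismatches(result))
```

Two things the correlation makes visible: the flow that was "terminated by TCP Intercept" carried 0 bytes and never reached an SSL handshake, while the one that completed the handshake was torn down by a reset with 577 bytes exchanged, so the traffic is reaching the ASA's HTTPS server rather than being dropped by an interface ACL. It also shows the same peer labelled outside: on the Built/Teardown lines and inside: on the SSL lines, which is the interface name the working http statement later ended up on.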

Accepted Solution

by: Ernie Beek (earned 125 total points)
ID: 35056489
Darn, too little coffee.....

You were right, it should be:

management-access inside

http server enable
http 192.168.111.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 outside

Because the vpn client's ip terminates on the outside interface...........

[off to the coffee machine now]

Author Comment

by:lospilotos
ID: 35056644
Still the same problem... Let me know if you come up with something after that well deserved cup of java.. ;-)

Author Comment

by:lospilotos
ID: 35056654
Just another piece of info: I can ping the IP-number of the internal interface, but cannot access it using ASDM or HTTPS...

Author Closing Comment

by:lospilotos
ID: 35056835
It should be on the inside, but I got the whole network mask wrong. So in conclusion, this is the current, working config:

management-access inside

http server enable
http 192.168.111.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside

Thanks!

Expert Comment

by:Ernie Beek
ID: 35056838
Could you post a sanitized config of the ASA? I'm getting quite curious now why it isn't working...

Author Comment

by:lospilotos
ID: 35056849
Cross transmission erniebeek... ;-) Problem solved if you look at my latest comment.

Thanks again!

Expert Comment

by:Ernie Beek
ID: 35056853
Ok good.

You might wanna get a cup'o'java yourself ;)