lospilotos
asked on
Access to internal interface IP over IPSec

Hi Experts!

On my corporate network (192.168.111.0/24) I am running a Cisco ASA 5505 (8.3.1) firewall. I have configured an IPSec tunnel from my home network (192.168.0.0/24) and everything works fine, except one thing:

I can access all the resources on the remote network (192.168.111.0/24) except the internal interface on 192.168.111.1. This means that I cannot configure the ASA through the VPN tunnel which is not a big problem, but would be nice to have solved.

I'm new to the Cisco product so I have probably overlooked something. As I am not familiar with the telnet commands yet, I have configured using the ASDM.

Grateful for any insights on this matter.

Thanks
Lospilotos
Ernie Beek

Try the command:
management-access inside
lospilotos (ASKER)
Thanks for pointing me in the probably right direction, but it did not quite work. You are right in the fact that the explanation of the command you gave in the ASDM is exactly that: to enable configuration via a site-to-site tunnel.

I found the Management Access config though, where only the corporate network was added:

dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.111.0 255.255.255.0 inside

I also added the home network to that now so this is its current state:

dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.111.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside

Should perhaps the 192.168.0.0 be on the outside instead?
Nope, not on the outside. This should do the trick.

Perhaps something is blocked. Did you have a look at the ASA's logs to see if anything is being dropped?
Of course, logs are always a good thing:

In this case I try to connect through a browser to the https://192.168.111.1 address, which also works fine when I'm on the internal network, but not through the tunnel. It's a bit messy, but perhaps you can make something out of it. The IP address of my machine on the home network is 192.168.0.200

I also found Management Access Rules, just like normal ACLs. Do I have to configure those too? They are set to IP deny at the moment.
___________________________________________________
6|Mar 07 2011|14:36:00|302014|192.168.0.200|62638|192.168.111.1|443|Teardown TCP connection 177402 for outside:192.168.0.200/62638 to identity:192.168.111.1/443 duration 0:00:00 bytes 577 TCP Reset-O
6|Mar 07 2011|14:36:00|725007|192.168.0.200|62638|||SSL session with client inside:192.168.0.200/62638 terminated.
6|Mar 07 2011|14:36:00|725002|192.168.0.200|62638|||Device completed SSL handshake with client inside:192.168.0.200/62638
6|Mar 07 2011|14:36:00|725001|192.168.0.200|62638|||Starting SSL handshake with client inside:192.168.0.200/62638 for TLSv1 session.
6|Mar 07 2011|14:36:00|302013|192.168.0.200|62638|192.168.111.1|443|Built inbound TCP connection 177402 for outside:192.168.0.200/62638 (192.168.0.200/62638) to identity:192.168.111.1/443 (192.168.111.1/443)
6|Mar 07 2011|14:36:00|302014|192.168.0.200|62638|192.168.111.1|443|Teardown TCP connection 177401 for outside:192.168.0.200/62638 to identity:192.168.111.1/443 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
6|Mar 07 2011|14:36:00|302013|192.168.0.200|62638|192.168.111.1|443|Built inbound TCP connection 177401 for outside:192.168.0.200/62638 (192.168.0.200/62638) to identity:192.168.111.1/443 (192.168.111.1/443)
6|Mar 07 2011|14:36:00|302014|192.168.0.200|62637|192.168.111.1|443|Teardown TCP connection 177400 for outside:192.168.0.200/62637 to identity:192.168.111.1/443 duration 0:00:00 bytes 577 TCP Reset-O
6|Mar 07 2011|14:36:00|725007|192.168.0.200|62637|||SSL session with client inside:192.168.0.200/62637 terminated.
6|Mar 07 2011|14:36:00|725002|192.168.0.200|62637|||Device completed SSL handshake with client inside:192.168.0.200/62637
6|Mar 07 2011|14:36:00|725001|192.168.0.200|62637|||Starting SSL handshake with client inside:192.168.0.200/62637 for TLSv1 session.
6|Mar 07 2011|14:36:00|302013|192.168.0.200|62637|192.168.111.1|443|Built inbound TCP connection 177400 for outside:192.168.0.200/62637 (192.168.0.200/62637) to identity:192.168.111.1/443 (192.168.111.1/443)
6|Mar 07 2011|14:36:00|302014|192.168.0.200|62637|192.168.111.1|443|Teardown TCP connection 177399 for outside:192.168.0.200/62637 to identity:192.168.111.1/443 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
6|Mar 07 2011|14:36:00|302013|192.168.0.200|62637|192.168.111.1|443|Built inbound TCP connection 177399 for outside:192.168.0.200/62637 (192.168.0.200/62637) to identity:192.168.111.1/443 (192.168.111.1/443)
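As an added example (mine, not the asker's and not Cisco's), here is a small Python parser for the pipe-delimited ASDM log export format used in the post above. It works on a constructed subset of those lines embedded as sample input, tallies the teardown reasons, lists connections that closed with zero bytes, and reports which interface label the ASA attached to the same client address in the connection-table messages versus the SSL messages. The field layout (severity|date|time|message ID|source|source port|destination|destination port|text) is assumed from the lines as pasted; nothing here interprets what a given teardown reason means on the box.

```python
import re
from collections import Counter

# Constructed sample: a subset of the ASDM log lines quoted in the thread,
# in the same pipe-delimited export format (assumed layout, see lead-in).
SAMPLE_LOG = """\
6|Mar 07 2011|14:36:00|302014|192.168.0.200|62638|192.168.111.1|443|Teardown TCP connection 177402 for outside:192.168.0.200/62638 to identity:192.168.111.1/443 duration 0:00:00 bytes 577 TCP Reset-O
6|Mar 07 2011|14:36:00|725007|192.168.0.200|62638|||SSL session with client inside:192.168.0.200/62638 terminated.
6|Mar 07 2011|14:36:00|725002|192.168.0.200|62638|||Device completed SSL handshake with client inside:192.168.0.200/62638
6|Mar 07 2011|14:36:00|725001|192.168.0.200|62638|||Starting SSL handshake with client inside:192.168.0.200/62638 for TLSv1 session.
6|Mar 07 2011|14:36:00|302013|192.168.0.200|62638|192.168.111.1|443|Built inbound TCP connection 177402 for outside:192.168.0.200/62638 (192.168.0.200/62638) to identity:192.168.111.1/443 (192.168.111.1/443)
6|Mar 07 2011|14:36:00|302014|192.168.0.200|62638|192.168.111.1|443|Teardown TCP connection 177401 for outside:192.168.0.200/62638 to identity:192.168.111.1/443 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
6|Mar 07 2011|14:36:00|302013|192.168.0.200|62638|192.168.111.1|443|Built inbound TCP connection 177401 for outside:192.168.0.200/62638 (192.168.0.200/62638) to identity:192.168.111.1/443 (192.168.111.1/443)
"""

# Free-text part of a 302014 (teardown) message.
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<conn>\d+) for (?P<src>\S+) to (?P<dst>\S+) "
    r"duration (?P<duration>\S+) bytes (?P<bytes>\d+) (?P<reason>.+)$"
)


def parse_line(line):
    """Split one export line into its nine fields; None if the line is malformed."""
    fields = line.rstrip("\r\n").split("|", 8)
    if len(fields) != 9:
        return None
    sev, date, time_, msgid, src, sport, dst, dport, text = fields
    return {"severity": int(sev), "date": date, "time": time_, "msgid": msgid,
            "src": src, "sport": sport, "dst": dst, "dport": dport, "text": text}


def records(log_text):
    """All well-formed records in the export, in file order."""
    return [r for r in (parse_line(l) for l in log_text.splitlines()) if r]


def teardown_reasons(log_text):
    """Count the trailing reason string of every 302014 teardown message."""
    reasons = Counter()
    for rec in records(log_text):
        if rec["msgid"] != "302014":
            continue
        m = TEARDOWN_RE.search(rec["text"])
        if m:
            reasons[m.group("reason")] += 1
    return reasons


def zero_byte_connections(log_text):
    """Connection IDs torn down before any payload moved (bytes 0)."""
    ids = []
    for rec in records(log_text):
        if rec["msgid"] == "302014":
            m = TEARDOWN_RE.search(rec["text"])
            if m and int(m.group("bytes")) == 0:
                ids.append(m.group("conn"))
    return sorted(ids)


def interface_labels(log_text, client_ip):
    """Interface names the ASA prefixed to client_ip (e.g. 'outside:' in 3020xx,
    'inside:' in 7250xx SSL messages) across all records."""
    pat = re.compile(rf"(\w+):{re.escape(client_ip)}/")
    labels = set()
    for rec in records(log_text):
        labels.update(pat.findall(rec["text"]))
    return sorted(labels)


if __name__ == "__main__":
    print(dict(teardown_reasons(SAMPLE_LOG)))
    print(zero_byte_connections(SAMPLE_LOG))
    print(interface_labels(SAMPLE_LOG, "192.168.0.200"))
```

Run it on a real export by replacing SAMPLE_LOG with the file contents; the three functions are the ones worth keeping in a notebook when triaging "works on the LAN, fails over the tunnel" reports, because they separate connections that died with no payload from those that exchanged bytes and were then reset.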
ASKER CERTIFIED SOLUTION
Ernie Beek
This solution is only available to members.
Still the same problem... Let me know if you come up with something after that well deserved cup of java.. ;-)
Just another piece of info: I can ping the IP-number of the internal interface, but cannot access it using ASDM or HTTPS...
It should be on the inside, but I got the whole network mask wrong. So in conclusion, this is the current, working config:

management-access inside

http server enable
http 192.168.111.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside

Thanks!
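As an added example (mine, not the asker's and not Cisco's), here is a Python check of the three settings this thread ends on: `management-access` on the interface, `http server enable`, and an `http <network> <mask> <interface>` line on that same interface whose network actually covers the VPN client address. The config strings are constructed: one mirrors the final working state posted above, the other is a hypothetical variant with a wrong mask on the home-network line, since the asker mentions getting the mask wrong. It deliberately does not model the crypto map, NAT exemption or interface ACLs that the tunnel itself depends on.

```python
import ipaddress

# Constructed: the working fragment from the end of the thread.
WORKING_CONFIG = """\
management-access inside
http server enable
http 192.168.111.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside
"""

# Constructed, hypothetical: same fragment with a host mask on the home network,
# so the line only matches 192.168.0.0 itself and no client in that /24.
WRONG_MASK_CONFIG = WORKING_CONFIG.replace(
    "192.168.0.0 255.255.255.0", "192.168.0.0 255.255.255.255")


def parse_management_config(config_text):
    """Pull out management-access interface, http server state and http rules.

    Returns (mgmt_ifc or None, http_enabled, [(ip_network, interface), ...]).
    Only these three statement forms are understood; everything else is ignored.
    """
    mgmt_ifc = None
    http_enabled = False
    http_rules = []
    for raw in config_text.splitlines():
        tokens = raw.strip().split()
        if not tokens:
            continue
        if tokens[0] == "management-access" and len(tokens) == 2:
            mgmt_ifc = tokens[1]
        elif tokens[:3] == ["http", "server", "enable"]:
            http_enabled = True
        elif tokens[0] == "http" and len(tokens) == 4:
            # ASA writes the mask in dotted form; ipaddress accepts "net/mask".
            net = ipaddress.ip_network(f"{tokens[1]}/{tokens[2]}", strict=False)
            http_rules.append((net, tokens[3]))
    return mgmt_ifc, http_enabled, http_rules


def asdm_over_vpn_problems(config_text, client_ip, ifc="inside"):
    """Reasons why client_ip could not reach ASDM/HTTPS on the `ifc` interface
    address through the tunnel; an empty list means all three checks pass."""
    mgmt_ifc, http_enabled, rules = parse_management_config(config_text)
    ip = ipaddress.ip_address(client_ip)
    problems = []
    if not http_enabled:
        problems.append("http server enable is missing")
    if mgmt_ifc != ifc:
        problems.append(f"management-access {ifc} is missing")
    if not any(ip in net and rule_ifc == ifc for net, rule_ifc in rules):
        problems.append(f"no 'http <net> <mask> {ifc}' line covers {client_ip}")
    return problems


if __name__ == "__main__":
    for name, cfg in (("working", WORKING_CONFIG), ("wrong mask", WRONG_MASK_CONFIG)):
        print(name, asdm_over_vpn_problems(cfg, "192.168.0.200") or "ok")
```

Feed it the relevant lines of a `show running-config` and the address the VPN client actually sources from (the pre-NAT address, 192.168.0.200 in this thread). Note the check is about which addresses may manage the box: every `http` line you add widens that set, so the home network line should stay as narrow as the tunnel's own encryption domain.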
Could you post a sanitized config of the ASA? I'm getting quite curious now why it isn't working...
Cross transmission erniebeek... ;-) Problem solved if you look at my latest comment.

Thanks again!
Ok good.

You might wanna get a cup'o'java yourself ;)