Access to internal interface IP over IPSec

Hi Experts!

On my corporate network (192.168.111.0/24) I am running a Cisco ASA 5505 (8.3.1) firewall. I have configured an IPSec tunnel from my home network (192.168.0.0/24) and everything works fine, except one thing:

I can access all the resources on the remote network (192.168.111.0/24) except the internal interface on 192.168.111.1. This means that I cannot configure the ASA through the VPN tunnel which is not a big problem, but would be nice to have solved.

I'm new to the Cisco product so I have probably overlooked something. As I am not familiar with the telnet commands yet, I have configured using the ASDM.

Grateful for any insights on this matter.

Thanks
Lospilotos

1 Solution

Ernie Beek (Expert) commented:
Try the command:
management-access inside
 
lospilotos (Author) commented:
Thanks for pointing me in the probably right direction, but it did not quite work. You are right in the fact that the explanation of the command you gave in the ASDM is exactly that: To enable configuration via a site-to-site tunnel.

I found the Management Access config though, where only the corporate network was added:

dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.111.0 255.255.255.0 inside

I also added the home network to that now so this is its current state:

dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.111.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside

Should perhaps the 192.168.0.0 be on the outside instead?
 
Ernie Beek (Expert) commented:
Nope, not on the outside. This should do the trick.

Perhaps something is blocked. Did you have a look at the ASA's logs to see if anything is being dropped?
 
lospilotos (Author) commented:
Of course, logs are always a good thing:

In this case I try to connect through a browser to the https://192.168.111.1 address, which also works fine when I'm on the internal network, but not through the tunnel. It's a bit messy, but perhaps you can make something out of it. The IP address of my machine on the home network is 192.168.0.200.

I also found Management Access Rules, just like normal ACLs. Do I have to configure those too? They are set to IP deny at the moment.
___________________________________________________
6|Mar 07 2011|14:36:00|302014|192.168.0.200|62638|192.168.111.1|443|Teardown TCP connection 177402 for outside:192.168.0.200/62638 to identity:192.168.111.1/443 duration 0:00:00 bytes 577 TCP Reset-O
6|Mar 07 2011|14:36:00|725007|192.168.0.200|62638|||SSL session with client inside:192.168.0.200/62638 terminated.
6|Mar 07 2011|14:36:00|725002|192.168.0.200|62638|||Device completed SSL handshake with client inside:192.168.0.200/62638
6|Mar 07 2011|14:36:00|725001|192.168.0.200|62638|||Starting SSL handshake with client inside:192.168.0.200/62638 for TLSv1 session.
6|Mar 07 2011|14:36:00|302013|192.168.0.200|62638|192.168.111.1|443|Built inbound TCP connection 177402 for outside:192.168.0.200/62638 (192.168.0.200/62638) to identity:192.168.111.1/443 (192.168.111.1/443)
6|Mar 07 2011|14:36:00|302014|192.168.0.200|62638|192.168.111.1|443|Teardown TCP connection 177401 for outside:192.168.0.200/62638 to identity:192.168.111.1/443 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
6|Mar 07 2011|14:36:00|302013|192.168.0.200|62638|192.168.111.1|443|Built inbound TCP connection 177401 for outside:192.168.0.200/62638 (192.168.0.200/62638) to identity:192.168.111.1/443 (192.168.111.1/443)
6|Mar 07 2011|14:36:00|302014|192.168.0.200|62637|192.168.111.1|443|Teardown TCP connection 177400 for outside:192.168.0.200/62637 to identity:192.168.111.1/443 duration 0:00:00 bytes 577 TCP Reset-O
6|Mar 07 2011|14:36:00|725007|192.168.0.200|62637|||SSL session with client inside:192.168.0.200/62637 terminated.
6|Mar 07 2011|14:36:00|725002|192.168.0.200|62637|||Device completed SSL handshake with client inside:192.168.0.200/62637
6|Mar 07 2011|14:36:00|725001|192.168.0.200|62637|||Starting SSL handshake with client inside:192.168.0.200/62637 for TLSv1 session.
6|Mar 07 2011|14:36:00|302013|192.168.0.200|62637|192.168.111.1|443|Built inbound TCP connection 177400 for outside:192.168.0.200/62637 (192.168.0.200/62637) to identity:192.168.111.1/443 (192.168.111.1/443)
6|Mar 07 2011|14:36:00|302014|192.168.0.200|62637|192.168.111.1|443|Teardown TCP connection 177399 for outside:192.168.0.200/62637 to identity:192.168.111.1/443 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
6|Mar 07 2011|14:36:00|302013|192.168.0.200|62637|192.168.111.1|443|Built inbound TCP connection 177399 for outside:192.168.0.200/62637 (192.168.0.200/62637) to identity:192.168.111.1/443 (192.168.111.1/443)
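An added example, not part of the thread: a small Python parser for the pipe-delimited ASDM log export format shown above (severity|date|time|message-id|src|sport|dst|dport|text). It pairs the 302013 "Built" and 302014 "Teardown" messages by connection ID, so each attempt shows which interface it arrived on, where it terminated (an `identity` destination is the ASA's own interface address, i.e. the box itself) and the teardown reason the ASA logged. The sample lines are the posted entries for source port 62637, kept in the export's newest-first order; the grouping does not depend on line order and nothing is interpreted beyond the fields the messages carry.

```python
import re
from collections import OrderedDict

# Sample in the ASDM log viewer export shape seen in the thread, newest first.
# These are the posted lines for client source port 62637 (copied, not invented).
SAMPLE_LOG = """\
6|Mar 07 2011|14:36:00|302014|192.168.0.200|62637|192.168.111.1|443|Teardown TCP connection 177400 for outside:192.168.0.200/62637 to identity:192.168.111.1/443 duration 0:00:00 bytes 577 TCP Reset-O
6|Mar 07 2011|14:36:00|725007|192.168.0.200|62637|||SSL session with client inside:192.168.0.200/62637 terminated.
6|Mar 07 2011|14:36:00|725001|192.168.0.200|62637|||Starting SSL handshake with client inside:192.168.0.200/62637 for TLSv1 session.
6|Mar 07 2011|14:36:00|302013|192.168.0.200|62637|192.168.111.1|443|Built inbound TCP connection 177400 for outside:192.168.0.200/62637 (192.168.0.200/62637) to identity:192.168.111.1/443 (192.168.111.1/443)
6|Mar 07 2011|14:36:00|302014|192.168.0.200|62637|192.168.111.1|443|Teardown TCP connection 177399 for outside:192.168.0.200/62637 to identity:192.168.111.1/443 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
6|Mar 07 2011|14:36:00|302013|192.168.0.200|62637|192.168.111.1|443|Built inbound TCP connection 177399 for outside:192.168.0.200/62637 (192.168.0.200/62637) to identity:192.168.111.1/443 (192.168.111.1/443)
"""

# 302013: Built <dir> TCP connection <id> for <if>:<ip/port> (<mapped>) to <if>:<ip/port> (<mapped>)
BUILT_RE = re.compile(
    r"Built (?P<dir>inbound|outbound) TCP connection (?P<id>\d+) for "
    r"(?P<src_if>\w+):(?P<src>\S+) \(\S+\) to (?P<dst_if>\w+):(?P<dst>\S+) \(\S+\)"
)
# 302014: Teardown TCP connection <id> for <if>:<ip/port> to <if>:<ip/port> duration <d> bytes <n> <reason>
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (?P<id>\d+) for \w+:\S+ to \w+:\S+ "
    r"duration (?P<duration>\S+) bytes (?P<bytes>\d+) (?P<reason>.+?)\s*$"
)
FIELDS = ("severity", "date", "time", "msg_id", "src", "sport", "dst", "dport", "text")


def parse_export_line(line):
    """Split one export line into its nine fields; return None for anything else."""
    parts = line.rstrip("\n").split("|", 8)   # the free text may itself contain '|'
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def summarise_connections(log_text):
    """Pair Built (302013) and Teardown (302014) records by connection ID.

    Returns conn_id -> {direction, src_if, src, dst_if, dst, duration, bytes, reason}.
    A teardown with no matching Built line still produces an entry, so nothing is lost.
    """
    conns = OrderedDict()
    for line in log_text.splitlines():
        rec = parse_export_line(line)
        if rec is None:
            continue
        if rec["msg_id"] == "302013":
            m = BUILT_RE.search(rec["text"])
            if m:
                conns.setdefault(m["id"], {}).update(
                    direction=m["dir"], src_if=m["src_if"], src=m["src"],
                    dst_if=m["dst_if"], dst=m["dst"])
        elif rec["msg_id"] == "302014":
            m = TEARDOWN_RE.search(rec["text"])
            if m:
                conns.setdefault(m["id"], {}).update(
                    duration=m["duration"], bytes=int(m["bytes"]), reason=m["reason"])
    return conns


def connections_to_asa(log_text):
    """IDs of connections whose destination is the ASA itself ('identity' pseudo-interface)."""
    return [cid for cid, c in summarise_connections(log_text).items()
            if c.get("dst_if") == "identity"]


if __name__ == "__main__":
    for cid, c in summarise_connections(SAMPLE_LOG).items():
        print(f"{cid}: {c.get('src_if')}:{c.get('src')} -> {c.get('dst_if')}:{c.get('dst')} "
              f"bytes={c.get('bytes')} reason={c.get('reason')!r}")
```

Run against a larger export, the summary makes the pattern in the thread easy to see at a glance: every attempt is accepted on `outside`, reaches the ASA's own address on `identity`, completes the TLS handshake and is then torn down by the ASA rather than dropped by an ACL, which is why the interface ACLs were not the place to look.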
 
Ernie Beek (Expert) commented:
Darn, too little coffee.....

You were right, it should be:

management-access inside

http server enable
http 192.168.111.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 outside

Because the VPN client's IP terminates on the outside interface...

[off to the coffee machine now]
 
lospilotos (Author) commented:
Still the same problem... Let me know if you come up with something after that well deserved cup of java.. ;-)
 
lospilotos (Author) commented:
Just another piece of info: I can ping the IP-number of the internal interface, but cannot access it using ASDM or HTTPS...
 
lospilotos (Author) commented:
It should be on the inside, but I got the whole network mask wrong. So in conclusion, this is the current, working config:

management-access inside

http server enable
http 192.168.111.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside

Thanks!
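Since the fix turned out to be a wrong mask on the `http` line, here is an added Python check, not from the thread or from Cisco, that parses `http <address> <mask> <interface>` lines out of a saved ASA config and reports whether a given admin address arriving over the VPN would be permitted to reach ASDM/HTTPS on the named interface. The two config strings are constructed for the example; the `255.255.255.255` mask is an illustrative mistake of the kind the final post describes, not the poster's actual typo.

```python
import ipaddress
import re

# Constructed sample, not the poster's config. The last http line carries a
# host mask where the /24 network mask was intended, so 192.168.0.200 is not covered.
BROKEN_CONFIG = """\
management-access inside
http server enable
http 192.168.111.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.255 inside
"""

# The same config with the mask corrected, matching the working config in the thread.
FIXED_CONFIG = BROKEN_CONFIG.replace("255.255.255.255", "255.255.255.0")

HTTP_RULE_RE = re.compile(
    r"^http\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mask>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<iface>\S+)$"
)


def parse_http_rules(config_text):
    """Return [(network, interface)] from 'http <ip> <mask> <interface>' lines."""
    rules = []
    for raw in config_text.splitlines():
        m = HTTP_RULE_RE.match(raw.strip())
        if not m:               # 'http server enable' and unrelated lines land here
            continue
        # strict=False: 'http 192.168.0.1 255.255.255.0 inside' is read as 192.168.0.0/24,
        # which is how the ASA treats host bits under the mask
        net = ipaddress.ip_network(f"{m['ip']}/{m['mask']}", strict=False)
        rules.append((net, m["iface"]))
    return rules


def has_management_access(config_text, iface):
    """True if 'management-access <iface>' is present (needed to reach that interface over a tunnel)."""
    return any(line.strip() == f"management-access {iface}"
               for line in config_text.splitlines())


def http_server_enabled(config_text):
    return any(line.strip() == "http server enable" for line in config_text.splitlines())


def http_allowed(config_text, client_ip, iface):
    """True if client_ip is inside some http rule bound to iface."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net and rule_if == iface
               for net, rule_if in parse_http_rules(config_text))


def diagnose(config_text, client_ip, iface):
    """List why an admin at client_ip cannot manage the ASA via iface; empty list means no finding."""
    problems = []
    if not http_server_enabled(config_text):
        problems.append("'http server enable' is missing")
    if not has_management_access(config_text, iface):
        problems.append(f"'management-access {iface}' is missing")
    if not http_allowed(config_text, client_ip, iface):
        on_iface = [str(net) for net, rule_if in parse_http_rules(config_text) if rule_if == iface]
        problems.append(
            f"no http rule on {iface} covers {client_ip} "
            f"(rules on {iface}: {', '.join(on_iface) or 'none'})")
    return problems


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, diagnose(cfg, "192.168.0.200", "inside") or ["ok"])
```

On the broken config the diagnosis is a single line naming the rule that exists (`192.168.0.0/32`) next to the address it fails to cover, which is exactly the mismatch that is easy to miss when the mask is typed into ASDM. Two caveats that the check does not cover but a practitioner should keep in mind: the interface named in the `http` line is the one whose address you connect to (here `inside`, as the thread concluded), not the interface the tunnel lands on, and the address must be the client's real pre-NAT address as seen inside the tunnel.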
 
Ernie Beek (Expert) commented:
Could you post a sanitized config of the ASA? I'm getting quite curious now why it isn't working...
 
lospilotos (Author) commented:
Cross transmission erniebeek... ;-) Problem solved if you look at my latest comment.

Thanks again!
 
Ernie Beek (Expert) commented:
Ok good.

You might wanna get a cup'o'java yourself ;)