Solved

Access to internal interface IP over IPSec

Posted on 2011-03-07
Last Modified: 2012-06-21
Hi Experts!

On my corporate network (192.168.111.0/24) I am running a Cisco ASA 5505 (8.3.1) firewall. I have configured an IPSec tunnel from my home network (192.168.0.0/24) and everything works fine, except one thing:

I can access all the resources on the remote network (192.168.111.0/24) except the internal interface on 192.168.111.1. This means that I cannot configure the ASA through the VPN tunnel which is not a big problem, but would be nice to have solved.

I'm new to the Cisco product so I have probably overlooked something. As I am not familiar with the telnet commands yet, I have configured it using the ASDM.

Grateful for any insights on this matter.

Thanks
Lospilotos
11 Comments
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35055849
Try the command:
management-access inside
0
 

Author Comment

by:lospilotos
ID: 35056141
Thanks for pointing me in the probably right direction, but it did not quite work. You are right in the fact that the explanation of the command you gave in the ASDM is exactly that: to enable configuration via a site-to-site tunnel.

I found the Management Access config though, where only the corporate network was added:

dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.111.0 255.255.255.0 inside

I also added the home network to that now so this is its current state:

dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.111.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside

Should perhaps the 192.168.0.0 be on the outside instead?
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35056263
Nope, not on the outside. This should do the trick.

Perhaps something is blocked. Did you have a look at the ASA's logs to see if anything is being dropped?
0
 

Author Comment

by:lospilotos
ID: 35056459
Of course, logs are always a good thing:

In this case I try to connect through a browser to the https://192.168.111.1 address, which also works fine when I'm on the internal network, but not through the tunnel. It's a bit messy, but perhaps you can make something out of it. The IP address of my machine on the home network is 192.168.0.200

I also found Management Access Rules, just like normal ACLs. Do I have to configure those too? They are set to IP deny at the moment.
___________________________________________________
6|Mar 07 2011|14:36:00|302014|192.168.0.200|62638|192.168.111.1|443|Teardown TCP connection 177402 for outside:192.168.0.200/62638 to identity:192.168.111.1/443 duration 0:00:00 bytes 577 TCP Reset-O
6|Mar 07 2011|14:36:00|725007|192.168.0.200|62638|||SSL session with client inside:192.168.0.200/62638 terminated.
6|Mar 07 2011|14:36:00|725002|192.168.0.200|62638|||Device completed SSL handshake with client inside:192.168.0.200/62638
6|Mar 07 2011|14:36:00|725001|192.168.0.200|62638|||Starting SSL handshake with client inside:192.168.0.200/62638 for TLSv1 session.
6|Mar 07 2011|14:36:00|302013|192.168.0.200|62638|192.168.111.1|443|Built inbound TCP connection 177402 for outside:192.168.0.200/62638 (192.168.0.200/62638) to identity:192.168.111.1/443 (192.168.111.1/443)
6|Mar 07 2011|14:36:00|302014|192.168.0.200|62638|192.168.111.1|443|Teardown TCP connection 177401 for outside:192.168.0.200/62638 to identity:192.168.111.1/443 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
6|Mar 07 2011|14:36:00|302013|192.168.0.200|62638|192.168.111.1|443|Built inbound TCP connection 177401 for outside:192.168.0.200/62638 (192.168.0.200/62638) to identity:192.168.111.1/443 (192.168.111.1/443)
6|Mar 07 2011|14:36:00|302014|192.168.0.200|62637|192.168.111.1|443|Teardown TCP connection 177400 for outside:192.168.0.200/62637 to identity:192.168.111.1/443 duration 0:00:00 bytes 577 TCP Reset-O
6|Mar 07 2011|14:36:00|725007|192.168.0.200|62637|||SSL session with client inside:192.168.0.200/62637 terminated.
6|Mar 07 2011|14:36:00|725002|192.168.0.200|62637|||Device completed SSL handshake with client inside:192.168.0.200/62637
6|Mar 07 2011|14:36:00|725001|192.168.0.200|62637|||Starting SSL handshake with client inside:192.168.0.200/62637 for TLSv1 session.
6|Mar 07 2011|14:36:00|302013|192.168.0.200|62637|192.168.111.1|443|Built inbound TCP connection 177400 for outside:192.168.0.200/62637 (192.168.0.200/62637) to identity:192.168.111.1/443 (192.168.111.1/443)
6|Mar 07 2011|14:36:00|302014|192.168.0.200|62637|192.168.111.1|443|Teardown TCP connection 177399 for outside:192.168.0.200/62637 to identity:192.168.111.1/443 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
6|Mar 07 2011|14:36:00|302013|192.168.0.200|62637|192.168.111.1|443|Built inbound TCP connection 177399 for outside:192.168.0.200/62637 (192.168.0.200/62637) to identity:192.168.111.1/443 (192.168.111.1/443)
0
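The log above is the pipe-separated ASDM export (severity|date|time|message id|src ip|src port|dst ip|dst port|text). The lines worth reading are the 302013 "Built" and 302014 "Teardown" pairs: the destination is the "identity" pseudo-interface, i.e. the ASA itself, and each connection is torn down after 0 seconds with "TCP Reset-O" or "Flow terminated by TCP Intercept", which is the management plane accepting and then dropping the session rather than an ACL silently discarding it. The following is an added example, not code from the thread or from Cisco, that correlates those pairs by connection id and lists the to-the-box sessions that ended abnormally; the sample lines are constructed to match the format posted above.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the ASDM log export posted in the thread
# (newest line first, as ASDM shows it).
SAMPLE_LOG = """\
6|Mar 07 2011|14:36:00|302014|192.168.0.200|62638|192.168.111.1|443|Teardown TCP connection 177402 for outside:192.168.0.200/62638 to identity:192.168.111.1/443 duration 0:00:00 bytes 577 TCP Reset-O
6|Mar 07 2011|14:36:00|302013|192.168.0.200|62638|192.168.111.1|443|Built inbound TCP connection 177402 for outside:192.168.0.200/62638 (192.168.0.200/62638) to identity:192.168.111.1/443 (192.168.111.1/443)
6|Mar 07 2011|14:36:00|302014|192.168.0.200|62638|192.168.111.1|443|Teardown TCP connection 177401 for outside:192.168.0.200/62638 to identity:192.168.111.1/443 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept
6|Mar 07 2011|14:36:00|302013|192.168.0.200|62638|192.168.111.1|443|Built inbound TCP connection 177401 for outside:192.168.0.200/62638 (192.168.0.200/62638) to identity:192.168.111.1/443 (192.168.111.1/443)
"""

# 302013: "Built inbound TCP connection <id> for <if>:<ip>/<port> (...) to <if>:<ip>/<port> (...)"
BUILT_RE = re.compile(
    r"Built inbound TCP connection (\d+) for (\w+):([\d.]+)/(\d+) \S+ to (\w+):([\d.]+)/(\d+)")
# 302014: "Teardown TCP connection <id> ... duration <h:m:s> bytes <n> [<reason>]"
TEARDOWN_RE = re.compile(
    r"Teardown TCP connection (\d+) .* duration (\S+) bytes (\d+)(?: (.*))?$")

def parse_asdm_log(text):
    """Merge Built (302013) and Teardown (302014) records by connection id.
    Works regardless of line order, since ASDM lists newest first."""
    conns = defaultdict(dict)
    for line in text.splitlines():
        fields = line.split("|", 8)
        if len(fields) != 9:
            continue  # not a well-formed export line
        msg_id, body = fields[3], fields[8]
        if msg_id == "302013" and (m := BUILT_RE.search(body)):
            conns[m.group(1)].update(
                src_if=m.group(2), src=f"{m.group(3)}:{m.group(4)}",
                dst_if=m.group(5), dst=f"{m.group(6)}:{m.group(7)}")
        elif msg_id == "302014" and (m := TEARDOWN_RE.search(body)):
            conns[m.group(1)].update(
                duration=m.group(2), bytes=int(m.group(3)),
                reason=(m.group(4) or "").strip())
    return dict(conns)

def to_box_failures(conns):
    """Connection ids aimed at the ASA itself ('identity') that were reset or
    killed by TCP Intercept: the pattern behind the symptom in this thread."""
    return sorted(cid for cid, c in conns.items()
                  if c.get("dst_if") == "identity"
                  and ("Reset" in c.get("reason", "") or "Intercept" in c.get("reason", "")))
```

Running the same parser over a full export also shows which source interface the ASA attributes the client to; here the sessions arrive on "outside" while the 725001/725002 SSL lines name "inside", which is the management-access inside behaviour at work.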
 
LVL 35

Accepted Solution

by:
Ernie Beek earned 125 total points
ID: 35056489
Darn, too little coffee.....

You were right, it should be:

management-access inside

http server enable
http 192.168.111.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 outside

Because the vpn client's ip terminates on the outside interface...........

[off to the coffee machine now]
0
 

Author Comment

by:lospilotos
ID: 35056644
Still the same problem... Let me know if you come up with something after that well deserved cup of java.. ;-)
0
 

Author Comment

by:lospilotos
ID: 35056654
Just another piece of info: I can ping the IP-number of the internal interface, but cannot access it using ASDM or HTTPS...
0
 

Author Closing Comment

by:lospilotos
ID: 35056835
It should be on the inside, but I got the whole network mask wrong. So in conclusion, this is the current, working config:

management-access inside

http server enable
http 192.168.111.0 255.255.255.0 inside
http 192.168.0.0 255.255.255.0 inside

Thanks!
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35056838
Could you post a sanitized config of the ASA? I'm getting quite curious now why it isn't working...
0
 

Author Comment

by:lospilotos
ID: 35056849
Cross transmission erniebeek... ;-) Problem solved if you look at my latest comment.

Thanks again!
0
 
LVL 35

Expert Comment

by:Ernie Beek
ID: 35056853
Ok good.

You might wanna get a cup'o'java yourself ;)
0