issues with tftp from ASA via vpn tunnel

I have an issue when trying to tftp configs from a remote ASA that I have. I have an IPsec tunnel from an ASA locally to the ASA remotely.

I know that the issue is the routing. The network that I am trying to reach has to go through the vpn tunnel. However when coming from the ASA itself, it tries to route it to the outside network.

How do I set up the routing so that the ASA knows to send the traffic originating from itself through the VPN? The rest of the network works fine and can reach the subnet that the ASA can't.
Asked by: ryan80
1 Solution
 
Jimmy Larsson, CISSP, CEH (Network and Security consultant) commented:
Your problem is probably not routing. I guess that you have a default route pointing towards your ISP and without any more specific routes configured your traffic from ASA to the remote network is following the default route. At least, that is the case in 99% of the cases with vpn-tunnels.

The problem is that, as far as I know, you cannot get traffic sourced from the ASA itself to go into the vpn-tunnel. I currently have a case with a customer who wants to do something similar (they want to use a remote radius server to authenticate vpn clients, and reach the radius server over L2L vpn) and so far I haven't succeeded.

I would be more than happy if someone else here shows me/you if this is doable. I will stay tuned. ;)

Best regards
Kvistofta
ryan80 (Author) commented:
Yes, that is the exact case that I have. I know it is the default route that is taking the traffic outside. But I just don't know how to get the traffic to go through the VPN tunnel. I have tried creating a route to route to itself on the inside, the IPsec peer, the other side's internal IP, a few other things, but that does not work either.

I just don't know how to get it to work.
Jimmy Larsson, CISSP, CEH (Network and Security consultant) commented:
Me neither. But I can tell you that it has nothing to do with routing. You have your default route, that is enough. The problem is with the definition of vpn-traffic in the crypto map. And I am not sure if you can do it the way you want.

I might be able to try it out in my home lab next week. Let me get back about that...

/Kvistofta
ryan80 (Author) commented:
I don't know if this helps, but if I run an extended ping and define the interface as inside, I can ping fine.

I have also done the same thing with tftp, where I define the TFTP server on the inside interface, and then it will work.

ryan80 (Author) commented:
Ok, so I spoke with Cisco and found that this is the intended operation. When originating from the ASA you need to define what interface the traffic should be originating from.

However, for me there is a way around this. I am using Spiceworks to back up configs and was having issues with the TFTP backup.

What you can do is predefine the TFTP server's IP address and interface. Then when Spiceworks gives the IP address of the TFTP server, it will automatically use the correct interface.

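The workaround from the last post, written out as an added example of the ASA configuration it implies (this is not configuration from the thread; the addresses, interface names and path are constructed placeholders):

```text
! Constructed example: remote-site ASA, inside interface 10.20.0.1/24,
! TFTP/backup server 10.10.0.50 at the hub site, reached over the L2L tunnel.

! 1. The crypto ACL (interesting traffic) must cover the ASA's own inside
!    address. If it does not, ASA-sourced packets never match the tunnel and
!    simply follow the default route to the ISP. The hub ASA needs the
!    mirror-image entry.
access-list VPN-TRAFFIC extended permit ip 10.20.0.0 255.255.255.0 10.10.0.0 255.255.255.0

! 2. Predefine the TFTP server together with the interface to source from.
!    This is what makes a later "copy ... tftp:" pick the inside address.
tftp-server inside 10.10.0.50 /asa-backups/

! 3. Self-originated transfers now use the inside interface as their source
!    and take the server and path defaults from the tftp-server line.
copy running-config tftp:
write net

! Check from the CLI: source the test traffic from inside explicitly.
ping inside 10.10.0.50
```

After a backup, the encaps/decaps counters in `show crypto ipsec sa` for the hub peer should increase; if they do not, the ASA's inside address is not covered by the crypto ACL on one of the two peers.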