issues with tftp from ASA via vpn tunnel

I have an issue when trying to tftp configs from a remote ASA that I have. I have an IPSEC tunnel from an ASA locally to the ASA remotely.

I know that the issue is the routing. The network that I am trying to reach has to go through the VPN tunnel. However, when coming from the ASA itself, it tries to route it to the outside network.

How do I set up the routing so that the ASA knows to send the traffic originating from itself through the VPN? The rest of the network works fine and can reach the subnet that the ASA can't.

Jimmy Larsson, CISSP, CEH, Network and Security consultant Commented:
Your problem is probably not routing. I guess that you have a default route pointing towards your ISP and without any more specific routes configured your traffic from ASA to the remote network is following the default route. At least, that is the case in 99% of the cases with vpn-tunnels.

The problem is that, as far as I know, you cannot get traffic sourced from the ASA itself to go into the vpn-tunnel. I currently have a case with a customer who wants to do something similar (they want to use a remote radius server to authenticate vpn clients, and reach the radius server over L2L vpn) and so far I haven't succeeded.

I would be more than happy if someone else here shows me/you if this is doable. I will stay tuned. ;)

Best regards
ryan80 Author Commented:
Yes, that is the exact case that I have. I know it is the default route that is taking the traffic outside. But I just don't know how to get the traffic to go through the VPN tunnel. I have tried creating a route to route to itself on the inside, the ipsec peer, the other side internal IP, a few other things, but that does not work either.

I just don't know how to get it to work.
Jimmy Larsson, CISSP, CEH, Network and Security consultant Commented:
Me neither. But I can tell you that it has nothing to do with routing. You have your default route, that is enough. The problem is with the definition of vpn-traffic in the crypto map. And I am not sure if you can do it the way you want.

I might be able to try it out in my home lab next week. Let me get back about that...


ryan80 Author Commented:
I don't know if this helps, but if I run an extended ping, and define the interface as inside, I can ping fine.

I have also done the same thing with tftp, where I define the tftp server on the inside interface and then it will work.

ryan80 Author Commented:
OK, so I spoke with Cisco and found that this is the intended operation. When originating from the ASA you need to define what interface the traffic should be originating from.

However, for me there is a way around this. I am using Spiceworks to back up configs and was having issues with the tftp backup.

What you can do is predefine the tftp server's IP address and interface. Then when Spiceworks gives the IP address of the tftp server, it will automatically use the correct interface.
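
The workaround from the last post, written out as ASA CLI. This is an added example, not part of the original thread; the server address 192.0.2.10 and the file name are constructed placeholders, and it assumes the tunnel's interesting-traffic ACL already covers the ASA's inside interface address.

```cisco
! Constructed values: 192.0.2.10 stands in for the TFTP server behind the tunnel,
! /asa-backup.cfg is a placeholder file name.

! Same test as the extended ping in the thread: name the source interface
! so the packet is sourced from the inside address instead of the outside one.
ping inside 192.0.2.10

! Predefine the TFTP server together with the interface to source from.
configure terminal
 tftp-server inside 192.0.2.10 /asa-backup.cfg
 end

! Confirm the default server and interface were stored.
show running-config tftp-server

! With the defaults above in place, the copy uses the inside interface,
! so the transfer matches the VPN instead of leaving unencrypted via outside.
copy running-config tftp:
```

Because TFTP is unauthenticated and sends the configuration in cleartext, confirm the transfer actually enters the tunnel (for example with `show crypto ipsec sa` counters) before relying on it for scheduled backups.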
