4796 views · 10 helpful · 6 replies

Cisco ASA: after IPsec is established, the remote peer cannot reach the ASA inside interface

Cheven (Spotlight)
The two sites are connected over an IPsec VPN and the VPN status is normal. Site A can reach site B's internal subnet without problems, but it cannot reach the inside interface of site B's Cisco ASA. The device can only be managed through the public-facing interface, which is inconvenient and not very secure. Where on the ASA5525 can this be configured?
1 accepted solution

Accepted solution

xiaocqu (Spotlight)
This post was last edited by xiaocqu on 2019-3-5 22:07.
The reply in #1 has it right.

Configure Management Access Over a VPN Tunnel

If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you must identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface.
VPN access to an interface other than the one from which you entered the ASA is not supported. For example, if your VPN access is located on the outside interface, you can only initiate a connection directly to the outside interface. You should enable VPN on the directly-accessible interface of the ASA and use name resolution so that you don’t have to remember multiple addresses.
Management access is available via the following VPN tunnel types: IPsec clients, IPsec Site-to-Site, Easy VPN, and the AnyConnect SSL VPN client.

Before you begin

Due to routing considerations with the separate management and data routing tables, the VPN termination interface and the management access interface need to be the same type: both need to be management-only interfaces or regular data interfaces.

Procedure

Specify the name of the management interface that you want to access when entering the ASA from another interface.
management-access management_interface
For Easy VPN and Site-to-Site tunnels, you can specify a named BVI (in routed mode).

Example:
ciscoasa(config)# management-access inside


Reference link:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/configuration/general/asa-910-general-config/admin-management.html?bookSearch=true#ID-2111-000002c3


6 replies

yanglei (Level 1)
By default the peer network is not allowed to access the inside interface; it has to be configured manually. I recall it is something like management-access inside.

18653465190 (Spotlight)
Following along to learn as well.

liu_zhimin (Spotlight)
Please check whether the device is missing the following configuration:
http x.x.x.x x.x.x.x inside
ssh x.x.x.x x.x.x.x inside
where x.x.x.x is the IP address and mask.
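The accepted answer gives the management-access command and liu_zhimin's reply gives the ssh/http check; the script below ties both together as an offline sanity check over a running-config. It is an added example, not code from the thread or from Cisco: it parses a constructed ASA configuration fragment (interface names, addresses, the ACL name VPN-B-TO-A and the crypto map name OUTSIDE_MAP are all made up) and reports whether (1) management-access names the inside interface, (2) ssh and http lines permit the remote subnet on that interface, and (3) the crypto-map ACL covers traffic between the inside interface address and the remote subnet. The third check rests on an assumption not stated in the thread: packets to and from the inside interface IP must match the interesting-traffic ACL, otherwise the replies leave the ASA unencrypted and the session never completes.

```python
"""Offline check for Cisco ASA management access over a site-to-site VPN.

Added example (not from the thread or from Cisco). All names and addresses
in SAMPLE_CONFIG are constructed for illustration.
"""
import ipaddress
import re

# Constructed running-config fragment for "site B" (hypothetical device).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.20.1 255.255.255.0
!
access-list VPN-B-TO-A extended permit ip 192.168.20.0 255.255.255.0 192.168.10.0 255.255.255.0
crypto map OUTSIDE_MAP 10 match address VPN-B-TO-A
crypto map OUTSIDE_MAP 10 set peer 203.0.113.10
ssh 192.168.10.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 inside
management-access inside
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"


def _net(addr, mask):
    """Build a network from ASA 'address netmask' notation."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def interface_address(config, nameif):
    """Return the ip_interface configured under the interface named `nameif`."""
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = None  # new interface block
        elif line.startswith(" nameif "):
            current = line.split()[1]
        elif line.startswith(" ip address ") and current == nameif:
            _, _, addr, mask = line.split()[:4]
            return ipaddress.ip_interface(f"{addr}/{mask}")
    return None


def check_mgmt_over_vpn(config, mgmt_if, remote_net):
    """Return {check_name: passed} for reaching `mgmt_if` from `remote_net`."""
    remote = ipaddress.ip_network(remote_net)
    inside_ip = interface_address(config, mgmt_if)
    results = {}

    # 1. management-access must name the interface we want to reach (accepted answer).
    results["management_access"] = f"management-access {mgmt_if}" in config.splitlines()

    # 2. ssh/http lines on that interface must cover the remote subnet (liu_zhimin's check).
    for proto in ("ssh", "http"):
        pattern = re.compile(rf"^{proto} {IPV4} {IPV4} (\S+)$", re.M)
        results[proto] = any(
            ifname == mgmt_if and remote.subnet_of(_net(a, m))
            for a, m, ifname in pattern.findall(config)
        )

    # 3. Assumption: the crypto-map ACL must match inside-IP <-> remote-subnet traffic.
    acl_names = re.findall(r"^crypto map \S+ \d+ match address (\S+)$", config, re.M)
    acl_re = re.compile(rf"^access-list (\S+) extended permit ip {IPV4} {IPV4} {IPV4} {IPV4}$", re.M)
    results["crypto_acl"] = inside_ip is not None and any(
        name in acl_names
        and inside_ip.ip in _net(src, sm)
        and remote.subnet_of(_net(dst, dm))
        for name, src, sm, dst, dm in acl_re.findall(config)
    )
    return results


def missing_settings(config, mgmt_if, remote_net):
    """List the checks that failed, in the order they are evaluated."""
    return [k for k, ok in check_mgmt_over_vpn(config, mgmt_if, remote_net).items() if not ok]


if __name__ == "__main__":
    for name, ok in check_mgmt_over_vpn(SAMPLE_CONFIG, "inside", "192.168.10.0/24").items():
        print(f"{name:18} {'OK' if ok else 'MISSING'}")
```

Feed it `show running-config` output from the site-B ASA together with the inside interface name and the site-A subnet; an empty list from missing_settings means all three prerequisites are present, while a failed crypto_acl entry points at the interesting-traffic ACL rather than at management settings.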

song zhang (Level 1)
management-access + the inside interface :P

fortune (VIP Alumni)
Could it be that you have not granted SSH/web management permission on the inside interface?