
Cisco ASA: after the IPsec tunnel is established, the peer cannot access the ASA inside interface

Posted on 2019-3-4 10:29:27
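The two sites are connected via an IPsec VPN and the VPN status is normal. Site A can access site B's internal network segments normally, but it just cannot access the inside interface of site B's Cisco ASA. The device can only be managed through the public interface, which is inconvenient and not very secure. Is there somewhere on the ASA5525 where this can be configured?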

Best answer

Posted on 2019-3-4 10:29:28
Last edited by xiaocqu on 2019-3-5 22:07

The reply on floor 1 is correct.

Configure Management Access Over a VPN Tunnel

If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you must identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface.
VPN access to an interface other than the one from which you entered the ASA is not supported. For example, if your VPN access is located on the outside interface, you can only initiate a connection directly to the outside interface. You should enable VPN on the directly-accessible interface of the ASA and use name resolution so that you don’t have to remember multiple addresses.
Management access is available via the following VPN tunnel types: IPsec clients, IPsec Site-to-Site, Easy VPN, and the AnyConnect SSL VPN client.

Before you begin

Due to routing considerations with the separate management and data routing tables, the VPN termination interface and the management access interface need to be the same type: both need to be management-only interfaces or regular data interfaces.

Procedure


Specify the name of the management interface that you want to access when entering the ASA from another interface.
management-access management_interface
For Easy VPN and Site-to-Site tunnels, you can specify a named BVI (in routed mode).

Example:
ciscoasa(config)# management-access inside


Reference link:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa910/configuration/general/asa-910-general-config/admin-management.html?bookSearch=true#ID-2111-000002c3

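Posted on 2019-3-4 14:02:11
By default the peer network is not allowed to access the inside interface; this has to be configured manually. If I remember correctly, it is management-access inside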
Posted on 2019-3-4 14:09:48
Following along to learn.
Posted on 2019-3-5 19:40:19
Please check whether the device is missing the following configuration:
http x.x.x.x x.x.x.x inside
ssh x.x.x.x x.x.x.x inside

x.x.x.x is the IP address and mask
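
An added example, not part of any reply in this thread: a small Python check that reads a saved running-config and reports which of the settings named in the replies above (management-access, plus ssh/http permits for the remote VPN subnet on that interface) are missing. The sample config, its addresses and the function name audit_mgmt_over_vpn are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample excerpt of an ASA running-config (not from the thread).
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 ip address 192.168.20.1 255.255.255.0
ssh timeout 5
http 192.168.20.0 255.255.255.0 inside
ssh 192.168.20.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 inside
management-access inside
"""

IP = r"(\d+\.\d+\.\d+\.\d+)"


def audit_mgmt_over_vpn(config, remote_subnet, ifname="inside"):
    """Return findings that would block managing `ifname` from `remote_subnet`
    across the tunnel; an empty list means all checked settings are present."""
    remote = ipaddress.ip_network(remote_subnet)
    findings = []

    # Check 1: 'management-access <ifname>' must name the interface to reach.
    mgmt = re.search(r"^management-access\s+(\S+)", config, re.M)
    if mgmt is None:
        findings.append("no management-access interface configured")
    elif mgmt.group(1) != ifname:
        findings.append(f"management-access is {mgmt.group(1)}, not {ifname}")

    # Check 2: 'ssh|http <ip> <mask> <ifname>' must cover the remote subnet.
    for proto in ("ssh", "http"):
        pattern = rf"^{proto}\s+{IP}\s+{IP}\s+(\S+)\s*$"
        allowed = False
        for m in re.finditer(pattern, config, re.M):
            permitted = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            if m.group(3) == ifname and remote.subnet_of(permitted):
                allowed = True
        if not allowed:
            findings.append(f"{proto}: {remote} not permitted on {ifname}")
    return findings


if __name__ == "__main__":
    # 192.168.10.0/24 stands in for the remote site's subnet (constructed).
    for finding in audit_mgmt_over_vpn(SAMPLE_CONFIG, "192.168.10.0/24"):
        print(finding)
```
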
Posted on 2019-3-6 14:45:31
management-access + the internal-network interface
Posted on 2019-3-6 23:48:28
Maybe your inside interface doesn't have SSH / web management access configured?