If you need to TFTP new software (or any other file, for that matter) onto an ASA from a TFTP server that is on the other side of a VPN tunnel, you will need to specify the source interface for the TFTP client to use.
The easiest way to do this is to specify it inline with the copy command:
copy tftp://192.168.1.30/ASA/asa842-k8.bin;int=INSIDE-management disk0:/asa842-k8.bin
Here 192.168.1.30 is the IP of the TFTP server, and INSIDE-management should be replaced with whatever interface you want to use as the source.
Do you need to ping the inside interface of an ASA across a VPN tunnel?
Maybe you need to do this for monitoring purposes, or whatever.
Allow access of ICMP to the inside interface:
icmp permit host 192.168.1.10 inside
Monitoring station -> 192.168.1.10
Inside interface -> inside
Cisco ASA 8.3 has introduced major changes in how NAT is configured and operates.
This video is an excellent resource for a basic introduction to NAT on ASA 8.3 software:
Here are some quick notes that I have gathered for my reference. Feel free to post any additional comments and notes you may have to share:
show run objects
(Displays the network and service objects that are in the running config)
show run object id
(Displays a specific object)
show run nat
(Displays the NAT statements in the running config)
show nat
(Displays NAT policies and hit counters)
Use packet-tracer for testing NAT (and other things)
packet-tracer input inside tcp 10.0.0.40 4444 220.127.116.11 80
- Configure Auto-NAT:
object network inside
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
Note: This will configure PAT onto the outside interface for the inside subnet, while at the same time configuring the network object for the inside subnet.
Configure Twice (manual) NAT:
nat (inside,outside) source dynamic inside-net translated-ip destination static cisco-dot-com cisco-dot-com
Note: You must first define the network objects for the source and destination before configuring manual NAT. In this example, the source IP address of the inside host is translated to “translated-ip” only when that host is sending a packet destined to “cisco-dot-com”. cisco-dot-com is entered twice because we are not translating the destination. If we wanted to translate the destination, we would do it here.
Exempt subnets from NAT because of VPN tunnel:
nat (inside,outside) source static inside-net inside-net destination static vpn-subnets vpn-subnets
This statement will catch traffic on the inside trying to go to the outside. Traffic that matches both the source and the destination is handled by this statement, but no translation is made (identity NAT), so it is never PAT'd before entering the tunnel.
- General Notes:
ASA 8.3 has two types of NAT: Auto-NAT and Twice (manual) NAT. You can use Auto-NAT for most NAT/PAT operations, except for ones that need to make a decision based upon the destination address of a packet.
With ASA 8.3, a change called “Real IP” was introduced. Real IP means that NAT translation happens BEFORE an ACL is checked. Therefore ACLs must contain the real IP address of the host that the inbound packet is headed towards. In other words, do not write the ACL to match on the “mapped” IP address. The real IP address is normally a non-routable IP address.
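Putting the notes above together, here is an added example configuration (not from the original notes) showing the ordering they describe: objects are defined first, then the Twice NAT and identity-NAT statements, and the inbound ACL is written against the real inside address rather than the mapped one. The object names, addresses, ACL name and web-server host are assumed for illustration.

```cisco
! Objects must exist before Twice NAT can reference them (assumed addresses)
object network inside-net
 subnet 192.168.1.0 255.255.255.0
object network translated-ip
 host 203.0.113.10
object network cisco-dot-com
 host 198.51.100.20
object network vpn-subnets
 subnet 10.10.0.0 255.255.0.0
!
! Auto-NAT on an inside web server: real 192.168.1.50 -> mapped 203.0.113.50
object network web-server
 host 192.168.1.50
 nat (inside,outside) static 203.0.113.50
!
! Twice NAT: translate inside-net to translated-ip only toward cisco-dot-com
nat (inside,outside) source dynamic inside-net translated-ip destination static cisco-dot-com cisco-dot-com
!
! Identity NAT so traffic bound for the VPN subnets is not translated
nat (inside,outside) source static inside-net inside-net destination static vpn-subnets vpn-subnets
!
! Real IP: the inbound ACL matches the REAL address of the web server
access-list OUTSIDE-IN extended permit tcp any host 192.168.1.50 eq 80
! Wrong on 8.3+ (pre-8.3 habit): matching the mapped address never hits
! access-list OUTSIDE-IN extended permit tcp any host 203.0.113.50 eq 80
access-group OUTSIDE-IN in interface outside
!
! Verify: an inbound flow from an outside host to the mapped address
packet-tracer input outside tcp 198.51.100.99 12345 203.0.113.50 80
```

In the packet-tracer output, the UN-NAT phase should show 203.0.113.50 becoming 192.168.1.50 before the ACCESS-LIST phase reports an allow on OUTSIDE-IN.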
Something strange happened today when I went to SSH into my ASA cluster.
Upon running ssh I got this error message:
ssh_exchange_identification: Connection closed by remote host
I started Google searching for information on this error message and found some people writing that the error could be resolved by making changes on the client. If you view the log on the ASA, however, you will see an error message that states:
Fail to establish SSH session because RSA host key retrieval failed.
This indicates that the problem is not with the client at all. Rather, the problem is on the server end, in this case the ASA: the ASA does not have an RSA host key.
Resolve this issue by running the commands below in the CLI. Remember that you can still run CLI commands from the ASDM: launch the ASDM, click Tools, then Command Line Interface, then Multiple Line.
Commands to run:
conf t
crypto key generate rsa modulus 2048
wr mem
Now you should be able to log in just fine.
See this link for more information on SSH configuration on the ASA: