topic Re: How to manage (ssh/https) a cisco asa fom vpn anyconnect in Network Security

How to manage (ssh/https) a cisco asa fom vpn anyconnect

schnap — Wed, 21 Oct 2020 19:54:09 GMT

Hi,

Try to connect in ssh or https to a cisco asa. We need to manage the firewall by the vpn anyconnect. I'm able to connect to any device in the nertwork but not the firewall.

If I try to connect to the management port via vpn I receive this error:

Through-the-device packet to/from management-only network is denied: tcp src outside:x.x.x.x/51689(LOCAL\admin) dst management:x.x.x.x/22

I try to configure an other port for management with management-access mgmt2 and enable ssh and https on this port this is routed to a switch. So I connect to the firewall in vpn then passed throught the device and come back to the firewall. But id didn't work ....

I receive these error... (check all the firewall rule and nating and everything seems ok)

Routing failed to locate next hop for TCP from outside:x.x.x.x/51709 to mgmt2:x.x.x.x/8443

Built inbound TCP connection 33917206 for outside:x.x.x.x/51711 (x.x.x.x/51711)(LOCAL\admin) to mgmt2:x.x.x.x/8443 (x.x.x.x/8443) (admin)

Teardown TCP connection 33917206 for outside:x.x.x.x/51711(LOCAL\admin) to mgmt2:x.x.x.x/8443 duration 0:00:15 bytes 0 No valid adjacency (admin)

Thanks,

Re: How to manage (ssh/https) a cisco asa fom vpn anyconnect

Rob Ingram — Wed, 21 Oct 2020 20:09:05 GMT

Hi @schnap

You will need to configure the command management-access interface-name

Reference here:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/admin-management.html

Re: How to manage (ssh/https) a cisco asa fom vpn anyconnect

schnap — Wed, 21 Oct 2020 20:12:53 GMT

This is already in my configuration:

management-access mgmt2

mgmt2 is an internal interface 10.160.223.250

Re: How to manage (ssh/https) a cisco asa fom vpn anyconnect

MHM Cisco World — Wed, 21 Oct 2020 21:47:38 GMT

do this

manage-access inside

same-security-traffic permit intra-interface

try this and let me know result.

Re: How to manage (ssh/https) a cisco asa fom vpn anyconnect

EU UC Support — Wed, 21 Oct 2020 22:18:24 GMT

What do you mean "...this is routed to a switch..."?

Did you make sure NAT exemption is applied for the traffic between the management interface and AnyConnect clients pool?

Re: How to manage (ssh/https) a cisco asa fom vpn anyconnect

schnap — Thu, 22 Oct 2020 11:48:34 GMT

These commands are already there and it's not working

Re: How to manage (ssh/https) a cisco asa fom vpn anyconnect

Marius Gunnerud — Thu, 22 Oct 2020 11:57:11 GMT

Things to check:

1. make sure that your anyconnect subnet is included in the ssh and http commands. for example ssh 1.1.1.0 255.255.255.0 mgmt2

2. If you are using split tunneling, make sure that the mgmt2 subnet is included in the split tunnel ACL

3. If you are using vpn filter, make sure there are no vpn filter ACL that are blocking this traffic in your anyconnect configuration

4. make sure that you have a twice NAT / NAT exempt statement for the management traffic

Re: How to manage (ssh/https) a cisco asa fom vpn anyconnect

schnap — Thu, 22 Oct 2020 11:57:54 GMT

Yes nat exemptions is there.

I connect in vpn to the public ip . I have multiple interface on the firewall port channel on interface and connected to a swith , for example vlan 500 is outside and vlan 400 mgmt2 that is my "inside interface" this passed through a switch

Re: How to manage (ssh/https) a cisco asa fom vpn anyconnect

Aref Alsouqi — Thu, 22 Oct 2020 12:21:58 GMT

Can you please post the sanitized configs for review?

Re: How to manage (ssh/https) a cisco asa fom vpn anyconnect

MHM Cisco World — Thu, 22 Oct 2020 12:28:13 GMT

Above two command there, that ok but are you sure managment is point to input not to management interface?

Now use route-lookup in NAT.