https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4841970#M1100816 <P>as&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp; mention there is two plane in ASA&nbsp;<BR />DATA PLANE and MGMT PLANE&nbsp;</P> <P>it separate so access via test01 for subnet of test02 is not pass through the DATA PLANE and access failed&nbsp;<BR />you need to specify subnet that direct connect to interface use in command or use 0.0.0.0 (cisco not recommend this it risky)&nbsp;</P> Wed, 24 May 2023 17:38:58 GMT MHM Cisco World 2023-05-24T17:38:58Z https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4841949#M1100809 <P>Hello together,</P><P>I am trying to access our ASA via ASDM from another Interface than the Management Interface.<BR />I have multiple subinterfaces and I would like to access from one Host (Host A) behind Interface "test01" to the ASA via ASDM:</P><P>GigabitEthernet0/1.1<BR />vlan 22<BR />nameif test01<BR />security-level 92<BR />ip address 192.168.1.254 255.255.255.0</P><P>GigabitEthernet0/1.2<BR />vlan 33<BR />nameif test02<BR />security level 95<BR />ip address 192.168.2.254 255.255.255.0</P><P>If opening ASDM from Host A (192.168.1.5) and trying to connect to 192.168.2.254 it does not work.<BR />In the logs I can see that the ASA in unable to locate the egress Interface. If simulating the traffic via packet tracer it<BR />says "no route to host". But the interfaces are directly connected.</P><P>I have already tried to grant management access via:</P><P>http 192.168.1.5 255.255.255.255 test02</P><P><BR />Am I missing here something or is this not possible?</P><P><BR />ASA Version 9.12(4)47</P><P>ASDM Version 7.20(1)23</P><P><BR />Thanks in advance</P> Wed, 24 May 2023 14:24:59 GMT https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4841949#M1100809 jensscheuvens 2023-05-24T14:24:59Z https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4841951#M1100810 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/151372">@jensscheuvens</a> if you are connected behind test01 interface of the ASA you can only connect using SSH, HTTP (ASDM) etc to the closest interface (test01), not a far interface (test02) - thats' by design. The only exception to that if mgmt was over a VPN.</P> <P>FYI, packet-tracer if for traffic "through" the ASA, not "to" the ASA so is not representative.</P> Wed, 24 May 2023 14:31:02 GMT https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4841951#M1100810 Rob Ingram 2023-05-24T14:31:02Z https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4841953#M1100811 <P>Hi</P> <P>&nbsp;Use&nbsp;http 0.0.0.0 0.0.0.0 <SPAN>test01</SPAN></P> Wed, 24 May 2023 14:30:51 GMT https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4841953#M1100811 Flavio Miranda 2023-05-24T14:30:51Z https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4841955#M1100812 <P>check comment above</P> Thu, 25 May 2023 08:40:07 GMT https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4841955#M1100812 MHM Cisco World 2023-05-25T08:40:07Z https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4841968#M1100814 <P>Thanks for your answer. It is the same when trying to access the device via SSH from 192.168.1.5 "failed to locate egress interface"</P> Wed, 24 May 2023 14:45:05 GMT https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4841968#M1100814 jensscheuvens 2023-05-24T14:45:05Z https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4841969#M1100815 <P>http 192.168.1.5 255.255.255.255 test01 &lt;&lt;- if you want to access via test01 subnet</P><P>Yes I would like to access from 192.168.1.5 via ASDM to 192.168.2.254.</P><P>I tested both but with the same result</P><P>&nbsp;</P> Wed, 24 May 2023 14:46:41 GMT https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4841969#M1100815 jensscheuvens 2023-05-24T14:46:41Z https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4841970#M1100816 <P>as&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/97036">@Rob Ingram</a>&nbsp; mention there is two plane in ASA&nbsp;<BR />DATA PLANE and MGMT PLANE&nbsp;</P> <P>it separate so access via test01 for subnet of test02 is not pass through the DATA PLANE and access failed&nbsp;<BR />you need to specify subnet that direct connect to interface use in command or use 0.0.0.0 (cisco not recommend this it risky)&nbsp;</P> Wed, 24 May 2023 17:38:58 GMT https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4841970#M1100816 MHM Cisco World 2023-05-24T17:38:58Z https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4841979#M1100817 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/151372">@jensscheuvens</a> but your configuration is incorrect if connecting from 192.168.1.5, the source interface is test01.</P> <P>http 192.168.1.5 255.255.255.255 test0<STRONG>1</STRONG></P> <P>...then connect to 129.168.1.254.</P> <P>As I mentioned you cannot be connected behind test01 interface and connect to test02 interface.</P> Wed, 24 May 2023 14:56:34 GMT https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4841979#M1100817 Rob Ingram 2023-05-24T14:56:34Z https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4841980#M1100818 <P>check above&nbsp;</P> Thu, 25 May 2023 08:40:27 GMT https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4841980#M1100818 MHM Cisco World 2023-05-25T08:40:27Z https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4841983#M1100819 <P>This is the command you need to configure if you access from 192.168.1.5</P> <LI-CODE lang="markup">asdm image flash:asdm-openjre-7xx-1xx.bin ! aaa authentication http console LOCAL aaa authorization exec LOCAL auto-enable aaa authentication login-history ! http server enable http server idle-timeout 60 https 192.168.1.5 255.255.255.255 test01</LI-CODE> <P>&nbsp;</P> Wed, 24 May 2023 15:01:21 GMT https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4841983#M1100819 Sheraz.Salim 2023-05-24T15:01:21Z https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4841988#M1100820 <P>His interface IP is .254 not .5&nbsp;<BR />just want to notice you&nbsp;<BR />thanks&nbsp;<BR />MHM</P> Wed, 24 May 2023 15:04:32 GMT https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4841988#M1100820 MHM Cisco World 2023-05-24T15:04:32Z https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4842556#M1100848 <P>&nbsp;</P><P>Hi,&nbsp;</P><P>I&nbsp; have configured&nbsp;http 192.168.1.5 255.255.255.255 test01.&nbsp;<BR />It was a mistake that I wrote above test02.</P><P>Ok thanks for your explanations and it is now clear to me.</P><P>One question which came to my mind yesterday:</P><P>If performing a NAT like:</P><P>SRC INT:&nbsp;test01<BR />SRC: 192.168.1.5</P><P>DST INT:&nbsp;test02<BR />SRC: 192.168.2.254</P><P>would that work?</P> Thu, 25 May 2023 07:25:28 GMT https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4842556#M1100848 jensscheuvens 2023-05-25T07:25:28Z https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4842629#M1100849 <P>192.168.2.254 is the IP address of test02 which is Firewall interface GigabitEthernet0/1.2.</P> <P>unless you do something like this</P> <P>object network Real-IP-test01</P> <P>&nbsp;host 192.168.1.5</P> <P>!</P> <P>nat (test01,test02) source static Real-IP-test01 Interface</P> <P>&nbsp;</P> <P>or</P> <P>object network Real-IP2</P> <P>&nbsp;host 192.168.2.100</P> <P>nat(test01,test02) source static Real-IP-test01 Real-IP2</P> Thu, 25 May 2023 08:35:40 GMT https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4842629#M1100849 Sheraz.Salim 2023-05-25T08:35:40Z https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4842631#M1100850 <P>Thank you every one. The thread can be closed then</P> Thu, 25 May 2023 08:38:50 GMT https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4842631#M1100850 jensscheuvens 2023-05-25T08:38:50Z https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4842634#M1100851 <P>You are so welcome&nbsp;</P> Thu, 25 May 2023 08:40:44 GMT https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/m-p/4842634#M1100851 MHM Cisco World 2023-05-25T08:40:44Z