topic Thanks for the clarification. in Network Security

Access to management network

Julian Regel — Tue, 12 Mar 2019 07:46:43 GMT

I have an ASA that is being used for AnyConnect VPN access. The ASA has three interfaces: inside, outside and management.

The management interface is for:

- administration through ASDM from a host on the management network
- syslog to a centralised log host on the management network
- snmp to a monitoring host on the management network

All network access to the management network is through a core ASA server on the network (not the AnyConnect VPN ASA). This acts as a single choke point into the management network.

I want to grant access to the management network for AnyConnect VPN users, but I want that traffic to route through the core ASA and not straight out of the management interface.

Is this possible? Thanks.

Hi Julian,

Abhishek Purohit — Fri, 20 May 2016 13:43:42 GMT

Hi Julian,

The below link should help.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107596-asa-reverseroute.html

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_params.html

HTH,

Since the management network

Marius Gunnerud — Sun, 22 May 2016 07:40:23 GMT

Since the management network is directly connected to the ASA, sending traffic to the core ASA is not possible as the AnyConnect ASA sees the network as directly connected and will prefer that route. You would need to either implement an access server that you first jump to and then access the management network from there. Or, you can configure the AnyConnect ASA into multiple context mode with an Admin context and a second context with a name of your choice. The admin context will host the management interface and all other interfaces will be on the second context. Then configure routing to the management network to point to the core ASA.

Please remember to select a correct answer and rate helpful posts

Thanks for the reply.

Julian Regel — Fri, 27 May 2016 09:09:59 GMT

Thanks for the reply.

I don't think you can run AnyConnect VPN in a context, so splitting isn't an option?

I was hoping there was a way to separate routing for management plane traffic from data plane traffic, but it looks like this may not be possible.

Thanks for the reply.

Julian Regel — Fri, 27 May 2016 09:21:45 GMT

Thanks for the reply.

I've had a look at both links, but I can't see which bits are required to solve my issue. Please can you advise? Thanks.

As of ASA version 9.5(2) you

Marius Gunnerud — Fri, 27 May 2016 10:21:51 GMT

As of ASA version 9.5(2) you can have AnyConnect in multiple context mode.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/release/notes/asarn95.html

Remote Access Features

Support for Remote Access VPN in multiple context mode

You can now use the following remote access features in multiple context mode:

AnyConnect 3.x and later (SSL VPN only; no IKEv2 support)
Centralized AnyConnect image configuration
AnyConnect image upgrade
Context Resource Management for AnyConnect connections

Note: The AnyConnect Apex license is required for multiple context mode; you cannot use the default or legacy license.

We introduced the following commands: limit-resource vpn anyconnect, limit-resource vpn burst anyconnect

We modified the following screen: Configuration > Context Management > Resource Class > Add Resource Class

Please remember to select a correct answer and rate helpful posts

Thanks for the clarification.

Julian Regel — Fri, 27 May 2016 10:40:52 GMT

Thanks for the clarification. I hadn't seen that update.

Please remember to more the

Marius Gunnerud — Wed, 01 Jun 2016 09:33:50 GMT

Please remember to more the discussion as solved so we stop monitoring it.