topic Thanks yep I ended up using in Network Security

Remote access through VPN

ryancisco01 — Tue, 12 Mar 2019 08:07:58 GMT

Hi Guys,

Cisco ASA 9.1

Have created a new vpn tunnel solely for management purposes of network devices. there are 3 interfaces on the ASA

outside

Inside

Management

there are devices that connect off the Inside Interface and I can connect to them just fine.

I canot however connect to the ASA itself on the management interface or another device which is on the management interface (same subnet)

The SA shows packets are being decrypted, however packet capture on the management interface shows no traffic leaving the interface.

I am aware of the "route lookup" command, however I am not running any nat on the firewall, i even tried adding a no nat anyway but it did not make a difference.

Here is config snippet:

ssh 192.168.1.0 255.255.255.0 management
management-access management

interface Management0/0
speed 100
duplex full
management-only
nameif management
security-level 100
ip address 10.0.0.1 255.255.255.0

There is no acl on the outside interface or management interface

As I say the access to the Inside network works fine, I suspect, is it possible "management-only" command will not route traffic out? I have never used this command before so I am not sure what it does and it seems to affect access to devices via this interface.

@ryancisco01,

Luke Oxley — Wed, 17 Aug 2016 11:23:43 GMT

ryancisco01,

Thanks for your post. If you connect a laptop directly to the management interface an statically assign it an IP address in the same subnet are you able to connect?

You are correct that for security purposes, the "management-only" command will not allow that interface to pass through any traffic. If you remove this, VPN peers should be able to access devices on that LAN providing the rest of your configuration is correct.

For your requirements, I'd suggest removing this command and testing again. Let me know how you get along.

Kind regards,

Luke

Please rate helpful posts and mark correct answers.

Thanks yep I ended up using

ryancisco01 — Wed, 17 Aug 2016 22:17:49 GMT

Thanks yep I ended up using the Inside interface on the asa to pass the traffic through and that worked fine.

For anyone else reading this, the management-only command will indeed allow you to connect to it directly, but it will not allow transient traffic through.