topic Re: Unable to SSH/TELNET/HTTPS to Management interface from outside network in Network Security

Unable to SSH/TELNET/HTTPS to Management interface from outside network

shaikk.mydeen — Sat, 22 Feb 2020 07:35:36 GMT

I have a ASA 5585 with single slot (No IPS), Simple network, ASA Outside interface connected to Internet /Wan and Inside interface to LAN , ASA Management 0/0 is connected to LAN Access switch Management VLAN.

I have allowed any any policy for management interface.

Able to access the Inside Management VLAN segment from outside network except the ASA Management.

In the ASA specifically mentioned external segment IP for ssh, telnet and HTTPS access

ssh 10.51.x.x 255.255.X.X management

telnet 10.51.x.x 255.255.X.X management

https 10.51.x.x 255.255.X.X management

Re: Unable to SSH/TELNET/HTTPS to Management interface from outside network

Marius Gunnerud — Sun, 06 May 2018 07:24:41 GMT

It looks as though you are trying to access the management interface from the 10.51.x.x network on the Internet/WAN. This will never work as the ASA does not allow traffic to an interface on the ASA that is not the ingress interface. So to access the mgmt0/0 for administrative purposes you will either need to access it from a device on the 10.55.10.x/24 network, or that the traffic is routed via the switch and then to the mgmt0/0 interface. To access the mgmt0/0 from the internet you would need to set up a RA VPN, add the command management-access management (replace management with the name you have given the interface). You would also need to add the command ssh x.x.x.x y.y.y.y management to allow traffic from the VPN IP pool.

Keep in mind that interface access lists such as the any any you added to management interface does not affect "to the box" management traffic. This access list only affects traffic passing through the ASA.

Re: Unable to SSH/TELNET/HTTPS to Management interface from outside network

shaikk.mydeen — Sun, 06 May 2018 09:41:41 GMT

Thanks Marius,

As you stated "that the traffic is routed via the switch and then to the mgmt0/0 interface" what kind of route should be done? Since when I tried to add the default gateway for the ASA Mgmt0/0 to the L3 Management VLAN Interface of Switch, It didnt worked.

Thanks

Sheik Mytheen M

Re: Unable to SSH/TELNET/HTTPS to Management interface from outside network

shaikk.mydeen — Sun, 06 May 2018 10:54:38 GMT

Addition to it...

Please find the routes

route outside 0.0.0.0 0.0.0.0 <default gate connected to outside interface>
route inside 10.55.0.0 255.255.0.0 10.55.1.2 (connected to inside interface)

as management is directly connected , route addition doesn't affect the packet flow.

My aim is with the current setup need to access the management from outside network.

Re: Unable to SSH/TELNET/HTTPS to Management interface from outside network

Dennis Mink — Sun, 06 May 2018 11:13:03 GMT

did you add a route management 0.0.0.0 0.0.0.0 10.51.10,x ?so it has a way back to a non direct connected subnet?

Re: Unable to SSH/TELNET/HTTPS to Management interface from outside network

Marius Gunnerud — Sun, 06 May 2018 11:16:25 GMT

Adding a route to the for management network that points to the inside interface is pointless. A directly connected interface will always be prefered over a route, even if you set the administrative distance to 1.

It really depends what you are trying to access on the management interface. If you are trying to manage the ASA via the mgmt interface from the outside network, then you must use a VPN, there really is no other way around this. On the other hand, if you have a jumpstation server on the inside network, you could set up a NAT in the ASA that goes to this jump on port tcp/3389 and then RDP to that server and then manage the ASA from that server.

Re: Unable to SSH/TELNET/HTTPS to Management interface from outside network

shaikk.mydeen — Mon, 07 May 2018 05:18:25 GMT

route outside 0.0.0.0 0.0.0.0 (Outside interface connected IP) is configured. Configuring the same for the management interface is not allowed, i.e

(conf)#route management 0.0.0.0 0.0.0.0 (Outside interface connected IP)

Error: cannot add route entry, conflict with existing routes

Re: Unable to SSH/TELNET/HTTPS to Management interface from outside network

Marius Gunnerud — Mon, 07 May 2018 05:26:08 GMT

Yes this is correct. And if you apply a more general route (ex. /16) and change the administrative distance, the connected route will still be preferred.

I have provided you with the options to connect to the ASA management interface from the outside network already. Again, they are connect over an RA VPN (AnyConnect) or setup a jumpstation on your inside network.

Re: Unable to SSH/TELNET/HTTPS to Management interface from outside ne

sachin garg — Fri, 07 Feb 2025 04:48:55 GMT

IS this still same logic in latest OS versions?