Access to management network

Julian Regel
Level 1

I have an ASA that is being used for AnyConnect VPN access. The ASA has three interfaces: inside, outside and management.

The management interface is for:

- administration through ASDM from a host on the management network
- syslog to a centralised log host on the management network
- snmp to a monitoring host on the management network


All network access to the management network is through a core ASA server on the network (not the AnyConnect VPN ASA). This acts as a single choke point into the management network.

I want to grant access to the management network for AnyConnect VPN users, but I want that traffic to route through the core ASA and not straight out of the management interface.

Is this possible? Thanks.


7 Replies

Hi Julian,

The below link should help.

http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107596-asa-reverseroute.html

or

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_params.html

HTH,

Ab

Regards, Abhishek Purohit CCIE-S- 35269

Thanks for the reply.

I've had a look at both links, but I can't see which bits are required to solve my issue. Please can you advise? Thanks.

Since the management network is directly connected to the ASA, sending traffic to the core ASA is not possible as the AnyConnect ASA sees the network as directly connected and will prefer that route.  You would need to either implement an access server that you first jump to and then access the management network from there. Or, you can configure the AnyConnect ASA into multiple context mode with an Admin context and a second context with a name of your choice.  The admin context will host the management interface and all other interfaces will be on the second context.  Then configure routing to the management network to point to the core ASA.

--

Please remember to select a correct answer and rate helpful posts


Thanks for the reply.

I don't think you can run AnyConnect VPN in a context, so splitting isn't an option?

I was hoping there was a way to separate routing for management plane traffic from data plane traffic, but it looks like this may not be possible.

As of ASA version 9.5(2) you can have AnyConnect in multiple context mode.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/release/notes/asarn95.html

Remote Access Features

Support for Remote Access VPN in multiple context mode

You can now use the following remote access features in multiple context mode:

  • AnyConnect 3.x and later (SSL VPN only; no IKEv2 support)
  • Centralized AnyConnect image configuration
  • AnyConnect image upgrade
  • Context Resource Management for AnyConnect connections

Note: The AnyConnect Apex license is required for multiple context mode; you cannot use the default or legacy license.

We introduced the following commands: limit-resource vpn anyconnect, limit-resource vpn burst anyconnect

We modified the following screen: Configuration > Context Management > Resource Class > Add Resource Class

--

Please remember to select a correct answer and rate helpful posts

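As an added illustration, not configuration from this thread or from Cisco's documentation, this is what the split described in the replies could look like on the AnyConnect ASA once it is in multiple context mode: the admin context keeps the management interface (ASDM, syslog, SNMP), the vpn context gets inside and outside only, and because Management0/0 is no longer allocated to the vpn context the management network stops being "directly connected" there and a static route toward the core ASA takes effect. The `limit-resource vpn anyconnect` commands are the ones the 9.5(2) release notes quote; every other value here is assumed: context and class names, file names, interface names, the 10.0.100.0/24 management network, 10.0.1.254 as the core ASA's address, the log and SNMP host addresses, and the session limits.

```cisco
! ---- System execution space (after "mode multiple" has converted the box) ----
! "mode multiple" migrates the old running config into the admin context and
! allocates every interface to it; the allocations below are the end state
! the system config should reach after the move. Assumed names throughout.

! Resource class from the 9.5(2) release notes: caps AnyConnect sessions
! that the vpn context may hold (100) and may briefly exceed (burst 20).
class vpn-class
  limit-resource vpn anyconnect 100
  limit-resource vpn burst anyconnect 20
!
! Admin context: owns only the management interface. It has no inside or
! outside, so nothing arriving over AnyConnect can be forwarded out of it.
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
!
! VPN context: owns inside and outside and is NOT given Management0/0, so
! from its routing table the management network is just another remote
! prefix rather than a connected one.
context vpn
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/1
  config-url disk0:/vpn.cfg
  member vpn-class

! ---- admin context ("changeto context admin") ----
interface Management0/0
  nameif management
  security-level 100
  ip address 10.0.100.5 255.255.255.0
  management-only
! Management-plane services stay where they were: log host, SNMP host and
! ASDM access restricted to the management network (assumed addresses).
logging enable
logging host management 10.0.100.10
snmp-server host management 10.0.100.11 community EXAMPLE-RO-STRING
http server enable
http 10.0.100.0 255.255.255.0 management

! ---- vpn context ("changeto context vpn") ----
interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 198.51.100.2 255.255.255.0
interface GigabitEthernet0/1
  nameif inside
  security-level 100
  ip address 10.0.1.1 255.255.255.0
! Default route to the Internet, and the management network reachable only
! via the core ASA's inside-facing address (10.0.1.254, assumed). AnyConnect
! users' traffic to 10.0.100.0/24 therefore crosses that single choke point.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
route inside 10.0.100.0 255.255.255.0 10.0.1.254 1
```

To confirm the split did what was intended, `changeto context vpn` and `show route` should list 10.0.100.0/24 only as a static route via 10.0.1.254; if it still appears as directly connected, Management0/0 is still allocated to that context. The release-note caveats apply to the conversion itself: multiple context mode requires the AnyConnect Apex license and supports AnyConnect over SSL only, so any IKEv2 clients will stop connecting once the box is in multiple mode.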

Thanks for the clarification. I hadn't seen that update.

Please remember to mark the discussion as solved so we stop monitoring it.

--
Please remember to select a correct answer and rate helpful posts