Remote access through VPN

ryancisco01
Level 1

Hi Guys,

Cisco ASA 9.1

I have created a new VPN tunnel solely for management purposes of network devices. There are 3 interfaces on the ASA:

outside
Inside
Management

There are devices that connect off the Inside interface and I can connect to them just fine.

I cannot, however, connect to the ASA itself on the management interface, or to another device which is on the management interface (same subnet).

The SA shows packets are being decrypted, however packet capture on the management interface shows no traffic leaving the interface.

I am aware of the "route lookup" command, however I am not running any NAT on the firewall; I even tried adding a no-NAT rule anyway but it did not make a difference.

Here is config snippet:

ssh 192.168.1.0 255.255.255.0 management
management-access management

interface Management0/0
 speed 100
 duplex full
 management-only
 nameif management
 security-level 100
 ip address 10.0.0.1 255.255.255.0

There is no acl on the outside interface or management interface

As I say, access to the Inside network works fine. I suspect... is it possible the "management-only" command will not route traffic out? I have never used this command before so I am not sure what it does, and it seems to affect access to devices via this interface.

Accepted Solution

Luke Oxley
Level 1
ryancisco01,

Thanks for your post. If you connect a laptop directly to the management interface and statically assign it an IP address in the same subnet, are you able to connect?
You are correct that for security purposes, the "management-only" command will not allow that interface to pass through any traffic. If you remove this, VPN peers should be able to access devices on that LAN, provided the rest of your configuration is correct.
For your requirements, I'd suggest removing this command and testing again. Let me know how you get along.

Kind regards,
Luke


Please rate helpful posts and mark correct answers.


2 Replies


Thanks, yep, I ended up using the Inside interface on the ASA to pass the traffic through and that worked fine.

For anyone else reading this, the management-only command will indeed allow you to connect to it directly, but it will not allow transit traffic through.
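For anyone landing on this thread later, here is an added configuration example (not posted by either participant and not Cisco's own documentation) that puts the management-only setup from the question beside the two ways out the thread arrives at: removing management-only as Luke suggests, and leaving the management interface alone and reaching the managed devices via the inside interface as ryancisco01 did. The VPN pool 192.168.1.0/24, the managed switch at 10.0.0.5, the group-policy name MGMT_VPN and the vpn-filter ACL are assumptions for illustration only; the thread itself only says the rest of the configuration must be correct. Syntax follows ASA 9.1 as in the question.

```cisco
! Added example, not from the thread. Assumptions: the VPN address pool is
! 192.168.1.0/24, a managed switch sits at 10.0.0.5 on the management
! subnet, and the remote-access users land in group-policy MGMT_VPN.

! --- As posted: management-only interface --------------------------------
! "management-only" means traffic may terminate ON the ASA via this
! interface but is never forwarded THROUGH it. A VPN user can therefore
! SSH to 10.0.0.1 (management-access plus a matching ssh statement), while
! packets for 10.0.0.5 are decrypted and then dropped, so a capture on the
! management interface stays empty, exactly as described in the question.
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
management-access management
ssh 192.168.1.0 255.255.255.0 management

! --- Option A (accepted answer): let the interface forward ---------------
! Removing management-only makes Management0/0 an ordinary data interface.
! The management LAN then relies on policy, not the interface type, to keep
! VPN users away from anything but SSH to the managed devices, so pin the
! VPN users down with a vpn-filter (written from the remote client's point
! of view: source = VPN pool, destination = management LAN). Names below
! are assumed.
interface Management0/0
 no management-only
 nameif management
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
access-list VPN_MGMT_FILTER extended permit tcp 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq ssh
access-list VPN_MGMT_FILTER extended deny ip any any
group-policy MGMT_VPN attributes
 vpn-filter value VPN_MGMT_FILTER

! --- Option B (what the poster did): keep management-only ---------------
! Leave Management0/0 as first shown (management-only) for the ASA's own
! management plane, and reach the network devices through the inside
! interface instead (for example by homing them on the inside LAN or
! routing to them via inside). Nothing passes through the management
! interface, which is the point of the command.

! --- Checks -----------------------------------------------------------------
! 1. Is the tunnel delivering the packets at all? Decaps should climb.
!    show crypto ipsec sa peer <remote-peer-ip> | include decaps
! 2. Where does the ASA drop them? Compare counters around a test SSH.
!    clear asp drop
!    show asp drop
! 3. Does anything leave the management interface now?
!    capture MGMT interface management match tcp 192.168.1.0 255.255.255.0 10.0.0.0 255.255.255.0 eq 22
!    show capture MGMT
```

Option A is the more convenient one, but it also turns a hardened management-plane interface into a routed one; if you take it, the vpn-filter (or an equivalent access rule) is what stands between every VPN user and the management LAN, so review it with the same care as an outside ACL.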
