Welcome to Cisco Firewalls Community


Remote access to management port from inside port

Hello,

I have a question, and I am hoping this is not a duplicated issue.

I have an ASA5525 with active ports: inside (172.10.1.0/24), outside (10.10.1.0/23), and management (192.168.1.0/23).

I have a VPN connection from outside to the inside without problem. However, my question is:

How can I access the management port from inside/outside using VPN?

In other words, I need my management workstation located in inside/outside be able to run ASDM to access the ASA management port.

Any advice, step by step?

Thank you   

Re: Remote access to management port from inside port

To access the management interface of the ASA through VPN you need the following:

management-access management
nat (management,outside) source static obj-192.168.1.0_23 obj-192.168.1.0_23 destination static obj-remote-vpn obj-remote-vpn no-proxy-arp route-lookup

ssh <remote-vpn> <mask> management

Unfortunately you will not be able to access the management interface from an inside IP (172.10.1.0/24).

Traffic needs to arrive at the ASA on the management interface to be able to reach it (exception: VPN).


Re: Remote access to management port from inside port

Hi Bogdan,

I believe I can access the ASA management port from inside.

I saw this had been implemented at one of the company branches. I believe I will need an L3


Re: Remote access to management port from inside port

First ensure that your management /23 subnet is included in your VPN tunnel (i.e. either you are using "tunnelall" or the ACL referenced in "tunnelspecified" includes that network).

Next you have to override the normal routing behavior on the ASA. Normally it would think that the egress interface for the management subnet is the management interface, since it is connected and this has an administrative distance (AD) of 0. You can override that with a static route (AD = 1) to a more specific set of subnets, i.e. a static route to the two /24s that comprise your /23. Set the next hop of that static route to an internal gateway (L3 switch or router) that knows how to route to both the ASA inside and management interfaces.

Finally, make sure the ASA has a route for the management interface that uses that same gateway for return traffic to the VPN client address pool.
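As an added example (not configuration posted in this thread), the following ASA configuration puts together the first reply's management-access, NAT exemption and SSH rules with the third reply's requirement that the management subnet be part of the tunnel, and adds the HTTP rule ASDM needs. Everything not given in the thread is assumed: the interface is named "management", the ASA's management IP is 192.168.1.1, the VPN address pool is 192.168.100.0/24, the group policy is "RA-GP" and the split-tunnel ACL is "SPLIT-TUNNEL". The poster's "192.168.1.0/23" is written as its network address 192.168.0.0/23, which the ASA requires. The static-route override from the third reply is not included.

```cisco
! Added example, not from the thread. Assumed names/addresses:
! interface "management", ASA management IP 192.168.1.1,
! VPN pool 192.168.100.0/24, group-policy RA-GP, ACL SPLIT-TUNNEL.

! 1. Allow to-the-box management traffic that arrives over VPN on another
!    interface (outside) to reach the management interface address.
management-access management

! 2. Objects for the identity NAT. 192.168.1.0/23 as posted is the
!    192.168.0.0/23 network; the ASA rejects an unaligned subnet.
object network obj-192.168.1.0_23
 subnet 192.168.0.0 255.255.254.0
object network obj-remote-vpn
 subnet 192.168.100.0 255.255.255.0

! 3. Identity NAT so VPN <-> management traffic is not translated.
nat (management,outside) source static obj-192.168.1.0_23 obj-192.168.1.0_23 destination static obj-remote-vpn obj-remote-vpn no-proxy-arp route-lookup

! 4. The management /23 must be inside the tunnel. Skip this block if the
!    group policy already uses "split-tunnel-policy tunnelall".
access-list SPLIT-TUNNEL standard permit 192.168.0.0 255.255.254.0
group-policy RA-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! 5. Permit SSH and ASDM (HTTPS) only from the VPN pool and only on the
!    management interface; nothing is opened on outside or inside.
http server enable
http 192.168.100.0 255.255.255.0 management
ssh 192.168.100.0 255.255.255.0 management

! Verification (from the ASA CLI):
! show nat                 -> the exemption rule above should show hits
! packet-tracer input outside tcp 192.168.100.10 40000 192.168.1.1 443
```

The `http`/`ssh` lines are scoped to the management interface on purpose: a VPN client that is not in the 192.168.100.0/24 pool, or a host on inside, still cannot open ASDM or SSH to the box. If ASDM connects but SSH does not (or vice versa), check these two lines first, then `show nat` for the exemption rule, before touching routing.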
