
Remote access to management port from inside port

Serpent2010
Level 1

Hello,

I have a question, and I am hoping this is not a duplicated issue.

I have an ASA5525 with active ports: inside (172.10.1.0/24), outside (10.10.1.0/23), and management (192.168.1.0/23).


I have a VPN connection from outside to the inside without problem. However, my question is:


How can I access the management port from inside/outside using VPN?

In other words, I need my management workstation located in inside/outside be able to run ASDM to access the ASA management port.

Any advice, step by step?

Thank you

3 Replies

Bogdan Nita
VIP Alumni

To access the management interface of the ASA through VPN you need the following:

management-access management
nat (management,outside) source static obj-192.168.1.0_23 obj-192.168.1.0_23 destination static obj-remote-vpn obj-remote-vpn no-proxy-arp route-lookup

ssh <remote-vpn> <mask> management


Unfortunately you will not be able to access the management interface from an inside IP (172.10.1.0/24).

Traffic needs to arrive at the ASA on the management interface to be able to reach it (exception: VPN).

Hi Bogdan,

I believe I can access the ASA management port from inside.

I saw this had been implemented in one of the company branches. I believe I will need an L3


Marvin Rhoads
Hall of Fame

First ensure that your management /23 subnet is included in your VPN tunnel. (i.e. either you are using "tunnelall" or the ACL referenced in "tunnelspecified" includes that network).


Next you have to override the normal routing behavior on the ASA. Normally it would think that the egress interface for the management subnet is the management interface, since that network is directly connected and a connected route has an administrative distance (AD) of 0. You can override that with a static route (AD = 1) to a more specific set of subnets, i.e. a static route to each of the two /24s that comprise your /23. Point those static routes at an internal gateway (L3 switch or router) that knows how to route to both the ASA inside and management interfaces.


Finally, make sure the ASA has a route on the management interface that uses that same gateway for return traffic to the VPN client address pool.
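The three steps in the reply above, written out as an ASA configuration fragment plus the matching route on the internal L3 gateway. This is an added example, not configuration from the original thread or from Cisco documentation. Everything not stated in the thread is an assumption: the management /23 is taken to be 192.168.0.0/23 (the two /24s 192.168.0.0/24 and 192.168.1.0/24), the VPN client pool is 10.20.20.0/24, the ASA inside interface is 172.10.1.1, the ASA management interface is 192.168.0.1, and the internal L3 switch has 172.10.1.254 on the inside segment and 192.168.0.254 on the management segment. The group-policy and ACL names are also made up.

```cisco
! ===== ASA side (added example; names and addresses are assumptions) =====

! Step 1: carry the management /23 inside the tunnel (tunnelspecified case).
! If the remote-access group policy already uses tunnelall, this part is not needed.
access-list SPLIT-TUNNEL standard permit 172.10.1.0 255.255.255.0
access-list SPLIT-TUNNEL standard permit 192.168.0.0 255.255.254.0
group-policy RA-GROUP-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL

! Step 2: override the connected /23 (AD 0) with two more-specific /24 statics (AD 1)
! that send VPN traffic for the management network to the internal L3 gateway via inside.
route inside 192.168.0.0 255.255.255.0 172.10.1.254 1
route inside 192.168.1.0 255.255.255.0 172.10.1.254 1

! Step 3: return path from the management interface back to the VPN client pool,
! via the same gateway's address on the management segment.
route management 10.20.20.0 255.255.255.0 192.168.0.254 1

! Allow the management-plane sessions the question asks for (ASDM over HTTPS, plus SSH)
! from the VPN pool on the management interface.
management-access management
http 10.20.20.0 255.255.255.0 management
ssh 10.20.20.0 255.255.255.0 management

! ===== Internal L3 switch side (IOS, assumed) =====
! The switch is directly connected to both 172.10.1.0/24 and 192.168.0.0/23, so it only
! needs to know how to reach the VPN client pool: hand it back to the ASA inside interface.
ip route 10.20.20.0 255.255.255.0 172.10.1.1
```

After applying this, `show route` on the ASA should list the two /24 statics beside the connected /23, and `show asp table routing` is the quickest way to confirm that a packet for an address in the management subnet is actually chosen to egress via inside rather than via the management interface. The NAT exemption from the first reply still applies to the VPN-sourced traffic; adjust its interface pair to match the interface the traffic now leaves on.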
