In a previous post I had a problem where either the ASA or the rest of the devices in the management VLAN were accessible via VPN, but not all at the same time (https://community.cisco.com/t5/network-management/can-access-hosts-in-management-vlan-either-or-asa-management-ip/td-p/5203099).
The problem arose because the management VLAN was reachable both via the transit VLAN (coming from the L3 core switch) and directly connected on L2 to the ASA. So I have removed the L2 interface for the management VLAN on the ASA. Only the transit VLAN remains, and the WAN interfaces of course.
For now I am able to manage the ASA on its IP address in the transit VLAN (ASA 192.168.200.1/31, core 192.168.200.0/31).
I suspect that it is not the best choice to have the ASA's management IP address on the transit VLAN.
My question is: how do I set up another interface for management and still be able to access the ASA coming from one of the internal VLANs through the transit VLAN?
I have already configured another interface with an IP address (i.e. 192.168.50.10) on the same trunk where the transit VLAN exists. I can ping the ASA, but I am not able to access it via ASDM or SSH. Packet tracer shows a drop/deny because of an "implicit rule". I guess it's the global implicit rule, but it doesn't make any sense to me.
When I move the management IP address (192.168.50.10) to a dedicated interface, the ASA log shows that the traffic is routed to WAN because of the default route 0.0.0.0. It looks like the ASA doesn't know that this interface is locally connected and instead wants to forward that traffic to WAN.
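The arrangement the post describes, written out as an added ASA configuration example; this is not the poster's config and not a Cisco-supplied answer. The /31 addresses come from the post; the subinterface name, the VLAN ID and the 192.168.50.0/24 internal subnet used for the SSH/ASDM restrictions are assumptions. The point a practitioner should check first is the ASA's to-the-box rule: the ASA only accepts management traffic whose destination is the address of the interface the packet arrives on (the management-access command relaxes this only for VPN-tunnelled traffic), so a session that enters via the transit subinterface must be opened to the transit-side address, and a route back to the internal VLANs is required so the replies do not follow the default route to WAN.

```text
! Transit link to the L3 core (subinterface name and VLAN ID are assumptions;
! the /31 addresses are the ones given in the post)
interface GigabitEthernet0/1.200
 vlan 200
 nameif transit
 security-level 100
 ip address 192.168.200.1 255.255.255.254
!
! The internal VLANs live behind the core, so the ASA needs a route to them
! via the transit peer; without it, replies to management sessions take the
! default route towards WAN (192.168.50.0/24 is an assumed internal subnet)
route transit 192.168.50.0 255.255.255.0 192.168.200.0 1
!
! Restrict SSH and ASDM (HTTPS) to that internal subnet, entering on transit.
! Sessions must target 192.168.200.1: traffic that enters on transit but is
! addressed to another interface's IP is dropped by the ASA as to-the-box
! traffic for the wrong interface, which shows up in packet-tracer as an
! implicit-rule deny.
ssh 192.168.50.0 255.255.255.0 transit
http server enable
http 192.168.50.0 255.255.255.0 transit
```

If a dedicated management interface is still wanted, the ASA has to actually receive the management packets on that interface (its own link, with the core routing the management subnet to it), rather than on transit with a destination of the dedicated interface's address.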