Access Cisco ASA via ASDM from remote via different Interface

jensscheuvens
Level 1

Hello,

We would like to access ASA1's management01 interface IP (192.168.4.1) via ASDM from a host behind ASA4's interface GigabitEthernet0/1.1.
The flow is SRC: 10.10.10.5 DST: 192.168.4.1 Port: 443 & 22 (ASA4 > ASA3 > ASA2 > ASA1).

On ASA1 in the packet tracer I can see "no route to host" and in the log file "failed to locate egress interface".
We are able to access other hosts behind GigabitEthernet0/3 on ASA1 from hosts behind ASA4's interface GigabitEthernet0/1.1 just fine.

We have tried the following to make it work on ASA1:

- specify "management-access management01"
- configure the SRC host from ASA4 to be allowed to access ASA1 via ASDM & SSH:

http 10.10.10.5 255.255.255.255 transfer-vpn
ssh 10.10.10.5 255.255.255.255 transfer-vpn

- create a NAT exemption rule:

nat (transfer-vpn, management01) 7 source static 10.10.10.5 10.10.10.5 destination static 192.168.4.1 192.168.4.1 no-proxy-arp

also tried the other way around:

nat (management01, transfer-vpn) 7 source static 192.168.4.1 192.168.4.1 destination static 10.10.10.5 10.10.10.5 no-proxy-arp

- create a NAT exemption rule with "lookup route table to locate egress interface" enabled

The ASA 5545s are running 9.12(4)54.

Are we missing something here, or is this scenario not possible at all?

ASA1:
GigabitEthernet0/2
nameif transfer-vpn
security-level 10
ip address 194.1.1.1 255.255.255.240

GigabitEthernet0/3
nameif management01
security-level 100
ip address 192.168.4.1 255.255.255.0

<Transfer Network between ASA1 and ASA2>

ASA2:
GigabitEthernet0/2
nameif transfer-vpn
security-level 0
ip address 194.1.1.5 255.255.255.240

<VPN ASA2 to ASA3>

ASA3:
GigabitEthernet0/0
nameif outside
security-level 0
ip address 193.1.1.1 255.255.255.240

<Transfer Network between ASA3 and ASA4>

ASA4:

GigabitEthernet0/0
nameif outside
security-level 0
ip address 193.1.1.5 255.255.255.240

GigabitEthernet0/1.1
vlan 10
nameif hosts
security-level 66
ip address 10.10.10.1 255.255.255.0

The IPs are of course not the ones we really use.


Thank you


jensscheuvens
Level 1

Hi,

Thanks for all your effort.

As a workaround we have now done the following:

- created a NAT on ASA4 so that traffic to 192.168.4.1 will be translated to a public IP
- permitted ASDM/SSH traffic for that IP on ASA1

With that, the traffic flow is no longer via ASA4 <transfer net> ASA3 <VPN> ASA2 <transfer net> ASA1.
Now we are able to access ASA1 via 192.168.4.1 via ASDM and SSH from internal hosts behind ASA4.


Best regards

Friend, you are so so welcome.

Have a nice weekend.

MHM

jensscheuvens
Level 1

Thanks, you too.