05-20-2016 04:32 AM - edited 03-12-2019 12:46 AM
I have an ASA that is being used for AnyConnect VPN access. The ASA has three interfaces: inside, outside and management.
The management interface is for:
- administration through ASDM from a host on the management network
- syslog to a centralised log host on the management network
- snmp to a monitoring host on the management network
All network access to the management network is through a core ASA server on the network (not the AnyConnect VPN ASA). This acts as a single choke point into the management network.
I want to grant access to the management network for AnyConnect VPN users, but I want that traffic to route through the core ASA and not straight out of the management interface.
Is this possible? Thanks.
05-20-2016 06:43 AM
Hi Julian,
The below link should help.
http://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/107596-asa-reverseroute.html
or
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/vpn_params.html
HTH,
Ab
05-27-2016 02:21 AM
Thanks for the reply.
I've had a look at both links, but I can't see which bits are required to solve my issue. Please can you advise? Thanks.
05-22-2016 12:40 AM
Since the management network is directly connected to the ASA, sending traffic to the core ASA is not possible as the AnyConnect ASA sees the network as directly connected and will prefer that route. You would need to either implement an access server that you first jump to and then access the management network from there. Or, you can configure the AnyConnect ASA into multiple context mode with an Admin context and a second context with a name of your choice. The admin context will host the management interface and all other interfaces will be on the second context. Then configure routing to the management network to point to the core ASA.
--
Please remember to select a correct answer and rate helpful posts
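The split described in the reply above, written out as an added ASA configuration example (this is not configuration from the original thread or from Cisco's documentation). It assumes an ASA release that supports AnyConnect in multiple context mode, an admin context named `admin` holding the management interface, a second context named `vpn` holding the inside and outside interfaces, and constructed addressing: management network 10.10.10.0/24, core ASA inside-facing address 10.20.0.1, outside default gateway 203.0.113.1 and VPN pool 192.0.2.0/24. Interface names (`Management0/0`, `GigabitEthernet0/0`, `GigabitEthernet0/1`) and file names are placeholders.

```cisco
! ---- System execution space: switch to multiple context mode ----
! (the ASA reloads; back up the single-mode configuration first)
mode multiple

! The admin context owns the management interface only.
! Syslog, SNMP and ASDM for the box terminate here.
admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg

! The vpn context owns the data-plane interfaces.
! It has no interface in the management network, so that
! network is no longer "directly connected" from its view.
context vpn
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/1
  config-url disk0:/vpn.cfg

! ---- admin context ----
changeto context admin
interface Management0/0
  nameif management
  security-level 100
  ip address 10.10.10.2 255.255.255.0        ! constructed
  management-only
! logging and snmp-server statements stay in this context

! ---- vpn context ----
changeto context vpn
interface GigabitEthernet0/0
  nameif outside
  security-level 0
  ip address 198.51.100.2 255.255.255.0      ! constructed
interface GigabitEthernet0/1
  nameif inside
  security-level 100
  ip address 10.20.0.2 255.255.255.0         ! constructed

route outside 0.0.0.0 0.0.0.0 203.0.113.1
! Management network is reached via the core ASA (the choke point),
! not via a local interface, because this context has none there.
route inside 10.10.10.0 255.255.255.0 10.20.0.1

! ---- verification (exec mode, vpn context) ----
! show route
!   expect 10.10.10.0/24 listed as a static route via 10.20.0.1 on inside,
!   never as "directly connected"
! packet-tracer input outside tcp 192.0.2.10 40000 10.10.10.5 22
!   expect the egress interface to be "inside", so the flow reaches the
!   core ASA, where the management network's access policy is enforced
```

The `show route` check is the one that matters: if 10.10.10.0/24 still appears as a connected route in the `vpn` context, the management interface was allocated to the wrong context and AnyConnect traffic would bypass the core ASA. VPN-pool traffic leaving via `inside` also needs a return route on the core ASA for 192.0.2.0/24 pointing back at 10.20.0.2, and the core ASA's own policy is what decides which management hosts VPN users may reach.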
05-27-2016 02:09 AM
Thanks for the reply.
I don't think you can run AnyConnect VPN in a context, so splitting isn't an option?
I was hoping there was a way to separate routing for management plane traffic from data plane traffic, but it looks like this may not be possible.
05-27-2016 03:21 AM
As of ASA version 9.5(2) you can have AnyConnect in multiple context mode.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/release/notes/asarn95.html
--
Please remember to select a correct answer and rate helpful posts
05-27-2016 03:40 AM
Thanks for the clarification. I hadn't seen that update.
06-01-2016 02:33 AM
Please remember to mark the discussion as solved so we stop monitoring it.