11-10-2021 12:12 PM
Hi,
I have an AnyConnect setup where I have several group policies that access several different VLANs.
One of them is called net-mgmt, and is located at GigabitEthernet1/2.301, which is part of the trunk called inside.
I have therefore set the Management Access Interface to net-mgmt.
I have under ASDM/HTTPS/Telnet/SSH set ASDM/HTTPS: net-mgmt: 192.168.101.0: 255.255.255.0
When I try to ping the device, the logs say "routing failed to locate next hop for icmp from outside 192.168.101.200/1 to net-mgmt: 192.168.101.250/0".
I have tried disabling all NAT rules without any effect. I have set AnyConnect to ignore any access rules. Pinging and connecting to all other hosts in the vlan works fine. Pinging and administering the firewall through local access works fine.
Do I need to make a NAT rule for this somehow? What would be in it, in that case? I want to be able to use ASDM and SSH from any IP within that subnet.
11-10-2021 12:19 PM - edited 11-10-2021 12:26 PM
@NetworkStorm9000 you add the CLI command "management-access <interface name>" to manage the ASA (http, ssh, icmp) over a VPN.
11-10-2021 12:27 PM
Thank you for your reply, @Rob Ingram .
I have set this via the gui, but when I look at the running-config, I get
management-access net-mgmt
This is what I expected. Most examples online use 'inside', but that doesn't have an IP in my setup, as I use this as a 'router on a stick' with about 10 different VLANs.
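As an added illustration (not configuration posted by either participant, and not taken from Cisco documentation), here is what the pieces discussed in this thread look like as ASA CLI: the `management-access` command from Rob's reply, the ASDM/HTTPS and SSH restrictions the original post configured through ASDM, and a `show` check to confirm what is actually in the running-config. Interface names and the 192.168.101.0/24 subnet are the ones given in the thread; the VPN pool object and its address range are constructed placeholders, and the identity NAT rule is an assumption about a typical AnyConnect setup, not something the thread confirms is required here.

```text
! --- Added example, not from the thread or vendor docs ---
! Allow management traffic (ASDM/HTTPS, SSH, ICMP) to the ASA's own interface
! to arrive over the VPN tunnel instead of on the interface it terminates on.
management-access net-mgmt

! Restrict ASDM/HTTPS and SSH to the management subnet on the net-mgmt interface only.
! Listing a single subnet and interface is the least-privilege form; avoid 0.0.0.0 0.0.0.0.
http server enable
http 192.168.101.0 255.255.255.0 net-mgmt
ssh 192.168.101.0 255.255.255.0 net-mgmt

! Assumption: AnyConnect pool object (placeholder range, pick your real pool).
object network VPN-POOL
 subnet 10.99.99.0 255.255.255.0

! Assumption: identity NAT so VPN-to-inside traffic is not translated and
! route-lookup is used for the egress interface. Only needed if NAT rules
! on this box would otherwise translate the VPN pool addresses.
nat (net-mgmt,outside) source static any any destination static VPN-POOL VPN-POOL no-proxy-arp route-lookup

! Checks: confirm what the running-config actually contains.
show running-config management-access
show running-config http
show running-config ssh
```

The `show running-config` lines are the quickest way to verify that an ASDM change landed as expected, as the original poster did for `management-access net-mgmt`; if `http` or `ssh` entries reference a different interface than the one named in `management-access`, management over the tunnel will still fail even though the command is present.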