AnyConnect: Remote ASDM access through VPN

Hi,


I have an AnyConnect setup where I have several group policies that access several different VLANs.

One of them is called net-mgmt, and is located at GigabitEthernet1/2.301, which is part of the trunk called inside.

I have therefore set the Management Access Interface to net-mgmt.

I have under ASDM/HTTPS/Telnet/SSH set ASDM/HTTPS: net-mgmt: 192.168.101.0: 255.255.255.0

When I try to ping the device, the logs say "routing failed to locate next hop for icmp from outside 192.168.101.200/1 to net-mgmt: 192.168.101.250/0".


I have tried disabling all NAT rules without any effect. I have set AnyConnect to ignore any access rules. Pinging and connecting to all other hosts in the VLAN works fine. Pinging and administering the firewall through local access works fine.


Do I need to make a NAT rule for this somehow? What would be in it, in that case? I want to be able to use ASDM and SSH from any IP within that subnet.



@NetworkStorm9000 you add the CLI command "management-access <interface name>" to manage the ASA (http, ssh, icmp) over a VPN.

Thank you for your reply, @Rob Ingram.


I have set this via the GUI, but when I look at the running-config, I get

management-access net-mgmt

This is what I expected. Most examples online use 'inside', but that doesn't have an IP in my setup, as I use this as a 'router on a stick' with about 10 different VLANs.
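As an added consistency check (written for this thread, not code from Cisco or from either poster): a small Python script that reads an ASA running-config excerpt and verifies that the interface named by management-access actually carries an IP address, and that the http (ASDM) and ssh entries are bound to that same nameif. The config text is constructed to mirror the setup described above; the finding messages are my own wording.

```python
import re

# Constructed running-config excerpt (not pasted from the thread), modelled on
# the setup described above: a bare trunk parent 'inside', a net-mgmt
# subinterface with an IP, management-access pointing at net-mgmt, and
# ASDM/SSH scoped to 192.168.101.0/24 on that same nameif.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/2
 nameif inside
 no ip address
!
interface GigabitEthernet1/2.301
 vlan 301
 nameif net-mgmt
 security-level 100
 ip address 192.168.101.250 255.255.255.0
!
management-access net-mgmt
http server enable
http 192.168.101.0 255.255.255.0 net-mgmt
ssh 192.168.101.0 255.255.255.0 net-mgmt
"""


def parse_interfaces(config):
    """Map each nameif to True/False: does its interface block carry an IP address?"""
    interfaces, nameif, has_ip = {}, None, False
    # A sentinel 'interface' line flushes the last block without special-casing.
    for line in config.splitlines() + ["interface <end>"]:
        if line.startswith("interface "):
            if nameif is not None:
                interfaces[nameif] = has_ip
            nameif, has_ip = None, False
        elif line.strip().startswith("nameif "):
            nameif = line.split()[1]
        elif line.strip().startswith("ip address "):   # 'no ip address' does not match
            has_ip = True
    return interfaces


def check_management_access(config):
    """Return a list of findings; an empty list means the config is self-consistent."""
    findings = []
    interfaces = parse_interfaces(config)
    m = re.search(r"^management-access (\S+)$", config, re.M)
    if not m:
        return ["no management-access line: the ASA itself is not reachable over the VPN"]
    mgmt = m.group(1)
    if mgmt not in interfaces:
        findings.append(f"{mgmt} is not a configured nameif")
    elif not interfaces[mgmt]:
        findings.append(f"{mgmt} has no ip address (a bare trunk parent such as 'inside' will not work)")
    for proto in ("http", "ssh"):   # 'http server enable' has too few tokens to match here
        scopes = re.findall(rf"^{proto} (\S+) (\S+) (\S+)$", config, re.M)
        if not any(nameif == mgmt for _, _, nameif in scopes):
            findings.append(f"no {proto} access entry bound to {mgmt}")
    return findings
```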
