ASA 5505 intervlan ASDM/SSH Access

vgulinolite
Level 1

hello,

I am running into an issue that I cannot seem to figure out. I have an ASA 5505 with the Security Plus license. I set up a native VLAN where all of my network devices sit, i.e. my wireless access point has an IP of 192.168.3.2, my switch .3. I have no issues managing these devices from any VLAN I am on (permitting firewall access rules). When I try to access my ASA via ASDM/SSH, I have to use the gateway of the VLAN I am on. For instance, if I am on VLAN 10 I have to use 192.168.10.1 for access; if I am on VLAN 20 I type 20.1, etc. If I type in 192.168.3.1 I get an error in the ASDM logs that states "TCP reset by appliance". This is for any gateway I type except for the gateway of the VLAN that I am connected to. I am posting a sanitized config. How can I configure the ASA to permit access via any gateway?


3 Replies

Jennifer Halim
Cisco Employee

Yes, that is how the ASA works. You can only manage the ASA on the interface where you are connected from, not crossing the interface, with one exception if you are trying to manage the ASA via VPN tunnel, then you can manage 1 cross interface.

So this is by design? If I set up an interface for management only and patch it into my switch, would I then be able to manage the ASA from any VLAN?

Sent from Cisco Technical Support iPhone App

The management-only command just tells the ASA to pass all the "to the box" traffic, which is typically SSH, Telnet and HTTP, to the ASA. It's not going to alter the behaviour of the ASA and permit management from any VLAN.

But like Jennifer said, you can manage that same interface designated as management-only through the VPN.

The command for the same is "management-access "

Command reference:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2027985
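As an added illustration of the behaviour Jennifer and the second reply describe (this is not a config from the original thread), the fragment below grants to-the-box SSH/ASDM access on each VLAN interface from that interface's own subnet only, and designates one interface for the single cross-interface case over VPN. The interface names (mgmt, vlan10, vlan20), the native VLAN number (Vlan3) and the security levels are assumptions; the subnets come from the original post, and the syntax follows the ASA 8.2 command reference linked above.

```cisco
! Added example, not from the thread. Interface names, VLAN 3 for the native VLAN
! and security levels are assumptions; subnets are taken from the original post.
interface Vlan3
 nameif mgmt
 security-level 100
 ip address 192.168.3.1 255.255.255.0
!
interface Vlan10
 nameif vlan10
 security-level 90
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan20
 nameif vlan20
 security-level 80
 ip address 192.168.20.1 255.255.255.0
!
! To-the-box management is only reachable at the address of the interface the
! admin arrives on, so each VLAN needs its own statement. Scoping every entry to
! the local subnet keeps other VLANs away from the management plane entirely.
http server enable
http 192.168.3.0 255.255.255.0 mgmt
http 192.168.10.0 255.255.255.0 vlan10
http 192.168.20.0 255.255.255.0 vlan20
ssh 192.168.3.0 255.255.255.0 mgmt
ssh 192.168.10.0 255.255.255.0 vlan10
ssh 192.168.20.0 255.255.255.0 vlan20
ssh version 2
!
! The one exception: a remote admin inside a VPN tunnel may manage the ASA at the
! mgmt interface's address (192.168.3.1) once that interface is designated here.
! Only one interface can be named with management-access.
management-access mgmt
```

With this in place, an admin on VLAN 10 still uses 192.168.10.1 and an admin on VLAN 20 still uses 192.168.20.1; 192.168.3.1 becomes reachable for management only from VLAN 3 itself or from inside the VPN.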
