Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1532
Views
0
Helpful
2
Replies

ASA Management ACL Configuration and Usage

pj0503311
Level 1
Level 1

‎12-12-2018 08:59 AM - edited ‎02-21-2020 08:34 AM

I'm trying to get some information on how to properly configure the Mgt ACL in ASDM/CLI for management access to the ASA. When I configure it to allow connections from my IP address and then attempt to SSH to it I get a "connection closed" and syslogs show the ASA replying with a TCP Reset immediately. If I create the ACL then attempt to add my address via the SSH or HTTP commands I get something along the lines of "IP is already allowed management access" because the Mgt ACL is already configured with the same IP.

 

Anyone have any experience with allowing to-the-box management via the Mgt ACL? Our big reason for wanting to look into this would be to move from static IP's having management access to focusing on SGTs having management access.

 

Are we missing any configuration anywhere else to make this happen?

0 Helpful
2 Replies 2

Babak Bagherzadegan
Level 1
Level 1

‎12-12-2018 07:15 PM

Hi pj0503311,

Have you allowed connections from the interface from which you are trying?
Can you send the piece of configuration you have done?

0 Helpful

pj0503311
Level 1
Level 1
In response to Babak Bagherzadegan

‎12-13-2018 09:21 AM

Here is what we have configured:

access-list Management_Access extended permit tcp security-group name SGT_Network_Admin any any eq ssh
access-list Management_Access extended permit tcp host 10.8.43.21 any eq ssh

 

access-group Management_Access in interface outside control-plane

 

When this ACL is configured I no longer get a "connection refused" message but a "connection closed" or "connection reset" message with a corresponding "TCP reset send by device" syslog message. So the ASA isn't blocking the connection per-se but it isn't exactly accepting it either.

 

When I add the IP address in the above ACL to the SSH allowed IP listing via "ssh 10.8.43.21 255.255.255.255 outside" then it works. This is the method by which we've been managing all of our ASA's for years. But, it would seem that with the Manaagement ACL in place we shouldn't have to rely on static IP's but rather move to using SGT's to determine to-the-box access. However, the "ssh ....." config option is still recommended as a backup in case the management ACL were to be written incorrectly.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card