ASA Management ACL Configuration and Usage

pj0503311
Level 1

I'm trying to get some information on how to properly configure the Mgt ACL in ASDM/CLI for management access to the ASA. When I configure it to allow connections from my IP address and then attempt to SSH to it I get a "connection closed" and syslogs show the ASA replying with a TCP Reset immediately. If I create the ACL then attempt to add my address via the SSH or HTTP commands I get something along the lines of "IP is already allowed management access" because the Mgt ACL is already configured with the same IP.


Anyone have any experience with allowing to-the-box management via the Mgt ACL? Our big reason for wanting to look into this would be to move from static IPs having management access to focusing on SGTs having management access.


Are we missing any configuration anywhere else to make this happen?

2 Replies

Hi pj0503311,

Have you allowed connections from the interface from which you are trying?
Can you send the piece of configuration you have done?

Here is what we have configured:

access-list Management_Access extended permit tcp security-group name SGT_Network_Admin any any eq ssh
access-list Management_Access extended permit tcp host 10.8.43.21 any eq ssh
access-group Management_Access in interface outside control-plane


When this ACL is configured I no longer get a "connection refused" message but a "connection closed" or "connection reset" message with a corresponding "TCP reset send by device" syslog message. So the ASA isn't blocking the connection per se, but it isn't exactly accepting it either.


When I add the IP address in the above ACL to the SSH allowed IP listing via "ssh 10.8.43.21 255.255.255.255 outside" then it works. This is the method by which we've been managing all of our ASAs for years. But, it would seem that with the Management ACL in place we shouldn't have to rely on static IPs but rather move to using SGTs to determine to-the-box access. However, the "ssh ....." config option is still recommended as a backup in case the management ACL were to be written incorrectly.
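The poster keeps the per-host "ssh ..." lines as a backup alongside the control-plane ACL. The script below is an added audit example, not from the thread or from Cisco: it parses the ACL, access-group and ssh/http lines in the syntax shown above (the extra host 10.8.43.22 and the ssh line are constructed sample input) and reports which host-based ACEs on the bound interface still lack a matching ssh/http backup entry, and which ACEs are SGT-based and therefore cannot be mirrored by a static host entry at all.

```python
import ipaddress
import re

# Constructed sample config: the two ACEs and the access-group binding from the
# thread, plus an extra host ACE and the "ssh" backup line the poster mentions.
SAMPLE_CONFIG = """
access-list Management_Access extended permit tcp security-group name SGT_Network_Admin any any eq ssh
access-list Management_Access extended permit tcp host 10.8.43.21 any eq ssh
access-list Management_Access extended permit tcp host 10.8.43.22 any eq ssh
access-group Management_Access in interface outside control-plane
ssh 10.8.43.21 255.255.255.255 outside
"""

# Only the line shapes seen in the thread are recognised (hypothetical, narrow parser).
ACE_HOST = re.compile(r"^access-list (\S+) extended permit tcp host (\S+) any eq (ssh|http|https)$")
ACE_SGT = re.compile(r"^access-list (\S+) extended permit tcp security-group name (\S+) any any eq (ssh|http|https)$")
CP_BIND = re.compile(r"^access-group (\S+) in interface (\S+) control-plane$")
BACKUP = re.compile(r"^(ssh|http) (\S+) (\S+) (\S+)$")  # "ssh <ip> <mask> <iface>"

def audit(config):
    """Return host ACEs that are / are not covered by a backup line, plus SGT-only ACEs."""
    binds, backup, host_aces, sgt_aces = {}, [], [], []
    for line in config.strip().splitlines():
        if m := CP_BIND.match(line):
            binds[m[1]] = m[2]                       # ACL name -> interface it is bound on
        elif m := BACKUP.match(line):
            net = ipaddress.ip_network(f"{m[2]}/{m[3]}", strict=False)
            backup.append((m[1], net, m[4]))         # (command, allowed network, interface)
        elif m := ACE_HOST.match(line):
            host_aces.append((m[1], m[2], m[3]))     # (ACL, host IP, service)
        elif m := ACE_SGT.match(line):
            sgt_aces.append((m[1], m[2], m[3]))      # (ACL, SGT name, service)
    covered, missing = [], []
    for acl, ip, svc in host_aces:
        iface = binds.get(acl)
        if iface is None:                            # ACL exists but is not a control-plane ACL
            missing.append((ip, svc, "acl not bound to control-plane"))
            continue
        cmd = "ssh" if svc == "ssh" else "http"      # http/https ACEs map to the "http" command
        ok = any(c == cmd and i == iface and ipaddress.ip_address(ip) in net
                 for c, net, i in backup)
        (covered if ok else missing).append((ip, svc, iface))
    sgt_only = [(sgt, svc) for _, sgt, svc in sgt_aces]
    return {"covered": covered, "missing": missing, "sgt_only": sgt_only}

if __name__ == "__main__":
    for key, rows in audit(SAMPLE_CONFIG).items():
        print(key, rows)
```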
