ASA management ip is not reachable when it is in another internal interface

duran_tci
Level 1

Hi experts,

I'm a newbie with ASA firewalls.

I have an ASA 5506-X with version 9.9(2)27. I'm trying to do a very simple configuration, two interfaces with one network on each one. The ASA is in routed mode, and I'm able to connect from a machine "A" on the 192.168.7.0/26 network to the machine "B" on the 192.168.37.0/26 network. But I'm not able to connect to the ASDM management IP 192.168.37.1 configured on the ASA from machine "A". I would like to reach the ASA management IP from the 192.16.7.0/26 network in order to use ASDM from a different network.

The error that the ASA displays in its logs when I try to connect from Machine A to 192.168.37.1 is:

6 Dec 24 2019 13:45:45 192.168.7.53 50609 Failed to locate egress interface for TCP from inside:192.168.7.53/50609 to 192.168.37.1/443
6 Dec 24 2019 14:03:36 192.168.7.53 50715 Failed to locate egress interface for TCP from inside:192.168.7.53/50715 to 192.168.37.1/22
6 Dec 24 2019 14:03:58 192.168.7.53 50716 192.168.37.50 22 Built inbound TCP connection 587 for inside:192.168.7.53/50716 (192.168.7.53/50716) to HW-Management:192.168.37.50/22 (192.168.37.50/22)

The firewall rules are any:any from each network, and ASDM security is also allowed; I really don't see what is blocking the IP on interface Gi1/8.

One picture to explain the configuration a little better:

  +------+192.168.7.53        192.168.7.1+-----+192.168.37.1      192.168.37.50+------+
  | PC A |-------------------------------| ASA |-------------------------------| PC B |
  +------+                          Gi1/3+-----+Gi1/8                          +------+
                           (Internal Net)       (Internal Net &
                                                 Management Interface)

I attach a "show run" of the ASA config (sensitive information was removed).

Thanks for your help in advance :)

Warm regards and Merry Christmas!!

1 Accepted Solution

You can manage the ASA via 192.168.7.1 from the network 192.168.7.0/24
You can manage the ASA via 192.168.37.1 from the network 192.168.37.0/24
You cannot manage the ASA via 192.168.37.1 from the network 192.168.7.0/24
You cannot manage the ASA via 192.168.7.1 from the network 192.168.37.0/24

Make sense?

You can only manage the ASA (ssh, asdm or icmp) from its closest interface to the source; you cannot expect to connect to an ASA interface other than the interface you are connecting from.

You will still need to allow permission, such as "http 192.168.7.0 255.255.255.0 <intf>"

HTH

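The rule in the accepted answer is easy to get wrong when reading ASA logs, so here is an added example (not code from the thread or from Cisco) that models it: a management connection to the ASA works only when the destination is the ASA's own address on the interface the source arrives on. The interface names (inside, HW-Management), the /26 networks and the addresses come from the original post; the classifier labels "Failed to locate egress interface" syslog lines that are aimed at an ASA address on the wrong interface, which is exactly the symptom the poster saw. The three sample log lines are constructed copies of the ones quoted above.

```python
"""Model of 'manage the ASA only via its nearest interface' plus a syslog classifier.
Topology values are taken from the thread; nothing here talks to a real ASA."""
import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    nameif: str
    network: ipaddress.IPv4Network   # connected subnet behind this interface
    address: ipaddress.IPv4Address   # the ASA's own IP on this interface


# Topology as drawn in the original post (Gi1/3 = inside, Gi1/8 = HW-Management).
ASA_INTERFACES = (
    Interface("inside", ipaddress.ip_network("192.168.7.0/26"),
              ipaddress.ip_address("192.168.7.1")),
    Interface("HW-Management", ipaddress.ip_network("192.168.37.0/26"),
              ipaddress.ip_address("192.168.37.1")),
)


def ingress_interface(src, interfaces=ASA_INTERFACES):
    """Interface whose connected subnet contains the source (longest prefix wins)."""
    src = ipaddress.ip_address(src)
    matches = [i for i in interfaces if src in i.network]
    if not matches:
        return None
    return max(matches, key=lambda i: i.network.prefixlen)


def management_reachable(src, dst, interfaces=ASA_INTERFACES):
    """True only when dst is the ASA address on the interface the source arrives on.
    This is the rule stated in the accepted answer (VPN is the documented exception)."""
    dst = ipaddress.ip_address(dst)
    ingress = ingress_interface(src, interfaces)
    return ingress is not None and dst == ingress.address


MGMT_PORTS = {22, 443}  # ssh and asdm/https, the two ports in the quoted logs

LOG_RE = re.compile(
    r"Failed to locate egress interface for (?P<proto>\w+) from "
    r"(?P<in_if>[\w-]+):(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def classify_log_line(line, interfaces=ASA_INTERFACES):
    """Label a syslog line; 'mgmt-to-wrong-interface' is the case from this thread."""
    m = LOG_RE.search(line)
    if not m:
        return "not-egress-failure"
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dport"])
    if dst in {i.address for i in interfaces} and dport in MGMT_PORTS:
        if not management_reachable(m["src"], dst, interfaces):
            return "mgmt-to-wrong-interface"
        return "mgmt-egress-failure"   # reachable by the rule yet failed: investigate
    return "egress-failure"            # ordinary transit traffic with no route


# Constructed copies of the three lines quoted in the original post.
SAMPLE_LOGS = [
    "6 Dec 24 2019 13:45:45 192.168.7.53 50609 Failed to locate egress interface for TCP "
    "from inside:192.168.7.53/50609 to 192.168.37.1/443",
    "6 Dec 24 2019 14:03:36 192.168.7.53 50715 Failed to locate egress interface for TCP "
    "from inside:192.168.7.53/50715 to 192.168.37.1/22",
    "6 Dec 24 2019 14:03:58 192.168.7.53 50716 192.168.37.50 22 Built inbound TCP connection 587 "
    "for inside:192.168.7.53/50716 (192.168.7.53/50716) to HW-Management:192.168.37.50/22 "
    "(192.168.37.50/22)",
]


def classify_all(lines=SAMPLE_LOGS):
    """Classify every sample line, in order."""
    return [classify_log_line(line) for line in lines]


if __name__ == "__main__":
    for line, label in zip(SAMPLE_LOGS, classify_all()):
        print(f"{label:24s} {line[:60]}...")
    print("PC A -> 192.168.7.1 :", management_reachable("192.168.7.53", "192.168.7.1"))
    print("PC A -> 192.168.37.1:", management_reachable("192.168.7.53", "192.168.37.1"))
```

The practical takeaway matches the answer: point ASDM from PC A at 192.168.7.1, and enable it per interface with the `http 192.168.7.0 255.255.255.0 <intf>` form shown above (and the equivalent for the HW-Management side), rather than expecting one management address to be reachable from both networks.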

4 Replies

Hi,
That won't work by design. Management access to an ASA interface other than the one from which you entered the ASA is not supported. For example, if your management host is located on the outside interface, you can only initiate a management connection directly to the outside interface. The only exception to this rule is through a VPN connection.

FYI, the ACL rules apply to traffic going through the ASA, not to it, so they would never apply here.

HTH

Thanks RJI for your fast reply.

I really need to reach the ASDM services from two networks, the HW-Management one and another one designed for administrators and auditors. Is there any option, solution or workaround that I can use in order to run ASDM from the two networks without adding more routers, switches or devices? I would like to keep only the ASA and a Catalyst switch.

Thanks for your help!

Warm regards.


Thanks RJI, it all makes sense. I was so deep into my HW-Management network that I lost perspective on the problem.

Thanks for your help!!

Have a nice Christmas :)

Warm regards!
