Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1941
Views
5
Helpful
4
Replies

ASA5506 management-access inside not working.

Go to solution
Garry Cross
Level 1
Level 1

‎01-17-2020 06:22 AM

So we have a brand new ASA5506 in a remote office. We configured a ikev2 ipsec tunnel to connect to the head office. The tunnel is up and working fine. There is a switch connected to inside and a /30 subnet between it and the firewall. We can access the switch on its address on this subnet but cannot access the firewall on the same subnet over the VPN. I have removed and added back the management-access inside command with no change in behaviour. Cannot ping it, cannot ssh or run ASDM on it. The relevant commands are as follows.

management-access inside

ssh 10.1.0.0 255.255.248.0 inside

http 10.1.0.0 255.255.248.0 inside

 

We have other ssh and http commands for the networks at the site and access if fine from there.

 

Anyone run into this before. I recall having this issue elsewhere once and for some reason it magically started working but am unsure why.

 

Thanks.

 

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP
In response to Garry Cross

‎01-17-2020 02:24 PM

Regardless of the default route, I would suggest adding the route-lookup keyword and then test.

I have seen the same results where one ASA grants access to the management-access inside IP and another (same model) required route-lookup. Not entirely sure why it is required on one but not the other, but solved the issue for me.
--
Please remember to select a correct answer and rate helpful posts

View solution in original post

4 Replies 4

Go to solution
Marius Gunnerud
VIP
VIP

‎01-17-2020 01:45 PM

Do you have a twice NAT / NAT exempt statement for 10.1.0.0/21 subnet?  If yes, do you have a route-lookup statement added to the end of this configuration?

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Garry Cross
Level 1
Level 1
In response to Marius Gunnerud

‎01-17-2020 02:04 PM

There is a twice nat, otherwise I would not be able to access the remote switch on the same subnet. Sw 192.168.253.1 and ASA 192.168.253.2.

I do not have a route-lookup. Neither end has a route lookup on the twice nat. They both follow the default route to reach each other.

I can access the management interface of the head end from the remote site. But not the remote site from the head end.

Both are 5506, remote is 9.6(4)10, head end 9.8(1).

Saw some old bugs about this but fixed in much older code.

 

Regards

 

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to Garry Cross

‎01-17-2020 02:24 PM

Regardless of the default route, I would suggest adding the route-lookup keyword and then test.

I have seen the same results where one ASA grants access to the management-access inside IP and another (same model) required route-lookup. Not entirely sure why it is required on one but not the other, but solved the issue for me.
--
Please remember to select a correct answer and rate helpful posts

Go to solution
Garry Cross
Level 1
Level 1
In response to Marius Gunnerud

‎01-20-2020 06:28 AM

I added route-lookup to both ends of the tunnel. It now works. Thank you

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card