ASA5506 management-access inside not working.

Garry Cross
Level 1

So we have a brand new ASA5506 in a remote office. We configured an IKEv2 IPsec tunnel to connect to the head office. The tunnel is up and working fine. There is a switch connected to inside and a /30 subnet between it and the firewall. We can access the switch on its address on this subnet but cannot access the firewall on the same subnet over the VPN. I have removed and added back the management-access inside command with no change in behaviour. Cannot ping it, cannot ssh or run ASDM on it. The relevant commands are as follows.

management-access inside

ssh 10.1.0.0 255.255.248.0 inside

http 10.1.0.0 255.255.248.0 inside

We have other ssh and http commands for the networks at the site and access is fine from there.

Anyone run into this before? I recall having this issue elsewhere once and for some reason it magically started working, but am unsure why.

Thanks.

1 Accepted Solution

Regardless of the default route, I would suggest adding the route-lookup keyword and then test.

I have seen the same results where one ASA grants access to the management-access inside IP and another (same model) required route-lookup. Not entirely sure why it is required on one but not the other, but it solved the issue for me.
--
Please remember to select a correct answer and rate helpful posts

4 Replies

Do you have a twice NAT / NAT exempt statement for the 10.1.0.0/21 subnet? If yes, do you have a route-lookup statement added to the end of this configuration?

--
Please remember to select a correct answer and rate helpful posts

There is a twice nat, otherwise I would not be able to access the remote switch on the same subnet. Sw 192.168.253.1 and ASA 192.168.253.2.

I do not have a route-lookup. Neither end has a route lookup on the twice nat. They both follow the default route to reach each other.

I can access the management interface of the head end from the remote site. But not the remote site from the head end.

Both are 5506, remote is 9.6(4)10, head end 9.8(1).

Saw some old bugs about this but fixed in much older code.

Regards

I added route-lookup to both ends of the tunnel. It now works. Thank you.
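The accepted solution spelled out as ASA configuration, as an added example rather than either poster's own config. The 10.1.0.0/21 prefix and the management-access, ssh and http lines come from the thread; the object names, the interface name outside, the /30 network (192.168.253.0/30, derived from the .1 and .2 addresses above) and the sample host 10.1.0.10 are assumptions.

```cisco
! Remote-office ASA (inside = 192.168.253.2). Added example; object
! names, the "outside" interface name and the /30 network are assumed.
object network REMOTE-LINK
 subnet 192.168.253.0 255.255.255.252
object network HQ-LAN
 subnet 10.1.0.0 255.255.248.0
!
! Management lines as posted in the question.
management-access inside
ssh 10.1.0.0 255.255.248.0 inside
http 10.1.0.0 255.255.248.0 inside
!
! Identity (twice) NAT exemption for the VPN traffic as the thread
! describes it: no route-lookup, so for identity NAT the ASA derives the
! egress interface from the NAT rule instead of from the routing table.
nat (inside,outside) source static REMOTE-LINK REMOTE-LINK destination static HQ-LAN HQ-LAN
!
! Accepted solution: replace it with the same rule plus route-lookup,
! so the egress interface is chosen by a route lookup.
no nat (inside,outside) source static REMOTE-LINK REMOTE-LINK destination static HQ-LAN HQ-LAN
nat (inside,outside) source static REMOTE-LINK REMOTE-LINK destination static HQ-LAN HQ-LAN route-lookup
!
! Head-office ASA (assumes the same two objects are defined there): the
! mirror rule, also with route-lookup, since the thread reports it was
! needed on both ends.
nat (inside,outside) source static HQ-LAN HQ-LAN destination static REMOTE-LINK REMOTE-LINK route-lookup
!
! Checks on the remote ASA: confirm the rule took effect, then trace a
! ping from a sample head-office host (10.1.0.10, constructed) arriving on
! outside and destined to the ASA's own inside address.
show nat detail
packet-tracer input outside icmp 10.1.0.10 8 0 192.168.253.2
```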
