Can't access management interface via vpn connection

proffessor1979
Level 1

Hi all,

I can't seem to be able to manage my ASA 5510 when I connect via VPN. My ASA sits at a remote colo, and from my office I can connect fine. I have it configured as management-access (dmz), because as of now we are just doing some staging and all the servers are in the dmz interface.

When I connect with the VPN client, in the routes it sees 192.168.1.0 255.255.255.0, which is the management network/interface.

For some reason I can't get access to 192.168.1.1 to use the ASDM.

Here is how I did my VPN via CLI:

    isakmp enable outside
    isakmp identity address
    isakmp policy 10
    authentication pre-share
    encryption des
    hash md5
    group 2
    lifetime 86400
    ip local pool vpnpool 10.1.1.2-10.1.1.10
    access-list split_tunnel standard permit 192.168.200.0 255.255.255.0
    access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
    access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
    group-policy xxxxx internal
    group-policy xxxxx attributes
    dns value
    split-tunnel-policy tunnelspecified
    split-tunnel-network-list value split_tunnel
    username xxxxx password
    username xxxxxx attributes
    vpn-group-policy xxxx
    username xxxxxx password
    username xxxxxx attributes
    vpn-group-policy xxxx
    username xxxx password
    username xxxx attributes
    vpn-group-policy xxxx
    tunnel-group xxxx type ipsec-ra
    tunnel-group xxxx general-attributes
    address-pool vpnpool
    tunnel-group xxxx ipsec-attributes
    pre-shared-key
    access-list vpnra permit ip 192.168.200.0 255.255.255.0 10.1.1.0 255.255.255.0
    access-list vpnra permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0
    access-list vpnra permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
    nat (inside) 0 access-list vpnra
    nat (dmz) 0 access-list vpnra
    nat (management) 0 access-list vprna
    crypto ipsec transform-set md5des esp-des esp-md5-hmac
    crypto dynamic-map dynomap 10 set transform-set md5des
    crypto map vpnpeer 20 ipsec-isakmp dynamic dynomap
    crypto map vpnpeer interface outside

Any help would be much appreciated.

4 Replies

tkiel
Level 1

It seems like you are missing a line:

management-access "interface"

http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/m_711.html#wp1631964

No, I have that in there. See my first few lines. I configured management-access (dmz).

Still can't use ASDM through VPN. Could it be b/c split tunneling is enabled, or a binding issue? Not sure how to go about troubleshooting it.

Thanks for the reply.

Anyone? Still can't get access. It's very frustrating, as it seems like a simple thing yet it's not working.

Any luck on this? I have SSH access to the ASA when VPNing to that ASA, however, I cannot get to ASDM. I can get to ASDM from the inside. I do have my:

http 192.168.1.0 255.255.255.0 inside

management-access inside

Thanks!
