05-16-2017 05:56 AM - edited 03-12-2019 02:22 AM
Sorry for such a rookie question. Kinda new at ASAs. I'm doing some basic configurations on an ASA that I'm getting remote access to. The ASA's management interface is connected to a 10.10.10.0/24 network and I'm coming in on a VPN connection with a 10.10.20.0/24 address.
I've configured the interface.
interface Management0/0
management-only
nameif management
security-level 100
ip address 10.10.10.10 255.255.255.0
I'm confused on the routing piece to allow traffic from vpn subnet to the management interface. I'm sure it's something really simple.
05-16-2017 07:22 AM
http 10.10.20.0 255.255.255.0 management
ssh 10.10.20.0 255.255.255.0 management
telnet 10.10.20.0 255.255.255.0 management
management-access management
You also need to allow the traffic in the ACL that is used for the VPN to define interesting traffic on both ends.
Can you post the VPN config so that I can assist you in making the changes to the ACL?
05-16-2017 10:20 AM
Thanks for the assistance!
The VPN configuration is on another firewall giving me access to the 10.10.10.0 network. When I do an ipconfig /all from the laptop with the VPN running, my VPN virtual adapter gives me an address on the 10.10.20.0 network. I'm assuming a route needs to be created for this to work.
05-17-2017 08:38 AM
Just checking to see if you have any further suggestions on this. Still can't quite figure out how to get access to that management interface. Thanks again for your suggestions.
05-17-2017 07:30 PM
It is most likely lack of a route on the ASA whose management interface you are trying to access. In most versions of ASA software (anything prior to 9.6) there is only a single routing table. If you have devices trying to access the management interface from anywhere not directly connected, the ASA will use that global routing table to determine the correct egress interface. It does not allow traffic to ingress on management and egress via a different interface.
Can you share the "show route" output from your ASA whose management interface you are trying to access?
05-18-2017 05:21 AM
05-18-2017 08:26 AM
The ASA would need a route to the 10.10.20.0 subnet where your VPN client's traffic originates from. If there's no other reason that ASA needs to reach that subnet it is fine to just add one thus:
route management 10.10.20.0 255.255.255.0 <gateway address>
If there are other reasons (besides management) why traffic through that ASA may need to reach that subnet then you need a more advanced solution that we can discuss if that is the case.
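To make the point in the two replies above concrete (the ASA picks the egress interface for the reply from its single global routing table, and a static route via the management interface fixes the asymmetric path), here is a small checker. It is an added example written for this thread, not code from the original posts or from Cisco. It parses constructed "show route" text, performs the longest-prefix match the ASA would do for the VPN client address, and reports whether the reply would leave via the management interface; the 10.10.10.1 gateway and the 192.0.2.0/24 outside network are assumed placeholders.

```python
"""Check whether an ASA's global routing table would send replies to a
VPN client subnet out of the management interface.

Added example for this thread, not code from the original posts or from
Cisco. The 'show route' text below is constructed; 10.10.10.1 is an assumed
placeholder for the management-side gateway.
"""
import ipaddress
import re

# Constructed output in the ASA 'show route' layout, before any fix:
# the only match for 10.10.20.0/24 is the default route out 'outside'.
SHOW_ROUTE_BEFORE = """\
Codes: L - local, C - connected, S - static
Gateway of last resort is 192.0.2.1 to network 0.0.0.0

S*       0.0.0.0 0.0.0.0 [1/0] via 192.0.2.1, outside
C        10.10.10.0 255.255.255.0 is directly connected, management
L        10.10.10.10 255.255.255.255 is directly connected, management
C        192.0.2.0 255.255.255.0 is directly connected, outside
"""

# Same table after 'route management 10.10.20.0 255.255.255.0 10.10.10.1'.
SHOW_ROUTE_AFTER = SHOW_ROUTE_BEFORE + (
    "S        10.10.20.0 255.255.255.0 [1/0] via 10.10.10.1, management\n"
)

# One route line: code, network, mask, then either "[ad/metric] via <nh>,"
# or "is directly connected,", then the interface name.
ROUTE_RE = re.compile(
    r"^\S+\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?:\[\d+/\d+\]\s+via\s+(?P<nh>\d+\.\d+\.\d+\.\d+),|is directly connected,)"
    r"\s+(?P<iface>\S+)\s*$",
    re.MULTILINE,
)


def parse_show_route(text):
    """Return a list of (network, next_hop_or_None, interface) tuples."""
    routes = []
    for m in ROUTE_RE.finditer(text):
        net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
        routes.append((net, m["nh"], m["iface"]))
    return routes


def egress_interface(routes, address):
    """Longest-prefix match over the single global table (pre-9.5 behaviour:
    no separate management routing table)."""
    addr = ipaddress.ip_address(address)
    best = None
    for net, nh, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh, iface)
    return best[2] if best else None


def management_path_ok(routes, client_address, mgmt_iface="management"):
    """True only if the reply to the client would leave via mgmt_iface.
    Traffic that enters on management but would exit elsewhere is dropped."""
    return egress_interface(routes, client_address) == mgmt_iface


def route_statement(iface, subnet, gateway):
    """Build the static route line that pins the client subnet to iface."""
    net = ipaddress.ip_network(subnet)
    return f"route {iface} {net.network_address} {net.netmask} {gateway}"


if __name__ == "__main__":
    client = "10.10.20.5"  # constructed VPN client address
    for label, text in (("before", SHOW_ROUTE_BEFORE), ("after", SHOW_ROUTE_AFTER)):
        routes = parse_show_route(text)
        print(f"{label}: reply to {client} leaves via {egress_interface(routes, client)}, "
              f"management reachable: {management_path_ok(routes, client)}")
    print("fix:", route_statement("management", "10.10.20.0/24", "10.10.10.1"))
```

Paste your own "show route" output in place of the constructed text to see which interface the ASA would choose for your client address; if it is anything other than management, that is the symptom described above and the generated route statement (with the real management-side gateway) is the candidate fix.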
05-18-2017 10:26 AM
I actually tried this already and it didn't work. I'm assuming what they are telling me is that the gateway of the non-production environment is incorrect, because I've never been able to web to the interface with that route in place.
05-18-2017 09:04 PM
If you cannot get the routing for the management interface fixed, you will either have to
1. use another interface for management or
2. run ASA 9.5(1) or later with the ability to use a separate management routing table. Reference:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/route-overview.html#reference_F02E984EE51F49F5B979DE3ED9239EEE