Enable management port ASA 5525?

alter-sol
Level 1

Sorry for such a rookie question. Kinda new at ASA's. I'm doing some basic configurations on an ASA that I'm getting remote access to. The ASA's management interface is connected to a 10.10.10.0/24 network and I'm coming in on a VPN connection with 10.10.20.0/24 address. 

I've configured the interface.

interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.10.10.10 255.255.255.0

I'm confused on the routing piece to allow traffic from vpn subnet to the management interface. I'm sure it's something really simple. 

8 Replies

http 10.10.20.0 255.255.255.0 management

ssh 10.10.20.0 255.255.255.0 management

telnet 10.10.20.0 255.255.255.0 management

management-access management

You also need to allow the traffic in the ACL that is used for the VPN to define interesting traffic on both ends.

Can you post the VPN config so that I can assist you with the changes in the ACL?

Spooster IT Services Team

Thanks for the assistance!

The VPN configuration is on another firewall giving me access to the 10.10.10.0 network. When I do an ipconfig /all from the laptop with the VPN running, my VPN virtual adapter gives me an address on the 10.10.20.0 network. I'm assuming a route needs to be created for this to work.

Just checking to see if you have any further suggestions on this. Still can't quite figure out how to get access to that management interface. Thanks again for your suggestions.

It is most likely lack of a route on the ASA whose management interface you are trying to access. In most versions of ASA software (anything prior to 9.6) there is only a single routing table. If you have devices trying to access the management interface from anywhere not directly connected, the ASA will use that global routing table to determine the correct egress interface. It does not allow traffic to ingress on management and egress via a different interface.

Can you share the "show route" output from your ASA whose management interface you are trying to access?

Gateway of last resort is not set
C        10.10.10.0 255.255.255.0 is directly connected, management
L        10.10.10.10 255.255.255.255 is directly connected, management

The ASA would need a route to the 10.10.20.0 subnet where your VPN client's traffic originates from. If there's no other reason that ASA needs to reach that subnet it is fine to just add one thus:

route management 10.10.20.0 255.255.255.0 <gateway address>

If there are other reasons (besides management) why traffic through that ASA may need to reach that subnet then you need a more advanced solution that we can discuss if that is the case.
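As an added illustration (not code from the thread or from Cisco), the following Python snippet models the single-routing-table behaviour described above: it parses the route lines of a "show route" output, does a longest-prefix lookup for the VPN client's address, and reports whether the reply to a session that arrived on the management interface would leave via the same interface. The gateway 10.10.10.1, the "outside" interface and the client address 10.10.20.5 are assumed sample values, and the three route tables are constructed for the example.

```python
import ipaddress
from typing import List, NamedTuple, Optional, Tuple


class Route(NamedTuple):
    network: ipaddress.IPv4Network
    interface: str
    gateway: Optional[str]


ROUTE_CODES = {"C", "L", "S", "S*"}  # connected, local, static, static default


def parse_show_route(text: str) -> List[Route]:
    """Parse the connected/local/static lines of ASA 'show route' output."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ROUTE_CODES:
            continue  # skip legend, "Gateway of last resort", blank lines
        net, mask = parts[1], parts[2]
        iface = parts[-1]  # interface name is always the last token
        gw = None
        if "via" in parts:  # "... [1/0] via 10.10.10.1, management"
            gw = parts[parts.index("via") + 1].rstrip(",")
        # strict=False so a /32 local route such as 10.10.10.10 parses too
        routes.append(Route(ipaddress.IPv4Network(f"{net}/{mask}", strict=False), iface, gw))
    return routes


def lookup(routes: List[Route], dst: str) -> Optional[Route]:
    """Longest-prefix match, as a single global routing table would do it."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen) if matches else None


def management_reply_path(routes: List[Route], client_ip: str,
                          ingress: str = "management") -> Tuple[str, Optional[str]]:
    """Classify the return path for a client that reached 'ingress'.

    'no-route'   : the ASA has no route back to the client at all
    'asymmetric' : the reply would egress a different interface, which the
                   ASA does not permit for a management-only interface
    'ok'         : the reply leaves via the interface the request came in on
    """
    route = lookup(routes, client_ip)
    if route is None:
        return ("no-route", None)
    if route.interface != ingress:
        return ("asymmetric", route.interface)
    return ("ok", route.interface)


# Constructed sample: the table exactly as posted in the thread.
SHOW_ROUTE_BEFORE = """\
Gateway of last resort is not set
C        10.10.10.0 255.255.255.0 is directly connected, management
L        10.10.10.10 255.255.255.255 is directly connected, management
"""

# Constructed sample: after 'route management 10.10.20.0 255.255.255.0 10.10.10.1'
# (10.10.10.1 is an assumed gateway address).
SHOW_ROUTE_AFTER = SHOW_ROUTE_BEFORE + \
    "S        10.10.20.0 255.255.255.0 [1/0] via 10.10.10.1, management\n"

# Constructed sample: only a default route via an assumed 'outside' interface,
# so the VPN subnet is reachable but via the wrong interface.
SHOW_ROUTE_DEFAULT_OUTSIDE = SHOW_ROUTE_BEFORE + \
    "S*       0.0.0.0 0.0.0.0 [1/0] via 192.0.2.1, outside\n"

if __name__ == "__main__":
    for label, table in (("before", SHOW_ROUTE_BEFORE),
                         ("after", SHOW_ROUTE_AFTER),
                         ("default via outside", SHOW_ROUTE_DEFAULT_OUTSIDE)):
        print(label, "->", management_reply_path(parse_show_route(table), "10.10.20.5"))
```

Run against the posted table the checker reports "no-route", which is why the SSH or HTTPS session from the 10.10.20.x client never completes; with the suggested static route it reports "ok". The third case shows the trap the earlier reply warns about: a default route pointing out another interface makes the client "reachable" on paper, but the management-only interface will not forward the reply out of a different interface, so the result is the same failure.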

I actually tried this already and it didn't work. I'm assuming what they are telling me is the gateway of the non-production environment is incorrect, because I've never been able to web to the interface with that route in place.

If you cannot get the routing for the management interface fixed, you will either have to

1. use another interface for management or

2. run ASA 9.5(1) or later with the ability to use a separate management routing table. Reference:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/route-overview.html#reference_F02E984EE51F49F5B979DE3ED9239EEE
