10-21-2020 12:54 PM
Hi,
I'm trying to connect via SSH or HTTPS to a Cisco ASA. We need to manage the firewall through the AnyConnect VPN. I'm able to connect to any device in the network, but not the firewall.
If I try to connect to the management port via VPN, I receive this error:
Through-the-device packet to/from management-only network is denied: tcp src outside:x.x.x.x/51689(LOCAL\admin) dst management:x.x.x.x/22
I tried configuring another port for management with management-access mgmt2 and enabling SSH and HTTPS on that port; it is routed to a switch. So I connect to the firewall over VPN, pass through the device and come back to the firewall. But it didn't work...
I receive these errors (I checked all the firewall rules and NAT, and everything seems OK):
Routing failed to locate next hop for TCP from outside:x.x.x.x/51709 to mgmt2:x.x.x.x/8443
Built inbound TCP connection 33917206 for outside:x.x.x.x/51711 (x.x.x.x/51711)(LOCAL\admin) to mgmt2:x.x.x.x/8443 (x.x.x.x/8443) (admin)
Teardown TCP connection 33917206 for outside:x.x.x.x/51711(LOCAL\admin) to mgmt2:x.x.x.x/8443 duration 0:00:15 bytes 0 No valid adjacency (admin)
Thanks,
10-21-2020 01:09 PM
10-21-2020 01:12 PM
This is already in my configuration:
management-access mgmt2
mgmt2 is an internal interface, 10.160.223.250
10-21-2020 02:47 PM
Do this:
management-access inside
same-security-traffic permit intra-interface
Try this and let me know the result.
10-22-2020 04:48 AM
These commands are already there, and it's not working.
10-21-2020 03:18 PM
What do you mean "...this is routed to a switch..."?
Did you make sure NAT exemption is applied for the traffic between the management interface and the AnyConnect client pool?
10-22-2020 04:57 AM
Yes, the NAT exemption is there.
I connect via VPN to the public IP. I have multiple interfaces on the firewall: a port channel on the interface, connected to a switch. For example, VLAN 500 is outside and VLAN 400 is mgmt2, which is my "inside interface"; this passes through a switch.
10-22-2020 05:21 AM
Can you please post the sanitized configs for review?
10-22-2020 05:28 AM
The two commands above are there, that's OK, but are you sure management is pointing to the input and not to the management interface?
Now use route-lookup in the NAT.
10-22-2020 04:57 AM
Things to check:
1. Make sure that your AnyConnect subnet is included in the ssh and http commands, for example: ssh 1.1.1.0 255.255.255.0 mgmt2
2. If you are using split tunneling, make sure that the mgmt2 subnet is included in the split-tunnel ACL.
3. If you are using a vpn-filter, make sure there is no vpn-filter ACL blocking this traffic in your AnyConnect configuration.
4. Make sure that you have a twice NAT / NAT exempt statement for the management traffic.
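The checklist above, collected into one ASA configuration fragment as an added example; this is not configuration posted by anyone in the thread. It assumes an inside data interface named mgmt2 on VLAN 400 of a port channel (the 10.160.223.250 address is the one given in the thread; the /24 mask is assumed), an AnyConnect pool of 192.168.50.0/24, the object, ACL and group-policy names shown, and HTTPS on port 8443 as in the logs. The first log line in the thread refers to the dedicated management interface, which does not pass through-the-device traffic while management-only is set, so the example targets the data interface mgmt2 instead, as the thread does.

```text
! Inside interface on the port-channel subinterface (names and mask assumed)
interface Port-channel1.400
 vlan 400
 nameif mgmt2
 security-level 100
 ip address 10.160.223.250 255.255.255.0
!
! AnyConnect address pool (assumed range)
ip local pool ANYCONNECT_POOL 192.168.50.1-192.168.50.100 mask 255.255.255.0
!
! Allow VPN traffic to hairpin back out of the interface it arrived on,
! and let the ASA terminate management sessions on mgmt2 for VPN users
same-security-traffic permit intra-interface
management-access mgmt2
!
! Item 4: NAT exemption (twice NAT) between mgmt2 and the AnyConnect pool;
! route-lookup makes the ASA route the reply instead of using the NAT interface
object network OBJ_MGMT2_NET
 subnet 10.160.223.0 255.255.255.0
object network OBJ_ANYCONNECT_POOL
 subnet 192.168.50.0 255.255.255.0
nat (mgmt2,outside) source static OBJ_MGMT2_NET OBJ_MGMT2_NET destination static OBJ_ANYCONNECT_POOL OBJ_ANYCONNECT_POOL no-proxy-arp route-lookup
!
! Item 2: split-tunnel ACL must carry the mgmt2 subnet
access-list SPLIT_TUNNEL standard permit 10.160.223.0 255.255.255.0
!
! Item 3: no vpn-filter on the group policy (or an explicit filter that permits
! tcp/22 and tcp/8443 to 10.160.223.250)
group-policy GP_ANYCONNECT attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
 vpn-filter none
!
! Item 1: management access lists must name the pool subnet AND the mgmt2 interface
ssh 192.168.50.0 255.255.255.0 mgmt2
http server enable 8443
http 192.168.50.0 255.255.255.0 mgmt2
```

A quick way to confirm each item once this is in place: `show run management-access`, `show run ssh`, `show run http`, `show nat detail` (hits on the exempt rule) and `packet-tracer input outside tcp 192.168.50.5 51689 10.160.223.250 22` from the ASA CLI, which walks the same NAT and routing phases that produced the "Routing failed to locate next hop" and "No valid adjacency" messages in the thread.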