How to manage (ssh/https) a cisco asa from vpn anyconnect

schnap
Level 1

Hi, 

Trying to connect via SSH or HTTPS to a Cisco ASA. We need to manage the firewall through the AnyConnect VPN. I'm able to connect to any device in the network but not the firewall.

 

If I try to connect to the management port via vpn I receive this error: 

Through-the-device packet to/from management-only network is denied: tcp src outside:x.x.x.x/51689(LOCAL\admin) dst management:x.x.x.x/22

 

I tried to configure another port for management with management-access mgmt2 and enabled SSH and HTTPS on this port; this port is routed to a switch. So I connect to the firewall via VPN, then pass through the device and come back to the firewall. But it didn't work....

I receive these errors... (I checked all the firewall rules and NAT and everything seems ok)

Routing failed to locate next hop for TCP from outside:x.x.x.x/51709 to mgmt2:x.x.x.x/8443

Built inbound TCP connection 33917206 for outside:x.x.x.x/51711 (x.x.x.x/51711)(LOCAL\admin) to mgmt2:x.x.x.x/8443 (x.x.x.x/8443) (admin)

Teardown TCP connection 33917206 for outside:x.x.x.x/51711(LOCAL\admin) to mgmt2:x.x.x.x/8443 duration 0:00:15 bytes 0 No valid adjacency (admin)

 

Thanks,


9 Replies

Hi @schnap 

You will need to configure the command management-access interface-name

 

Reference here:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/general/asa-98-general-config/admin-management.html

This is already in my configuration: 

 

management-access mgmt2

 

mgmt2 is an internal interface 10.160.223.250

 

 

do this 

management-access inside

same-security-traffic permit intra-interface

Try this and let me know the result.

 

These commands are already there and it's not working 

EU UC Support
Level 4

What do you mean "...this is routed to a switch..."?

Did you make sure NAT exemption is applied for the traffic between the management interface and AnyConnect clients pool?

Yes, NAT exemption is there.

I connect via VPN to the public IP. I have multiple interfaces on the firewall: a port channel with subinterfaces, connected to a switch. For example, VLAN 500 is outside and VLAN 400 is mgmt2, which is my "inside interface"; this passes through a switch.

Can you please post the sanitized configs for review?

The above two commands are there, that's ok, but are you sure management is pointing to input and not to the management interface?

 

Now use route-lookup in NAT.

 

Things to check:

1. Make sure that your AnyConnect subnet is included in the ssh and http commands. For example: ssh 1.1.1.0 255.255.255.0 mgmt2

2. If you are using split tunneling, make sure that the mgmt2 subnet is included in the split-tunnel ACL.

3. If you are using a VPN filter, make sure there is no vpn-filter ACL blocking this traffic in your AnyConnect configuration.

4. Make sure that you have a twice NAT / NAT exempt statement for the management traffic.

--
Please remember to select a correct answer and rate helpful posts
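Pulling the checklist above together with the management-access, same-security-traffic and route-lookup advice earlier in the thread, here is one sanitized ASA 9.x configuration that covers all four points. This is an added example, not a config posted by anyone in the thread. The interface name mgmt2, its address 10.160.223.250 and the HTTPS port 8443 come from the thread; the Port-channel1.400 subinterface, the /24 mask on the mgmt2 network, the AnyConnect pool 10.10.10.0/24, and the object, ACL and group-policy names are assumptions. Note that the dedicated Management interface in the first error message is management-only, and management-only interfaces never accept through-the-device traffic, which is why a VPN client can only reach the ASA on a regular data interface that is named in management-access.

```cisco
! Constructed example configuration (not from the thread); addresses and names are assumed
interface Port-channel1.400
 vlan 400
 nameif mgmt2
 security-level 100
 ip address 10.160.223.250 255.255.255.0
!
! Objects for the mgmt2 subnet and the AnyConnect address pool (both assumed)
object network MGMT2-NET
 subnet 10.160.223.0 255.255.255.0
object network ANYCONNECT-POOL
 subnet 10.10.10.0 255.255.255.0
!
! Let VPN clients terminate SSH/HTTPS on mgmt2, and let traffic that enters
! and leaves via the same (outside) interface be hairpinned
management-access mgmt2
same-security-traffic permit intra-interface
!
! 1. The AnyConnect pool must be allowed by the ssh and http commands on mgmt2
ssh 10.10.10.0 255.255.255.0 mgmt2
http server enable 8443
http 10.10.10.0 255.255.255.0 mgmt2
!
! 2. With split tunneling, the mgmt2 subnet must be in the split-tunnel ACL
access-list SPLIT-TUNNEL standard permit 10.160.223.0 255.255.255.0
!
! 3. A vpn-filter is written from the VPN client's point of view (client = source);
!    if one is applied it must permit the management ports, otherwise omit it
access-list VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 10.160.223.0 255.255.255.0 eq 22
access-list VPN-FILTER extended permit tcp 10.10.10.0 255.255.255.0 10.160.223.0 255.255.255.0 eq 8443
!
group-policy ANYCONNECT-GP internal
group-policy ANYCONNECT-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 vpn-filter value VPN-FILTER
!
! 4. Twice NAT exemption between mgmt2 and the VPN pool; route-lookup makes the
!    ASA use the routing table for the egress interface instead of the interface
!    named in the rule, which avoids the "Routing failed to locate next hop" error
nat (mgmt2,outside) source static MGMT2-NET MGMT2-NET destination static ANYCONNECT-POOL ANYCONNECT-POOL no-proxy-arp route-lookup
```

After applying this, a VPN client in 10.10.10.0/24 connecting to 10.160.223.250:22 or :8443 should show a Built connection followed by data, rather than the zero-byte Teardown with "No valid adjacency" quoted in the question. If the connection still tears down, check the vpn-filter and NAT sections first, since those are the two places where a permit in one direction but not the other silently drops the return traffic.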