management-access inside without IPSec

2phase1081 · ‎01-11-2014

hi community!

i have an ASA with 9.1(1) which is accessed on its inside interface (from outside) via "management-access inside" command. after upgrade to 9.1(3) this stops working.

ADMIN outside ASA inside

interface ___ interface

172.16.1.5 10.1.1.1 |___| 192.168.1.1

SSH/ASDM from 172.16.1.5 to 192.168.1.1

there is no IPSec configured, just plain routing. is it a bug in 9.1(3) version or is it feature that management-access inside is not working anymore?

thanks and best regards

mario

Jouni Forss · ‎01-12-2014

Hi,

To my understanding you should never be able to connect to the ASA interface behind another interface unless VPN connection and "management-access" command are involved.

I do remember one other thread where the user said that this was done.

But this is something that should not work so I am not sure why it has worked for you. I wouldn't expect that you can get it working as is not something that supposed to be supported. I am not sure what kind of configuration you have used if this has worked in the first place.

Then again, I am wondering why you are not using the external interface directly to connect to the ASA rathter than connecting to some other interface? I mean there must be some NAT involved if this device is on the edge of public/private networks?

- Jouni

2phase1081 · ‎01-16-2014

hi,

thanks for your reply.

behind that firewall there are serveral other firewalls all connected with each other via one single /24 transit network. the idea was to access all firewalls via their addresses in this transit network (naming conventions...). this was done because it worked with management-access inside at 9.1(1) with no issues.

now i want to find out why it doesn't after upgrading to 9.1(3) with no config change. is the bug in 9.1(1) or in 9.1(3)?

mario