08-15-2016 11:58 PM - edited 03-12-2019 01:07 AM
Hi Guys,
Cisco ASA 9.1
I have created a new VPN tunnel solely for management of network devices. There are 3 interfaces on the ASA:
outside
Inside
Management
There are devices that connect off the Inside interface and I can connect to them just fine.
I cannot, however, connect to the ASA itself on the management interface, or to another device which is on the management interface (same subnet).
The SA shows packets are being decrypted, however packet capture on the management interface shows no traffic leaving the interface.
I am aware of the "route lookup" command; however, I am not running any NAT on the firewall. I even tried adding a no-NAT rule anyway, but it did not make a difference.
Here is config snippet:
ssh 192.168.1.0 255.255.255.0 management
management-access management
interface Management0/0
speed 100
duplex full
management-only
nameif management
security-level 100
ip address 10.0.0.1 255.255.255.0
There is no acl on the outside interface or management interface
As I say, access to the Inside network works fine. I suspect the "management-only" command: is it possible that it will not route traffic out? I have never used this command before, so I am not sure what it does, and it seems to affect access to devices via this interface.
08-17-2016 04:23 AM
Please rate helpful posts and mark correct answers.
08-17-2016 03:17 PM
Thanks, yep, I ended up using the Inside interface on the ASA to pass the traffic through and that worked fine.
For anyone else reading this, the management-only command will indeed allow you to connect to it directly, but it will not allow transient traffic through.
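The conclusion above (a management-only interface accepts traffic to the ASA itself but forwards no transit traffic) can be turned into a quick config check before a VPN is pointed at a management subnet. This is an added example, not code from the thread or from Cisco: it parses the Management0/0 block quoted in the original post plus an assumed Inside interface, then classifies a decrypted-VPN destination address against the interface it would be forwarded onto.

```python
import ipaddress

# Constructed sample: the Management0/0 block quoted in the thread plus an
# assumed Inside interface (not from the original post) so both cases appear.
ASA_CONFIG = """\
interface GigabitEthernet0/1
 nameif Inside
 security-level 100
 ip address 192.168.10.1 255.255.255.0
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.0.0.1 255.255.255.0
"""

def parse_interfaces(config):
    """Split an ASA config into interface records: nameif, address, subnet, management-only flag."""
    records, cur = [], None
    for line in config.splitlines():
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "interface" and not line.startswith(" "):
            cur = {"nameif": None, "addr": None, "net": None, "management_only": False}
            records.append(cur)
        elif cur is None:
            continue  # lines before the first interface block are ignored
        elif tok[0] == "nameif":
            cur["nameif"] = tok[1]
        elif tok[0] == "management-only":
            cur["management_only"] = True
        elif tok[:2] == ["ip", "address"] and len(tok) >= 4:
            cur["addr"] = ipaddress.ip_address(tok[2])
            cur["net"] = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
    return records

def classify_vpn_destination(config, dest):
    """Return (nameif, verdict) for a decrypted VPN packet addressed to 'dest'.
    Encodes the thread's conclusion: management-only accepts traffic to the ASA
    itself ("to-asa") but drops traffic that would transit to another host."""
    dest = ipaddress.ip_address(dest)
    for rec in parse_interfaces(config):
        if rec["net"] is None or dest not in rec["net"]:
            continue
        if dest == rec["addr"]:
            return rec["nameif"], "to-asa"
        if rec["management_only"]:
            return rec["nameif"], "transit-dropped"
        return rec["nameif"], "transit-ok"
    return None, "no-connected-interface"
```

Running classify_vpn_destination(ASA_CONFIG, "10.0.0.50") reports the management interface as "transit-dropped", which is the symptom in the original post: the SA decrypts the packets, but nothing leaves the management interface.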