
remote access to manage the firewall not working

choclateer
Level 1

I cannot connect ASDM remotely; it works fine on the management port. I can't SSH remotely to the ASA either.

I have an L2L IPSEC VPN with a SonicWall working to subnet 192.168.1.0. It connects on the outside interface.

I have SSL AnyConnect VPN working. Remote users connect their browsers to the outside interface, click on AnyConnect and are directed to their subnet by a bookmark.

I can connect to the outside interface with an IPSEC VPN client and then use SSH to manage my switches in the DMZ and the inside.

I can locally manage the firewall by browsing when directly connected to the management interface. (Console works too.)

But I cannot remotely manage the ASA itself! My config is attached. Any help will be appreciated!

1 Accepted Solution

mirober2
Cisco Employee

Hello,

Since you have the 'management-access inside' command configured, you'll need to connect to the inside interface IP when accessing the device across a VPN, rather than the outside IP. However, you're also running into the following bug in 8.4(2):

CSCtr16184 - To-the-box traffic fails from hosts over vpn after upgrade to 8.4.2

To fix it, you should add the 'route-lookup' keyword to the end of the following NAT rules (anything that overlaps with your inside interface subnet):

nat (inside,any) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp route-lookup

nat (inside,any) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-172.16.32.0 obj-172.16.32.0 no-proxy-arp route-lookup

nat (inside,any) source static DM_INLINE_NETWORK_2 DM_INLINE_NETWORK_2 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp route-lookup

Hope that helps.

-Mike


4 Replies


Thanks for your help!

I do want to remotely administer this ASA. So do I need to change the 'management-access inside' line to say 'outside'? That should give me ASDM access. There's no conflict with all the other VPNs happening at the same time is there?

What about SSH, will it work also?

You should leave 'management-access inside' enabled for your VPN clients. When you are connected via VPN, you should SSH or ASDM to the inside interface IP. If you are on the Internet and not coming over a tunnel, you should connect to the outside interface IP. Just make sure that your 'ssh' or 'http' statements allow your source IP address and you should be fine.

-Mike
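The two conditions Mike spells out across his replies (identity twice-NAT rules that overlap the management interface's subnet need 'route-lookup' on 8.4(2), and the 'management-access', 'ssh' and 'http' statements must cover the address a VPN client arrives from) can be checked mechanically against a running-config. The script below is an added example written for this page, not code from Cisco or from anyone in the thread. The embedded config is constructed for the example: the interface address, the object definitions and the VPN client address are assumptions, not the poster's attached config. It resolves only 'object network' subnet/host objects; a rule that references an object-group (ASDM's DM_INLINE_NETWORK_* names, for instance) is skipped rather than guessed at, and the script checks the stated conditions, not the bug itself.

```python
"""Audit an ASA 8.4 running-config for the VPN management-access pitfalls
discussed in this thread: 'management-access <nameif>' must be present,
identity twice-NAT rules overlapping that interface's subnet need
'route-lookup' (the CSCtr16184 workaround), and 'ssh' / 'http' must
permit the VPN client's source address on that interface.
The sample config below is constructed for this example; its addresses
and object names are assumptions, not the poster's real configuration."""
import ipaddress
import re

SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 172.16.0.1 255.255.0.0
object network obj-172.16.0.0
 subnet 172.16.0.0 255.255.0.0
object network obj-192.168.1.0
 subnet 192.168.1.0 255.255.255.0
object network obj-172.16.32.0
 subnet 172.16.32.0 255.255.255.0
nat (inside,any) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-192.168.1.0 obj-192.168.1.0 no-proxy-arp
nat (inside,any) source static obj-172.16.0.0 obj-172.16.0.0 destination static obj-172.16.32.0 obj-172.16.32.0 no-proxy-arp route-lookup
management-access inside
http server enable
http 172.16.32.0 255.255.255.0 inside
ssh 172.16.0.0 255.255.0.0 inside
"""

_OBJECT_RE = re.compile(r"^object network (\S+)$")
_SUBNET_RE = re.compile(r"^ subnet (\S+) (\S+)$")
_HOST_RE = re.compile(r"^ host (\S+)$")
_NAT_RE = re.compile(
    r"^nat \((?P<ingress>[^,]+),(?P<egress>[^)]+)\) source static "
    r"(?P<src_real>\S+) (?P<src_mapped>\S+)"
    r"(?: destination static (?P<dst_real>\S+) (?P<dst_mapped>\S+))?"
    r"(?P<tail>.*)$"
)
# 'ssh A M nameif' / 'http A M nameif'; 'http server enable' has only 3 tokens and is ignored.
_MGMT_ACL_RE = re.compile(r"^(?P<proto>ssh|http) (?P<addr>\S+) (?P<mask>\S+) (?P<nameif>\S+)$")


def parse_objects(cfg):
    """Map 'object network' names to ip_network values (subnet/host objects only)."""
    objects, current = {}, None
    for line in cfg.splitlines():
        m = _OBJECT_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = _SUBNET_RE.match(line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            continue
        m = _HOST_RE.match(line)
        if m and current:
            objects[current] = ipaddress.ip_network(f"{m.group(1)}/32")
    return objects


def interface_subnet(cfg, nameif):
    """Return the connected subnet of the interface whose nameif matches, else None."""
    in_iface, wanted = False, False
    for line in cfg.splitlines():
        if line.startswith("interface "):
            in_iface, wanted = True, False
        elif in_iface and line.strip() == f"nameif {nameif}":
            wanted = True
        elif in_iface and wanted and line.strip().startswith("ip address "):
            _, _, addr, mask = line.split()[:4]
            return ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        elif not line.startswith(" "):
            in_iface = False
    return None


def nat_rules_needing_route_lookup(cfg, nameif):
    """Identity twice-NAT rules whose real source or destination overlaps the
    management interface subnet and that lack 'route-lookup'.
    Returns (original_line, corrected_line) pairs."""
    objects = parse_objects(cfg)
    mgmt_net = interface_subnet(cfg, nameif)
    if mgmt_net is None:
        raise ValueError(f"no interface with nameif {nameif!r}")
    findings = []
    for line in cfg.splitlines():
        m = _NAT_RE.match(line)
        if not m:
            continue
        g = m.groupdict()
        identity = g["src_real"] == g["src_mapped"] and (
            g["dst_real"] is None or g["dst_real"] == g["dst_mapped"])
        nets = [objects.get(g["src_real"]), objects.get(g["dst_real"])]
        overlaps = any(n is not None and n.overlaps(mgmt_net) for n in nets)
        if identity and overlaps and "route-lookup" not in g["tail"].split():
            findings.append((line, line + " route-lookup"))
    return findings


def management_access_checks(cfg, nameif, client_ip):
    """Is 'management-access <nameif>' present, and do the ssh/http statements on
    that interface permit client_ip (e.g. an address from the VPN pool)?"""
    client = ipaddress.ip_address(client_ip)
    result = {"management-access": False, "ssh": False, "http": False}
    for line in cfg.splitlines():
        if line == f"management-access {nameif}":
            result["management-access"] = True
            continue
        m = _MGMT_ACL_RE.match(line)
        if m and m.group("nameif") == nameif:
            net = ipaddress.ip_network(f"{m.group('addr')}/{m.group('mask')}", strict=False)
            if client in net:
                result[m.group("proto")] = True
    return result


if __name__ == "__main__":
    for orig, fixed in nat_rules_needing_route_lookup(SAMPLE_CONFIG, "inside"):
        print("missing route-lookup:", orig)
        print("         use instead:", fixed)
    print(management_access_checks(SAMPLE_CONFIG, "inside", "172.16.32.10"))
```

Feed it the output of 'show running-config' in place of SAMPLE_CONFIG and the VPN pool address you actually connect from; a rule that is reported is corrected simply by re-entering it with 'route-lookup' appended, as Mike's answer shows.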
