05-22-2012 08:57 AM - edited 03-11-2019 04:09 PM
Hi,
I have a remote ASA5505 running 8.4(3) with a working site 2 site VPN tunnel to my main office. (The main office is running an ASA 5510 with OS 8.4.3 as well). The encryption domain is all private IP on main site vs. 172.16.10.0/23 on remote site.
Relevant config of the remote ASA:
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.10.254 255.255.254.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248

aaa-server management protocol tacacs+
 accounting-mode simultaneous
aaa-server management (inside) host 172.17.0.31
 key *****
aaa-server management (inside) host 172.17.0.32
 key *****

ssh 0.0.0.0 0.0.0.0 inside
ssh x.x.x.x y.y.y.y outside (our main site's public IP)
http server enable
http 0.0.0.0 0.0.0.0 inside
http x.x.x.x y.y.y.y outside (our main site's public IP)
management-access inside
The VPN tunnel is working perfectly and I can ping devices in the 172.16.10.0/23 local subnet through it from my management station.
I however cannot manage or ping the ASA through the VPN tunnel on the inside interface from my management station.
When I try this, the syslog on the ASA shows the incoming management connection (either port 443 for ASDM or port 22 for SSH) from my management station's IP to the inside IP of the ASA (all VPN tunnel traffic is exempted from NAT) and after 30 seconds, the syslog shows a SYN timeout. For some reason it looks like the ASA is not responding on its inside interface.
I can manage the ASA on the outside interface (outside of the site 2 site VPN) using the TACACS credentials.
I can also ping my management station from the ASA using the inside interface, but as stated, the other way around does not work.
I have not yet tested if management from the local 172.16.10.0/23 subnet works, but I will try this next.
05-22-2012 08:58 AM
Add the route-lookup command at the end of your nat statement for the VPN connection.
Kind Regards,
Kevin
**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.
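As an added illustration of Kevin's fix (this is not config from the original posts): the identity NAT rule the remote ASA needs, shown without and then with route-lookup. The object names and the main-site subnet are assumed placeholders; the remote subnet and the inside address are the ones from the question.

```cisco
! Added example, not from the original thread.
! Object names are assumed; the main-site subnet below is a placeholder for
! "all private IP on main site"; the remote subnet is from the question.
object network REMOTE-LAN
 subnet 172.16.10.0 255.255.254.0
object network MAIN-SITE-LANS
 subnet 10.0.0.0 255.0.0.0

! Before: identity NAT that exempts the site-to-site traffic from NAT.
! On the OP's 8.4(3) the ASA picks the egress interface from the rule's
! (inside,outside) interface pair instead of from the routing table, so a
! packet arriving over the tunnel for the ASA's own inside address
! 172.16.10.254 is pushed toward the inside interface rather than being
! handed to the management plane, which matches the SYN timeout in syslog.
nat (inside,outside) source static REMOTE-LAN REMOTE-LAN destination static MAIN-SITE-LANS MAIN-SITE-LANS

! After: route-lookup makes the ASA consult the routing table for the egress
! interface, so traffic to 172.16.10.254 is recognised as destined for the
! ASA itself and SSH/ASDM on the inside interface answer through the tunnel.
nat (inside,outside) source static REMOTE-LAN REMOTE-LAN destination static MAIN-SITE-LANS MAIN-SITE-LANS route-lookup

! Checks: confirm the keyword is in the active rule and watch the hit counters.
show running-config nat
show nat detail
```

The ASDM checkbox mentioned later in the thread ("Lookup route table to locate egress interface") sets this same keyword on the rule.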
05-22-2012 09:05 AM
This indeed fixed the problem. Thank you very much.
Is this a new feature in the 8.4(3) release?
I have firewalls running 8.4(1) where this addition does not seem to be needed.
Edit: Found my own answer in this post:
http://packetpushers.net/understanding-when-a-cisco-asa-nat-rule-can-override-the-asa-routing-table/
05-22-2012 11:52 AM
Always happy to help, and I'm glad that you've found that link; it is very informative.
Kind Regards,
Kevin
**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.
05-23-2012 12:26 AM
I still had a question remaining after reading completely through that blog post:
- If I had had an additional network on my remote site (added to the VPN tunnel and to the NAT rule) that was not directly attached to the ASA's inside.
Would this mean that none of the hosts on that network would have been reachable through the tunnel without the route-lookup directive? Since the ASA does not do a route lookup, it would not know the router to which this traffic needs to be sent, right?
In other words: does the ASA basically spit out the packet on L2 on the interface described in the Identity NAT rule (apparently without even checking if the traffic is destined for that interface itself)?
06-27-2012 03:24 PM
>Add the route-lookup command at the end of your nat statement for the VPN connection.
How does one "Add the route-lookup command at the end" using ASDM?
I see the NAT rule created by the "AnyConnect VPN Wizard".
I'm new to the 5505 and Cisco and have the exact same problem, with not being able to manage the 5505 connected through a VPN tunnel from a remote PC with the AnyConnect VPN Client (no split tunneling). I also can't get traffic through the 5505 to the outside as when physically located behind the 5505.
The version numbers are: ASDM 6.4(9) - ASA 8.4(4)1
/Bo
07-09-2013 05:21 AM
When you edit any of the NAT rules from ASDM, click on the option "Lookup route table to locate egress interface".
11-20-2014 11:25 PM
Thank you, I had the same issue.
06-28-2018 12:43 PM
Thank you so much. This helps me too.
-tn
08-14-2018 08:24 AM
Thanks. The tip to add the route-lookup on the NAT rule to access the inside interface is not intuitive and is very hard to find on the Internet.
10-22-2019 04:07 AM
Just came to say, thank you.
08-12-2014 02:45 AM
Brilliant, thank you. I had this problem this week as well.
Cisco ASA 5500 - Remote Management via VPN
Pete
07-06-2021 12:39 PM
Same issue, no Identity NAT (due to network overlap) so I can't use route-lookup. All the IPs in the LAN behind inside work, just the IP of the interface doesn't. Any idea?