Unable to SSH/TELNET/HTTPS to Management interface from outside network

shaikk.mydeen
Level 1

I have an ASA 5585 with a single slot (no IPS). Simple network: the ASA Outside interface is connected to the Internet/WAN and the Inside interface to the LAN; ASA Management 0/0 is connected to the LAN access switch management VLAN.

 

I have allowed an any any policy for the management interface.

 

I am able to access the inside management VLAN segment from the outside network, except the ASA management interface.

 

In the ASA I have specifically mentioned the external segment IP for SSH, Telnet and HTTPS access:

ssh 10.51.x.x 255.255.X.X management

telnet 10.51.x.x 255.255.X.X management

https 10.51.x.x 255.255.X.X management


It looks as though you are trying to access the management interface from the 10.51.x.x network on the Internet/WAN. This will never work, as the ASA does not allow traffic to an interface on the ASA that is not the ingress interface. So to access mgmt0/0 for administrative purposes you will either need to access it from a device on the 10.55.10.x/24 network, or the traffic must be routed via the switch and then to the mgmt0/0 interface. To access mgmt0/0 from the Internet you would need to set up a RA VPN and add the command management-access management (replace management with the name you have given the interface). You would also need to add the command ssh x.x.x.x y.y.y.y management to allow traffic from the VPN IP pool.

 

Keep in mind that interface access lists, such as the any any you added to the management interface, do not affect "to the box" management traffic. This access list only affects traffic passing through the ASA.

--
Please remember to select a correct answer and rate helpful posts

Thanks Marius,

As you stated, "that the traffic is routed via the switch and then to the mgmt0/0 interface", what kind of route should be configured? When I tried to add the default gateway for the ASA Mgmt0/0 pointing to the L3 management VLAN interface of the switch, it didn't work.

 

Thanks

Sheik Mytheen M

In addition to that...

 

Please find the routes:

 

route outside 0.0.0.0 0.0.0.0 <default gate connected to outside interface>
route inside 10.55.0.0 255.255.0.0 10.55.1.2 (connected to inside interface)

 

As management is directly connected, route addition doesn't affect the packet flow.


My aim is, with the current setup, to access the management interface from the outside network.

Adding a route for the management network that points to the inside interface is pointless. A directly connected interface will always be preferred over a route, even if you set the administrative distance to 1.

 

It really depends on what you are trying to access on the management interface. If you are trying to manage the ASA via the mgmt interface from the outside network, then you must use a VPN; there really is no other way around this. On the other hand, if you have a jumpstation server on the inside network, you could set up a NAT in the ASA that goes to this jump host on port tcp/3389, then RDP to that server and manage the ASA from there.

--
Please remember to select a correct answer and rate helpful posts
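The behaviour Marius describes in the two replies above (a to-the-box session must arrive on the interface being managed, the interface ACL is never consulted for it, and a connected route beats a static route even at AD 1) modelled as a small Python check. This is an added example, not Cisco code or anything posted in the thread; the addresses, masks, interface names and the simplified match order are assumptions, and management-access over a VPN is deliberately left out of the model.

```python
import ipaddress

# Constructed routing table: (prefix, interface, administrative distance).
# A connected route has AD 0, so it always wins over a static route to the same prefix.
ROUTES = [
    (ipaddress.ip_network("0.0.0.0/0"), "outside", 1),
    (ipaddress.ip_network("10.55.0.0/16"), "inside", 1),
    (ipaddress.ip_network("10.55.10.0/24"), "management", 0),  # connected
]

# Constructed equivalents of the thread's "ssh <net> <mask> <interface>" lines.
SSH_ALLOW = [
    (ipaddress.ip_network("10.51.0.0/16"), "management"),
    (ipaddress.ip_network("10.55.10.0/24"), "management"),
]

def add_route(routes, prefix, interface, ad):
    """Return a copy of the table with an extra static route appended."""
    return routes + [(ipaddress.ip_network(prefix), interface, ad)]

def route_interface(ip, routes=ROUTES):
    """Longest-prefix match; ties go to the lowest administrative distance."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]

def ssh_allowed(src_ip, mgmt_interface, routes=ROUTES, allow=SSH_ALLOW):
    """Simplified to-the-box check (assumption: no management-access / VPN).

    The ASA only answers a management session on the interface it arrived on,
    and the arrival interface is the one it would use to reach the source.  A
    session whose return path is a different interface is dropped before the
    ssh statements are consulted, so an interface ACL cannot change the result.
    """
    ingress = route_interface(src_ip, routes)
    if ingress != mgmt_interface:
        return False, f"session for {mgmt_interface} arrived via {ingress}"
    addr = ipaddress.ip_address(src_ip)
    for net, iface in allow:
        if iface == mgmt_interface and addr in net:
            return True, f"matched: ssh {net.network_address} {net.netmask} {iface}"
    return False, f"no ssh statement covers {src_ip} on {mgmt_interface}"

if __name__ == "__main__":
    print(ssh_allowed("10.51.1.1", "management"))   # False: the thread's case
    print(ssh_allowed("10.55.10.5", "management"))  # True: host on the mgmt VLAN
```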

Dennis Mink
VIP Alumni

Did you add a route management 0.0.0.0 0.0.0.0 10.51.10.x, so it has a way back to a non-directly-connected subnet?

Please remember to rate useful posts, by clicking on the stars below.

route outside 0.0.0.0 0.0.0.0 (Outside interface connected IP) is configured. Configuring the same for the management interface is not allowed, i.e.:

 

(conf)#route management 0.0.0.0 0.0.0.0 (Outside interface connected IP) 

Error: cannot add route entry, conflict with existing routes 

Yes, this is correct. And if you apply a more general route (e.g. a /16) and change the administrative distance, the connected route will still be preferred.

I have already provided you with the options to connect to the ASA management interface from the outside network. Again, they are: connect over an RA VPN (AnyConnect), or set up a jumpstation on your inside network.

--
Please remember to select a correct answer and rate helpful posts

Is this still the same logic in the latest OS versions?
