ASA5510 blocking vpn traffic states internal devices are on Mgmt Network

erikjbrown
Level 1

Just switched over from an ASA5505 to the ASA 5510 today and am in the process of setting up the Remote Access VPN connection.  Ran the wizard using ASDM and set up the VPN - worked like a charm, installed a few programs remotely and all was well.

Well, I went into the Interfaces menu (ASDM) and selected "Enable traffic between two or more interfaces which are configured with same security levels".

After that point, none of the VPN connections can connect to any internal machines - the firewall log says:

Through the device packet to/from management network is denied; icmp src management:192.168.1.65 dst outside:192.168.ff1.175 (type 0, code 0). The .175 is the VPN computer that is connected.

Problem is, 192.168.1.65 is on the internal network, not the management network, so why does it apply the management ACL?

I've gone back and disabled traffic between like-security-level interfaces and still no go.   It thinks all internals are on the management interface and I can't figure it out.

All other communications are fine at this point - just the VPN clients get this message.

Thanks in advance,

E B

2 Replies

Hi,

Seems something got messed up in the configuration.

Can you post the relevant part of your configuration?

Federico.

Well, I did eventually figure out a way around this.

We were using an IP address pool in the same subnet as our internal network - this was a problem.

I created a new VLAN for the VPN, set up split tunneling on the connection to expose our internal network to that VLAN, and all is working fine now.

Cisco Newb

E B
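The root cause in the reply above was a VPN address pool that sat inside the internal subnet. As an added example (not from the original thread or from Cisco), this Python script parses ASA-style interface and `ip local pool` lines from a constructed sample configuration and flags any pool whose range intersects an interface subnet; the interface names, pool names and addresses are assumptions made up for the demonstration.

```python
import ipaddress
import re

# Constructed ASA-style configuration fragment (not from the original thread);
# VPNPOOL deliberately lies inside the "inside" subnet, as the poster described.
SAMPLE_CONFIG = """
interface Ethernet0/0
 nameif outside
 ip address 203.0.113.2 255.255.255.0
interface Ethernet0/1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Management0/0
 nameif management
 ip address 192.168.100.1 255.255.255.0
ip local pool VPNPOOL 192.168.1.150-192.168.1.175 mask 255.255.255.0
ip local pool RAPOOL 10.10.10.1-10.10.10.50 mask 255.255.255.0
"""

NAMEIF_RE = re.compile(r"^\s*nameif (\S+)")
IPADDR_RE = re.compile(r"^\s*ip address (\S+) (\S+)")
POOL_RE = re.compile(r"^\s*ip local pool (\S+) (\S+)-(\S+)")


def parse_config(text):
    """Return ({nameif: interface network}, {pool name: (first, last)})."""
    interfaces, pools, current = {}, {}, None
    for line in text.splitlines():
        if m := NAMEIF_RE.match(line):
            current = m.group(1)          # nameif precedes ip address on the ASA
        elif (m := IPADDR_RE.match(line)) and current:
            interfaces[current] = ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False)
        elif m := POOL_RE.match(line):
            pools[m[1]] = (ipaddress.ip_address(m[2]), ipaddress.ip_address(m[3]))
    return interfaces, pools

def find_pool_overlaps(interfaces, pools):
    """(pool, nameif) pairs whose address range intersects an interface subnet."""
    return [(pool, nameif)
            for pool, (first, last) in pools.items()
            for nameif, net in interfaces.items()
            if first <= net[-1] and last >= net[0]]

def check_config(text):
    """Parse an ASA-style config and report pool/subnet overlaps."""
    return find_pool_overlaps(*parse_config(text))

if __name__ == "__main__":
    for pool, nameif in check_config(SAMPLE_CONFIG):
        print(f"pool {pool} overlaps the {nameif} interface subnet")
```

Run it against a `show running-config` export to spot a pool that should have been moved to its own subnet (or VLAN, as the poster did) before the VPN is brought up.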