573 Views, 1 Helpful, 8 Replies

Cannot ping or manage ASA over SSL VPN

PeteL (Level 1)

Attempting to come in over VPN where I have hairpin NAT enabled to allow outbound access, as well as source NAT for the inside interface for all inbound traffic. This all works and I can access the internet as well as access any internal host, but I can't ping the inside ASA IP or manage it over the Remote VPN.

ip local pool VPN_POOL 192.168.133.5-192.168.133.253 mask 255.255.255.0

interface GigabitEthernet1/1
bridge-group 1
nameif inside_1
security-level 100

interface GigabitEthernet1/7
nameif outside_dhcp
security-level 0
ip address dhcp setroute

interface BVI1
nameif inside
security-level 100
ip address 192.168.33.11 255.255.255.0

object network NET_VPN
subnet 192.168.133.0 255.255.255.0

object-group network Inside
network-object 192.168.33.0 255.255.255.0

access-group global_access global
access-list global_access extended permit ip object NET_VPN any
access-list global_access extended permit icmp any any

nat (any,inside_1) source dynamic NET_VPN interface destination static Inside Inside
nat (any,outside_dhcp) source dynamic NET_VPN interface
!
nat (inside_1,outside_dhcp) after-auto source dynamic Inside interface

http 192.168.33.0 255.255.255.0 inside_1
http 192.168.133.0 255.255.255.0 inside
ssh 192.168.33.0 255.255.255.0 inside_1
ssh 192.168.133.0 255.255.255.0 inside
management-access inside 

This config works perfectly; the only thing that doesn't work is being able to ping the ASA, SSH to it, or use ASDM to manage it when the VPN tunnel is up.

Tried reading various documents on the community as well as turning off management-access and turning it back on again.

Any suggestions as to what I am missing?

8 Replies

Hi, I tried adding ManagementTunnelAllAllowed and set Client Bypass Protocol but am still unable to ping/SSH/ASDM to the ASA when I come in over Remote SSL VPN.

ssh <vpn pool IP> outside <<- can you add this and check SSH from Anyconnect to ASA 
ssh <vpn pool IP> mgmt   <<- can you add this and check SSH from Anyconnect to ASA 

MHM

Sorry I should have included that I have already tried adding that.

http 192.168.1.0 255.255.255.0 mgmt
http 192.168.33.0 255.255.255.0 inside
http 192.168.133.0 255.255.255.0 inside
http 192.168.133.0 255.255.255.0 outside_dhcp
http 192.168.133.0 255.255.255.0 mgmt
ssh 192.168.33.0 255.255.255.0 inside
ssh 192.168.133.0 255.255.255.0 inside
ssh 192.168.133.0 255.255.255.0 outside_dhcp
ssh 192.168.1.0 255.255.255.0 mgmt
ssh 192.168.133.0 255.255.255.0 mgmt

I think I am missing something very simple, and I think it's related to the NAT rule, but even without the NAT rule (which means I can no longer access the internet when tunnelling all traffic) I can access all internal hosts but still can't ping/SSH/ASDM the ASA itself.

Normally we add a no-NAT for AnyConnect; this prevents AnyConnect traffic from being dynamic NAT overloaded when it passes outside of the ASA.

So I think you should add a no-NAT.

Also, can you ping the mgmt interface rather than the BVI interface?

MHM

tvotna (Spotlight)

First, I'm confused by your config. How do you use inside_1 in NAT config if this interface is a bridge-group member and not assigned IP address?

Second, what's the version? There was a bug for bvi interfaces: CSCvw83572

 

I am running 9.20.2, but have tried a similar config on 9.16.4(48) and 9.18.3(56) without success.

Removed the BVI1 and reconfigured the inside IP to GE1/1 and am still not able to ping/SSH/ASDM to the ASA over Remote SSL VPN. Can ping all other hosts on 192.168.33.0/24 and other internal routes, and am able to access the internet.

In theory I should only need management-access inside but that doesn't work either.

PeteL (Level 1)

What I am trying to achieve is being able to manage / configure the ASA itself with SSH and ASDM over a Remote SSL VPN so I can remotely change the configuration. The config I have is:

interface GigabitEthernet1/1 - nameif inside and 192.168.33.11/24
interface Management1/1 - nameif mgmt and 192.168.1.1/24
ip local pool VPN_POOL 192.168.133.5-192.168.133.253 mask 255.255.255.0
interface GigabitEthernet1/7 - nameif outside_dhcp

Another device connected to GE1/1 with 192.168.33.1

If I plug into either GE1/1 or Management and configure my machine with the correct IP I can ping & configure the ASA.

If I come in remotely over SSL VPN with AnyConnect and the Group policy is tunnel all traffic I can access both my internal services of 192.168.33.1 and connect out to the internet and I will appear as the office IP rather than my home IP.

However I am unable to ping or ssh or https to manage the ASA on 192.168.33.11 when I come in over the SSL VPN.

Removing the BVI and reconfiguring GE1/1 as inside and re-adding everything still has not fixed the problem. Config snippet below. 

 

ip local pool VPN_POOL 192.168.133.5-192.168.133.253 mask 255.255.255.0

!
interface GigabitEthernet1/1
nameif inside
security-level 100
ip address 192.168.33.11 255.255.255.0

object network NET_VPN
subnet 192.168.133.0 255.255.255.0
object network Office
subnet 192.168.33.0 255.255.255.0
object network ASA
host 192.168.33.11
object-group network OfficeIPs
network-object object Office
network-object object NET_VPN
object-group network Inside
network-object 192.168.1.0 255.255.255.0
network-object 192.168.33.0 255.255.255.0
access-group global_access global
access-list global_access extended permit ip object NET_VPN any
access-list global_access extended permit icmp any any
access-list SPLIT_TUNNEL extended permit ip object-group OfficeIPs any

nat (any,inside) source static NET_VPN NET_VPN destination static Inside Inside no-proxy-arp
nat (any,outside_dhcp) source dynamic OfficeIPs interface
!
nat (inside,outside_dhcp) after-auto source dynamic Inside interface inactive

http 192.168.33.0 255.255.255.0 inside
http 192.168.133.0 255.255.255.0 inside
http 192.168.133.0 255.255.255.0 outside_dhcp

ssh 192.168.33.0 255.255.255.0 inside
ssh 192.168.133.0 255.255.255.0 inside
ssh 192.168.133.0 255.255.255.0 outside_dhcp
management-access inside

I have tried the above link https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215442-configure-anyconnect-management-vpn-tunn.html to add Client Bypass Protocol and ManagementTunnelAllAllowed, and neither allows me to ping/SSH/ASDM onto the ASA over the Remote VPN.

Currently running 9.20.2, but I have had the same problem on 9.16.4(48) and 9.18.3(56), so I think it must be an obvious setting I am missing, either an ACL or a NAT translation, that makes SSH/ASDM management possible over a Remote VPN.
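The two things the thread keeps circling are the order in which the manual NAT rules are evaluated for a VPN-client-to-ASA flow (MHM's "add a no-NAT" point) and whether the `ssh`/`http` statements cover the VPN pool on the `management-access` interface. The script below is an added example, not code from the thread or from Cisco: it is a deliberately simplified model of the ASA's manual NAT evaluation (section 1 rules top-down, first match wins, then `after-auto` section 3 rules; auto NAT, ACLs and routing are not modelled) plus the management-plane source check, run over the final configuration PeteL posted, embedded as a constructed sample. Treating traffic destined to the ASA's own inside address as having egress interface `inside` is an assumption of the model, as is the rule that the `ssh`/`http` line must name the `management-access` interface.

```python
"""Simplified ASA manual-NAT and management-access checker (added example).

Assumptions: only manual (twice) NAT is modelled; rules are evaluated in
configuration order, section 1 (no after-auto) before section 3 (after-auto);
inactive rules are skipped; nested object-groups are resolved recursively.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample: the final configuration snippet from the thread.
ASA_CONFIG = """
ip local pool VPN_POOL 192.168.133.5-192.168.133.253 mask 255.255.255.0
object network NET_VPN
subnet 192.168.133.0 255.255.255.0
object network Office
subnet 192.168.33.0 255.255.255.0
object network ASA
host 192.168.33.11
object-group network OfficeIPs
network-object object Office
network-object object NET_VPN
object-group network Inside
network-object 192.168.1.0 255.255.255.0
network-object 192.168.33.0 255.255.255.0
nat (any,inside) source static NET_VPN NET_VPN destination static Inside Inside no-proxy-arp
nat (any,outside_dhcp) source dynamic OfficeIPs interface
nat (inside,outside_dhcp) after-auto source dynamic Inside interface inactive
http 192.168.33.0 255.255.255.0 inside
http 192.168.133.0 255.255.255.0 inside
http 192.168.133.0 255.255.255.0 outside_dhcp
ssh 192.168.33.0 255.255.255.0 inside
ssh 192.168.133.0 255.255.255.0 inside
ssh 192.168.133.0 255.255.255.0 outside_dhcp
management-access inside
"""


@dataclass
class NatRule:
    src_if: str
    dst_if: str
    kind: str        # "static" or "dynamic"
    src_real: str    # object/group name or "any"
    src_mapped: str  # object name or "interface"
    dst_real: str    # object/group name or "any"
    after_auto: bool
    active: bool
    raw: str


class AsaModel:
    def __init__(self, config):
        self.objects = {}   # name -> list of networks or referenced object names
        self.nats = []      # manual NAT rules in configuration order
        self.access = []    # (proto, network, interface) from ssh/http lines
        self.mgmt_if = None
        current = None
        for line in config.splitlines():
            t = line.split()
            if not t:
                continue
            kw = t[0]
            if kw in ("object", "object-group") and t[1] == "network":
                current = t[2]
                self.objects.setdefault(current, [])
            elif kw == "subnet":
                self.objects[current].append(self._net(t[1], t[2]))
            elif kw == "host":
                self.objects[current].append(ipaddress.ip_network(t[1]))
            elif kw == "network-object":
                self.objects[current].append(t[2] if t[1] == "object" else self._net(t[1], t[2]))
            elif kw == "nat":
                self.nats.append(self._parse_nat(line, t))
            elif kw in ("ssh", "http"):
                self.access.append((kw, self._net(t[1], t[2]), t[3]))
            elif kw == "management-access":
                self.mgmt_if = t[1]

    @staticmethod
    def _net(addr, mask):
        return ipaddress.ip_network(f"{addr}/{mask}")  # dotted masks are accepted

    @staticmethod
    def _parse_nat(line, t):
        src_if, dst_if = t[1].strip("()").split(",")
        s = t.index("source")
        dst_real = t[t.index("destination") + 2] if "destination" in t else "any"
        return NatRule(src_if, dst_if, t[s + 1], t[s + 2], t[s + 3], dst_real,
                       "after-auto" in t, "inactive" not in t, line.strip())

    def contains(self, name, ip):
        """True if ip falls within the named object/group (nested groups resolved)."""
        if name == "any":
            return True
        for member in self.objects[name]:
            if isinstance(member, str):
                if self.contains(member, ip):
                    return True
            elif ip in member:
                return True
        return False

    def match_nat(self, src, dst, ingress, egress):
        """First active manual NAT rule matching the flow, section 1 before section 3."""
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        for after_auto in (False, True):
            for r in self.nats:
                if r.after_auto != after_auto or not r.active:
                    continue
                if r.src_if not in ("any", ingress) or r.dst_if not in ("any", egress):
                    continue
                if self.contains(r.src_real, src) and self.contains(r.dst_real, dst):
                    return r
        return None

    def management_permitted(self, proto, src):
        """Does an ssh/http line on the management-access interface cover src?"""
        src = ipaddress.ip_address(src)
        return any(p == proto and i == self.mgmt_if and src in n for p, n, i in self.access)


def describe(rule):
    if rule is None:
        return "no manual NAT rule matched"
    if rule.kind == "static" and rule.src_real == rule.src_mapped:
        return "identity NAT: source address unchanged"
    if rule.src_mapped == "interface":
        return f"dynamic PAT: source translated to the {rule.dst_if} interface address"
    return f"{rule.kind} NAT {rule.src_real} -> {rule.src_mapped}"


if __name__ == "__main__":
    asa = AsaModel(ASA_CONFIG)
    client = "192.168.133.5"  # a constructed address from VPN_POOL
    for dst, egress in (("192.168.33.11", "inside"), ("8.8.8.8", "outside_dhcp")):
        r = asa.match_nat(client, dst, "outside_dhcp", egress)
        print(f"{client} -> {dst}: {describe(r)}\n    rule: {r.raw if r else '-'}")
    for proto in ("ssh", "http"):
        print(f"{proto} from {client} on management-access {asa.mgmt_if}: "
              f"{asa.management_permitted(proto, client)}")
```

Run against this snippet, the VPN-client-to-ASA flow hits the identity rule first (so the source is not overloaded to an interface address), the internet-bound flow hits the dynamic PAT rule, and both `ssh` and `http` are permitted from the pool on the `management-access` interface; in other words, the model finds nothing wrong in the posted NAT or management lines, which narrows the search to things it does not model (routing of the pool, the tunnel-all group policy, or the BVI bug tvotna mentioned). Swapping in the original `source dynamic NET_VPN interface destination static Inside Inside` rule makes `describe()` report the dynamic PAT that MHM's no-NAT advice is meant to avoid.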