Connecting to ASA Management (ASDM\SSH) via VPN

gal.avichid
Level 1

Hey,

I have set up multiple tunnels between a few ASAs, plus an AnyConnect VPN gateway on the 'main' ASA with a public IP (let's say 150.1.0.1).

I can communicate between the remote locations, connect to the VPN via my laptop, and communicate with all locations.

I would like to access the management (ASDM\SSH) via my laptop when connected to the VPN.

I have set the static IP in the ACL of the GroupPolicy and created a rule for SSH+HTTPS connections from the pool IP set in the VPN (let's say 10.22.0.0/24).

I can confirm the VPN is routing the static IP address, but no success when trying to login via SSH\HTTPS.

I tried to ping the static IP via my laptop, and I can see in the syslog the ICMP is from my ISP IP address and not the VPN address.

Any suggestion what else I could have missed?

*I can log in to SSH+HTTPS via one of my remote locations (via the tunnel).

Thank you

27 Replies

Hi,

I have followed this guide and done most of it, but still can't get it to work or have any idea of what I might be missing.

@gal.avichid if you want to manage the ASA over the VPN, have you configured management-access <interface>? https://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/access_management.pdf

You also need to ensure you permit HTTP/SSH from the IP pool network:-

ssh <ip pool network> <netmask> <interface>
http <ip pool network> <netmask> <interface>

Hi @Rob Ingram 

Both of the configurations are made, still can't connect via the VPN.

I can access it via one of the environments with the tunnel.

I have one interface in the main ASA (outside), which I allowed management-access to, and added the pool IP.

I feel my main issue is that when I'm trying to reach the main ASA with its static IP, it's going via my public IP and not via the pool IP I get in the VPN.


@gal.avichid wrote:

Hi @Rob Ingram

I feel my main issue is that when I'm trying to reach the main ASA with its static IP, it's going via my public IP and not via the pool IP I get in the VPN.

@gal.avichid sounds like you may need to create a NAT exemption rule then, to ensure that traffic is not translated:

nat (outside,outside) source static POOL POOL destination static REMOTE REMOTE

If you still have a problem, you may want to run packet-tracer from the CLI and provide the output.

Can I see the final config?
Thanks
MHM

Salman Mahajan
Cisco Employee

Hi @gal.avichid 

I think I could help you with this problem. I have the below questions in regards to the same:

ASA version

AnyConnect version

Which interface IP are you trying to use for ASDM/SSH?

gal.avichid
Level 1

@Rob Ingram I have tried to add those lines, still the same result.

@MHM Cisco World see attached.

@Salman Mahajan I don't think the problem is there.

I have connected another client via the AnyConnect VPN (10.22.0.1 + 10.22.0.2). The 2 hosts can ping each other, but I can't ping the hosts from the ASA. I guess I am missing something, just not sure what.

Are you sure this config is complete? There are many commands missing for AnyConnect.

gal.avichid
Level 1

Small update,

I have added NAT, and now I can ping the clients connecting to the VPN from the FW.

nat (outside,outside) source static NETWORK_OBJ_PUBLIC_IP NETWORK_OBJ_PUBLIC_IP destination static OBJ_vpn_pool_ip OBJ_vpn_pool_ip no-proxy-arp route-lookup

I am still not able to SSH to the FW when the rule 'ssh 10.78.0.0 255.255.255.0 outside' is set and I am connected to the VPN.

I am using split-tunnel, and have set the subnet 10.78.0.0/24 to be directed via the VPN.

@gal.avichid What is the ASA version?
With the above NAT statement configured on the firewall, are you still unable to ping/ASDM/SSH the outside IP address of the FW via RA-VPN? Does the network object "OBJ_vpn_pool_ip" contain the 10.78.0.0/24 subnet?

Please share the below output here:
ciscoasa# show vpn-sessiondb anyconnect filter name <username>
ciscoasa# packet-tracer input outside icmp <anyconnectip> 8 0 <outsideip> detailed

Hi Salman

ASA Version: 9.8(2)

OBJ_vpn_pool_ip = 10.78.0.0/24

When I am connected to the VPN from my laptop and ping the IP of the VPN (which is the remote IP), I can still see the ICMP coming from my local internet IP (77.251.*.*). I guess there is something wrong with the translation? Therefore, when I set up the SSH connection via 10.78.*.*, it's not accepted, as the ASA is receiving the request from 77.251.*.*.

Here are the outputs:

Result of the command: "show vpn-sessiondb anyconnect filter name GAL"

Session Type: AnyConnect

Username : GAL Index : 63914
Assigned IP : 10.78.0.2 Public IP : 77.251.*.*
Protocol : AnyConnect-Parent SSL-Tunnel DTLS-Tunnel
License : AnyConnect Premium
Encryption : AnyConnect-Parent: (1)none SSL-Tunnel: (1)AES-GCM-256 DTLS-Tunnel: (1)AES256
Hashing : AnyConnect-Parent: (1)none SSL-Tunnel: (1)SHA384 DTLS-Tunnel: (1)SHA1
Bytes Tx : 52258 Bytes Rx : 74324
Group Policy : GroupPolicy_VPN
Tunnel Group : VPN
Login Time : 19:05:34 CEDT Fri Apr 28 2023
Duration : 0h:01m:41s
Inactivity : 0h:00m:00s
VLAN Mapping : N/A VLAN : none
Audt Sess ID : 9d6177120f9aa000644bfcde
Security Grp : none
Result of the command: "packet-tracer input outside icmp REMOTE-IP 8 0 REMOTE-IP detailed"

Phase: 1
Type: ROUTE-LOOKUP
Subtype: Resolve Egress Interface
Result: ALLOW
Config:
Additional Information:
found next-hop REMOTE-IP using egress ifc identity

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
Action: drop
Drop-reason: (sp-security-failed) Slowpath security checks failed
Friend, you access via AnyConnect and succeed.

Now you want to SSH to the ASA through AnyConnect, so what you need is:

ssh 0.0.0.0 0.0.0.0 mgmt
!
management-access outside

This will let you SSH to the mgmt interface through the AnyConnect VPN.

You can not ssh to outside since the anyconnect is end in this interface.
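As an added example, not taken from any post in this thread, here is the configuration pattern the replies converge on: manage the ASA on an interface address behind the tunnel (reached via management-access and NAT exemption) rather than on the outside address where AnyConnect terminates. The interface name "inside", its address 10.0.0.1/24 and the object OBJ_inside_net are assumptions; the pool 10.78.0.0/24, the object OBJ_vpn_pool_ip and the group policy name come from the thread.

```cisco
! Added example, not the poster's config. "inside" 10.0.0.1/24 and
! OBJ_inside_net are constructed; the pool and policy names are from the thread.
object network OBJ_vpn_pool_ip
 subnet 10.78.0.0 255.255.255.0
object network OBJ_inside_net
 subnet 10.0.0.0 255.255.255.0
!
! Split tunnel: the client only sends traffic for listed networks into the
! tunnel. The network holding the management address must be in the list,
! otherwise the client sends it out to the ISP (the 77.251.*.* symptom above).
access-list SPLIT_TUNNEL standard permit 10.0.0.0 255.255.255.0
group-policy GroupPolicy_VPN attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! NAT exemption so pool-to-inside traffic keeps its source and destination.
nat (inside,outside) source static OBJ_inside_net OBJ_inside_net destination static OBJ_vpn_pool_ip OBJ_vpn_pool_ip no-proxy-arp route-lookup
!
! Let the inside interface address be managed from a VPN that ends on outside.
management-access inside
!
! Limit SSH and ASDM to the VPN pool only; 0.0.0.0 0.0.0.0 would admit any
! source that reaches that interface.
ssh 10.78.0.0 255.255.255.0 inside
http server enable
http 10.78.0.0 255.255.255.0 inside
!
! Check from the CLI before testing from a client (pool host 10.78.0.2 to the
! inside address on TCP/22); the result should no longer be sp-security-failed.
! packet-tracer input outside tcp 10.78.0.2 50000 10.0.0.1 22 detailed
```

With this in place the client connects to 10.0.0.1, not to the public outside address.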