
Connecting to ASA Management (ASDM\SSH) via VPN

gal.avichid
Level 1

Hey,

I have set up multiple tunnels between a few ASAs, plus an AnyConnect VPN gateway on the 'main' ASA with a public IP (let's say 150.1.0.1).

I can communicate between the remote locations, connect to the VPN via my laptop, and communicate with all locations.

I would like to access the management (ASDM\SSH) via my laptop when connected to the VPN.

I have set the static IP in the ACL of the GroupPolicy and created a rule for SSH+HTTPS connections via the pool IP set in the VPN (let's say 10.22.0.0/24).

I can confirm the VPN is routing the static IP address, but no success when trying to log in via SSH\HTTPS.

I tried to ping the static IP from my laptop, and I can see in the syslog that the ICMP is coming from my ISP IP address and not the VPN address.

Any suggestion as to what else I could have missed?

*I can log in to SSH+HTTPS from one of my remote locations (via the tunnel).

Thank you

27 Replies

That will be too open, allowing SSH from all IPs.

Is there another solution I can use to allow SSH access via the VPN, for the users who are connected to the VPN?

Thanks 

Instead of ssh 0.0.0.0 use

ssh <vpn pool>

Check this.

Also, you can add a vpn-filter to permit/deny specific IPs access to the mgmt IP.

That's what I did, but somehow when I set it like that, I can't connect; only if I keep it on 0.0.0.0.

How can I add the VPN-filter?

gal.avichid
Level 1

I have tried adding the filter, but I still get no access when trying to connect via the AnyConnect VPN.

I guess, as @Rob Ingram mentioned, I am trying to achieve something that is not possible?

Is there maybe another way to do that?

Maybe set up another interface and allow the access via this interface over the VPN?

You mentioned before that you can access with ssh 0.0.0.0??

https://howdoesinternetwork.com/2016/asa-packet-processing

 

@MHM Cisco World He is able to access with SSH 0.0.0.0; that's because in both cases, with or without VPN, the traffic is going via the PC's local internet only and not through AnyConnect.

 

He SSHs using the public IP; the traffic hits outside and drops, so he uses AnyConnect VPN, that's why he can bypass outside low security level access to high security level.

The VPN can bypass the allow-all traffic.

So sure, he uses VPN to SSH to the ASA.

I bet SSH traffic is not going via AnyConnect in any case. It would have otherwise worked when the CLI is SSH 10.22.0.0 255.255.255.0 outside.

At first he has to add the Outside IP in the SPLIT ACL so that it appears in "Secure Routes" of AnyConnect for it to send it via the tunnel (I am assuming he has). Even with that, the route on the PC for the ASA outside IP will have the next hop as the Local Gateway and not the AnyConnect Gateway IP, which is due to the Outside IP address being the terminating IP for AnyConnect.

SORRY, maybe I am not clear.

What I MEAN by ssh 0.0.0.0 is

ssh 0.0.0.0 0.0.0.0 (mgmt or IN)

Please @gal.avichid confirm that you do not use OUT as the interface for SSH.

It should work via AnyConnect with SSH 0.0.0.0 (any interface but not OUT).

Hi @gal.avichid,

Management/SSH access to the Outside interface via RA-VPN will not work if the RA-VPN terminating interface is the same as the management interface. I suggest setting up another interface for that. It is not expected to work with the CLI "SSH 0.0.0.0 0.0.0.0 outside".

Please feel free to ask if you still have any query on the same.

Kindly mark my response as Helpful if it helps your issue!
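To make the two suggestions in this thread concrete (the earlier `ssh <vpn pool>` plus vpn-filter advice, and the advice just above to manage the ASA through an interface other than the one terminating the VPN), here is an added ASA configuration example. It is not from any post in the thread. The VPN pool 10.22.0.0/24 and the outside IP 150.1.0.1 are the values given in the question; the interface name `inside`, its address 10.100.0.1, the ACL names and the group-policy name `ANYCONNECT-GP` are assumed, and the `management-access` command is an addition the thread does not mention.

```cisco
! Added example (not from the thread): reaching ASDM/SSH from AnyConnect clients
! through a non-VPN-terminating interface, with management access scoped to the pool.
! Assumed: interface "inside" = 10.100.0.1, group-policy "ANYCONNECT-GP", ACL names.
! From the question: VPN pool 10.22.0.0/24, outside IP 150.1.0.1 (tunnel endpoint).

! 1. vpn-filter ACL. For remote-access VPN the ACL is written with the VPN client
!    as the SOURCE. Only SSH, HTTPS (ASDM) and ICMP toward the inside IP are
!    allowed; everything not listed is dropped by the implicit deny, so add the
!    remote-site networks the users still need, or they lose those after this.
access-list VPN-MGMT-FILTER extended permit tcp 10.22.0.0 255.255.255.0 host 10.100.0.1 eq 22
access-list VPN-MGMT-FILTER extended permit tcp 10.22.0.0 255.255.255.0 host 10.100.0.1 eq 443
access-list VPN-MGMT-FILTER extended permit icmp 10.22.0.0 255.255.255.0 host 10.100.0.1
! access-list VPN-MGMT-FILTER extended permit ip 10.22.0.0 255.255.255.0 <remote-site-net> <mask>

! 2. Split tunnelling: the inside IP must be in the secured route list or the
!    client sends it out its local gateway (the same reason the outside IP
!    150.1.0.1 can never be reached through the tunnel: it IS the tunnel endpoint,
!    so the client routes it via the ISP, which is what the syslog showed).
access-list SPLIT-TUNNEL standard permit host 10.100.0.1

group-policy ANYCONNECT-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 vpn-filter value VPN-MGMT-FILTER

! 3. Let management sessions terminate on "inside" even though the packets
!    arrived encrypted on "outside". Without this the ASA will not answer
!    SSH/ASDM on a non-ingress interface over the VPN.
management-access inside

! 4. Scope SSH and ASDM to the pool on the inside interface only. This replaces
!    "ssh 0.0.0.0 0.0.0.0 inside"; never bind these lines to "outside".
ssh 10.22.0.0 255.255.255.0 inside
ssh version 2
http server enable
http 10.22.0.0 255.255.255.0 inside

! Checks after applying:
!   show run ssh / show run http / show run management-access
!   show vpn-sessiondb detail anyconnect   (confirms the filter and the pool address)
!   on the client, the AnyConnect "Secured Routes" list must contain 10.100.0.1/32
```

Two things to watch when verifying: the syslog for the SSH or ICMP attempt should now show a 10.22.0.0/24 source on `inside`, not the ISP address on `outside`; and because the vpn-filter's implicit deny applies to every packet the client sends through the tunnel, a user who suddenly cannot reach a remote site after the change is hitting the filter, not a routing problem.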

Hi @Salman Mahajan,
I am not sure what you meant? The idea is to set up another interface and allow SSH via this interface?

Where this ASA is connected there is only an internet connection, no computer\network or any devices besides the ASA.