Not able to SSH to the ASA inside interface through a VPN tunnel while AnyConnect is connected.

JawadAzizi9144 (Level 1)

Greetings everybody,

I am trying to access the ASA from its inside interface while the remote client is connected via AnyConnect, but I am able to access the LAN behind the ASA.

Below are my configurations:

ip local pool admin 172.16.1.10-172.16.20.100

object network vpn_pool_ip
 range 172.16.1.10 172.16.20.100
object network inside
 host 192.168.101.1

nat (outside,any) source static inside inside destination static vpn_pool_ip vpn_pool_ip

(This has the first sequence number; no other NAT is configured.)

ssh 172.16.1.10 255.255.255.255 outside

Note: Accessing the ASA from its outside interface is possible because split tunneling is configured, but the requirement is to access it from the inside interface.


Thanks in advance,

Sir, below is the topology (attached). Here the Windows PC is connected over an SSL VPN to the ASA, but it cannot SSH to the ASA (specifically, when I SSH to the IP 192.168.101.1, it is not working),

although it can access (telnet, SSH, HTTP ...) the server (R2 as server).

Kindly bear with me, I am a fresher student.

Ok, but did you enter the command I provided?

You may want to amend your configuration, as you are currently permitting access from one IP address; change it to a subnet, e.g. ssh 172.16.1.0 255.255.255.0 outside

Hi,

Yes sir, I have entered it, even with a wider subnet range (the entire pool range).

By the way, below are all the configurations of my ASA.

I just omitted some of the unused config info.

ASA# show run
: Saved

:
ASA Version 9.6(3)1
!
hostname ASA
domain-name cisco.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names

ip local pool admin 172.16.1.10-172.16.20.100

!
interface GigabitEthernet0/0
nameif inside
security-level 100
ip address 192.168.101.1 255.255.255.0
!
interface GigabitEthernet0/1
nameif outside
security-level 0
ip address 101.1.1.100 255.255.255.0

!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address

domain-name cisco.com
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

object network vpn_pool_ip
range 172.16.1.10 172.16.20.10
object network inside
subnet 192.168.101.0 255.255.255.0

access-list stacl standard permit 172.16.0.0 255.255.0.0
access-list stacl standard permit 192.168.101.0 255.255.255.0


nat (outside,any) source static vpn_pool_ip vpn_pool_ip destination static inside inside no-proxy-arp route-lookup

router eigrp 100
network 192.168.101.0 255.255.255.0
redistribute static metric 1 1 1 1 1
!
route outside 0.0.0.0 0.0.0.0 101.1.1.1 1


user-identity default-domain LOCAL
aaa authentication ssh console LOCAL

telnet timeout 5
ssh stricthostkeycheck
ssh 172.16.0.0 255.255.0.0 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1


webvpn
enable outside
anyconnect image disk0:/anyconnect-win-4.2.02075-k9.pkg 1
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable

group-policy admin internal
group-policy admin attributes
vpn-tunnel-protocol ssl-client ssl-clientless
split-tunnel-policy tunnelspecified
split-tunnel-network-list value stacl
webvpn
anyconnect keep-installer installed
anyconnect ask enable
dynamic-access-policy-record DfltAccessPolicy

username cisco password 3USUcOPFUiMCO4Jk encrypted privilege 15

tunnel-group admin_group type remote-access
tunnel-group admin_group general-attributes
address-pool admin
default-group-policy admin
tunnel-group admin_group webvpn-attributes
group-alias ADMIN_GROUP enable
!

!
!

!
service-policy global_policy global

: end

My Windows client got the IP 172.16.1.10 pushed by the ASA from the pool, and since access-list "stacl" is used for split tunneling, it has reachability to the internet too.

Thank you, Rob Ingram.


I don't see the command management-access <interface-name> in the output of the configuration you provided.

By the way, sorry for that, but I configured that command too and it didn't work. (Just to try both: first I put "management-access inside", and my PuTTY software prompted -> Network error: Software caused connection abort;

and when I removed it and tried "management-access outside", PuTTY prompted -> Network error: Connection timed out.)

Thanks for bearing with me, sir.

Sir, this is a log message for your reference:

%ASA-6-302013: Built inbound TCP connection 39 for outside:172.16.1.10/49188 (172.16.1.10/49188)(LOCAL\cisco) to identity:192.168.101.1/22 (192.168.101.1/22) (cisco)
%ASA-6-302014: Teardown TCP connection 39 for outside:172.16.1.10/49188(LOCAL\cisco) to identity:192.168.101.1/22 duration 0:00:00 bytes 0 Flow terminated by TCP Intercept (cisco)
%ASA-6-302013: Built inbound TCP connection 40 for outside:172.16.1.10/49188 (172.16.1.10/49188)(LOCAL\cisco) to identity:192.168.101.1/22 (192.168.101.1/22) (cisco)
%ASA-6-302014: Teardown TCP connection 40 for outside:172.16.1.10/49188(LOCAL\cisco) to identity:192.168.101.1/22 duration 0:00:00 bytes 0 TCP Reset by appliance (cisco)

Thank you sir, the problem is solved successfully. It was a TCP Intercept problem.
The reason was that I had configured ssh (#ssh 172.16.0.0 255.255.0.0 outside) and (management-access inside). Here the ssh configuration was wrong; I should have configured it as (#ssh 172.16.0.0 255.255.0.0 inside), and then it works.
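As an added check that is not part of the thread, the script below reads an ASA running configuration and reports why SSH from a VPN-pool client to an interface's own address would be refused: a missing management-access statement, or an ssh rule bound to the wrong interface (the mistake found above). The two configurations are constructed from the values in this thread; the function names are my own.

```python
import ipaddress
import re

# Constructed sample based on the thread's values: the broken configuration
# (ssh rule bound to "outside") and the corrected one (bound to "inside").
BROKEN_CONFIG = """\
ip local pool admin 172.16.1.10-172.16.20.100
interface GigabitEthernet0/0
 nameif inside
 ip address 192.168.101.1 255.255.255.0
management-access inside
ssh stricthostkeycheck
ssh 172.16.0.0 255.255.0.0 outside
ssh key-exchange group dh-group1-sha1
"""
FIXED_CONFIG = BROKEN_CONFIG.replace("255.255.0.0 outside", "255.255.0.0 inside")

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"


def parse(config):
    """Pull out VPN pools, ssh host rules, nameifs and management-access."""
    pools, ssh_rules, nameifs, mgmt = [], [], set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(rf"ip local pool \S+ {IPV4}-{IPV4}$", line):
            pools.append((ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2])))
        elif m := re.match(rf"ssh {IPV4} {IPV4} (\S+)$", line):
            ssh_rules.append((ipaddress.ip_network(f"{m[1]}/{m[2]}", strict=False), m[3]))
        elif m := re.match(r"nameif (\S+)$", line):
            nameifs.add(m[1])
        elif m := re.match(r"management-access (\S+)$", line):
            mgmt = m[1]
    return pools, ssh_rules, nameifs, mgmt


def vpn_ssh_findings(config, client_ip, target_iface):
    """Why SSH from a VPN-pool client to target_iface's own address would fail.

    Returns an empty list when the configuration should allow it."""
    pools, ssh_rules, nameifs, mgmt = parse(config)
    client = ipaddress.ip_address(client_ip)
    findings = []
    if target_iface not in nameifs:
        findings.append(f"no interface is named {target_iface}")
    if not any(lo <= client <= hi for lo, hi in pools):
        findings.append(f"{client_ip} is not in any VPN address pool")
    # management-access lets tunnelled traffic reach a non-ingress interface address.
    if mgmt != target_iface:
        findings.append(f"management-access {target_iface} is not configured")
    # The ssh rule must name the interface whose address is being reached,
    # not the interface the tunnel terminates on (the thread's mistake).
    if not any(client in net and iface == target_iface for net, iface in ssh_rules):
        findings.append(f"no ssh rule for {target_iface} covers {client_ip}")
    return findings
```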

Hello Rob,

Sorry for replying to this thread in 2022.

I have a Firepower device and I want to achieve the same here: to be able to manage the Firepower over a remote VPN connection.

Tried to use the management-access <interface> command, but it shows as 'blacklisted'.

So is there any other way to achieve this?

Please help.

@engineer467 the "management-access <interface>" command was blacklisted in FlexConfig until about version 6.5 or 6.6 (from memory), so you may need to upgrade if running an old version.

Thank you for the quick reply.

The version running on it is 6.4.

So gotta upgrade it now.