04-16-2020 02:44 AM
Need help from an expert like you:
-------------------------------
Laptop --> (Internet Cloud) --> ASA Firewall --> LAN
AnyConnect profile configured on the ASA FW with "Tunnel specified" for the split-tunnel profile.
After the laptop connects to the AnyConnect VPN, a private IP range is allocated for VPN purposes.
I want to SSH into the same ASA Firewall over the AnyConnect VPN. Is there any solution to achieve this?
(1) I don't want to permit SSH on outside for all public IP ranges.
(2) "ssh <IP pool of AnyConnect> inside" is not working because of routing.
Thank you in advance
04-16-2020 03:01 AM
Hi,
To manage the ASA via SSH/ASDM over a VPN tunnel (either AnyConnect or a Site-to-Site VPN) you need to configure the command management-access <interface-name>.
Reference here.
HTH
04-16-2020 04:05 AM
Hi,
So, if I configure "management-access inside", that will give me SSH access once I am on AnyConnect, right?
I hope this is not an intrusive change :-). I will try it if it is non-intrusive and test it. I don't have a lab setup; that's why I am asking this. Thank you for understanding.
04-16-2020 04:09 AM
And, if "management-access inside" is added to the device config, will it disable the other "ssh ... inside" and SSH management commands? Then it becomes a problem :-)
Could you help me with this? I just need SSH to the ASA box over AnyConnect, and the existing "ssh ... inside" from the office LAN should continue to work, and also "ssh ... outside" for the partner network.
04-16-2020 04:37 AM - edited 04-16-2020 04:38 AM
No, when you configure that command it does not disable the other commands.
You can still manage the ASA as before.
04-16-2020 06:29 AM
I just noticed that "management-access inside" is already present on the device, but this is still not working.
Following is the NAT config:
---------------------
nat (outside,inside) source static <VPN subnet> <VPN subnet> destination static <10.0.0.0> <10.0.0.0> no-proxy-arp
nat (inside,outside) source static <10.0.0.0> <10.0.0.0> destination static <VPN subnet> <VPN subnet> no-proxy-arp
(The VPN subnet range is also 10.x but with a different netmask.)
I could see the connection hitting the ASA when I tried to SSH, and it got stuck with TCP flags "SaAB".
Am I missing any other command?
04-16-2020 07:38 AM
You don't need both of those NAT rules; remove the first rule (from outside to inside).
Modify the remaining NAT rule and append the keyword "route-lookup", e.g.
nat (inside,outside) source static <10.0.0.0> <10.0.0.0> destination static <VPN subnet> <VPN subnet> no-proxy-arp route-lookup
HTH
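The configuration the answer above describes, written out as one consistent ASA snippet. This is an added illustration, not configuration from the original thread or from Cisco; the interface names, the pool, the subnets, the object names and the partner network are assumed placeholders and must be replaced with the real values.

```text
! --- AnyConnect address pool (assumed values) ---
ip local pool ANYCONNECT_POOL 10.10.10.1-10.10.10.254 mask 255.255.255.0

! --- Allow management traffic that arrives through a VPN tunnel
!     to be delivered to the inside interface (this does not remove
!     or change any existing "ssh ..." lines) ---
management-access inside

! --- SSH sources, scoped as narrowly as possible:
!     office LAN and the VPN pool on inside, only the partner
!     network on outside (no "ssh 0.0.0.0 0.0.0.0 outside") ---
ssh 192.168.1.0 255.255.255.0 inside
ssh 10.10.10.0 255.255.255.0 inside
ssh 203.0.113.0 255.255.255.0 outside

! --- Identity NAT between the LAN and the VPN pool (assumed objects) ---
object network INSIDE_NET
 subnet 10.0.0.0 255.255.0.0
object network VPN_POOL
 subnet 10.10.10.0 255.255.255.0

! One rule is enough: twice NAT matches in both directions.
! "route-lookup" makes the ASA pick the egress interface from the
! routing table instead of from the (inside,outside) interface pair,
! so replies to the VPN client leave via the tunnel and the SSH
! handshake completes instead of sitting half-open.
nat (inside,outside) source static INSIDE_NET INSIDE_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup

! --- Checks after the change (constructed VPN client 10.10.10.5) ---
show running-config management-access
show running-config ssh
show nat detail
show conn address 10.10.10.5 port 22
```

A connection in "show conn" that stays with SYN-related flags and never reaches "U" (established) is the symptom of replies being routed out the wrong interface; after adding "route-lookup" the same connection should show as established once the client logs in. The two "ssh ... inside" lines for the LAN and the pool coexist with "management-access inside"; neither replaces the other.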
04-16-2020 11:22 PM - edited 04-16-2020 11:24 PM
SSH to the device is successful after adding the NAT rule at Serial No#1 with "route-lookup".
I am still wondering why we need "route-lookup" in the NAT statement. My box is running 9.12. In 8.4 and later images, identity NAT statements (with optional interfaces specified) decide the egress interface. In that case, the connectivity should work without "route-lookup" as well, right?
FYI: I didn't add "no-proxy-arp" in my NAT statement. I hope this is fine.