1089 Views, 0 Helpful, 7 Replies

SSH(device management) to ASA over Anyconnet

NDP
Level 1

Need help from an expert like you:

-------------------------------

Laptop -->( Internet Cloud)--->  ASA Firewall ---> LAN

 

AnyConnect profile configured on the ASA FW with tunnelspecified for the split-tunnel profile.

 

After the laptop connects to the AnyConnect VPN, a private IP range is allocated for VPN purposes.

 

I want to SSH into the same ASA firewall over the AnyConnect VPN; is there any solution to achieve it?

 

(1) Don't want to permit SSH from outside for all public IP ranges

(2) SSH inside <IP pool of AnyConnect> not working because of routing

 

Thank you in advance

 

Accepted Solution

No, when you configure that command it does not disable the other commands.
You can still manage the ASA as before.

7 Replies

Hi,

To manage the ASA via SSH/ASDM over a VPN tunnel (either AnyConnect or a Site-to-Site VPN) you need to configure the command management-access <interface-name>.

 

Reference here.


HTH

Hi,

So, if I configure "management-access inside", that will give me SSH access after I am on AnyConnect, right?

 

 

I hope this is not an intrusive change :-). I will try it if it is non-intrusive and test it; I don't have a lab setup. That's why I am asking this. Thank you for understanding.

And, if "management-access inside" is added to the device config, will it disable the other SSH inside and SSH management commands? Then it becomes a problem :-)

 

Could you help me with this? I just need SSH to the ASA box over AnyConnect, and the existing SSH inside from the office LAN should continue to work, and also SSH outside for the partner network.

 

 

No, when you configure that command it does not disable the other commands.
You can still manage the ASA as before.

I just noticed that management-access inside is already present on the device, but this is still not working.

The following is the NAT config:

---------------------

nat (outside,inside) source static <VPN subnet> <VPN subnet> destination static <10.0.0.0> <10.0.0.0> no-proxy-arp

nat (inside,outside) source static <10.0.0.0> <10.0.0.0> destination static <VPN subnet> <VPN subnet> no-proxy-arp

 

(The VPN subnet range is also in the 10.x range, but with a different netmask.)

 

I could see the connection hitting the ASA when I tried to SSH, stuck with TCP flags "SaAB".

Am I missing any other command?

You don't need both of those NAT rules, remove the first rule (from outside to inside).


Modify the remaining NAT rule and append the command "route-lookup", e.g.

 

nat (inside,outside) source static <10.0.0.0> <10.0.0.0> destination static <VPN subnet> <VPN subnet> no-proxy-arp route-lookup

HTH
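Putting the thread's advice together, here is an added example ASA configuration (not taken from the original posts or from Cisco's own documentation) showing the three pieces that were discussed: SSH scoped to the AnyConnect pool on the inside interface rather than opened to all public ranges, management-access on the inside interface, and a single identity NAT rule with route-lookup so the ASA picks the egress interface from its routing table instead of from the interfaces named in the NAT rule. The subnet 10.0.0.0/8 for the LAN, the pool 10.99.0.0/24 and the object names are constructed placeholders; substitute your own values.

```cisco
! --- Added example; addresses and object names are constructed placeholders ---

! Restrict SSH to the VPN pool on the inside interface only.
! This satisfies point (1): no SSH listener for arbitrary public ranges on outside.
ssh 10.99.0.0 255.255.255.0 inside

! Allow to-the-box management (SSH/ASDM) on the inside interface when the
! client reaches the ASA through a VPN tunnel.
management-access inside

! Objects for the LAN behind the ASA and the AnyConnect address pool.
object network LAN_NET
 subnet 10.0.0.0 255.0.0.0
object network VPN_POOL
 subnet 10.99.0.0 255.255.255.0

! Single identity NAT rule (the thread removed the outside,inside duplicate).
! no-proxy-arp stops the ASA from answering ARP for the pool on inside;
! route-lookup makes the ASA choose the egress interface by routing table.
nat (inside,outside) source static LAN_NET LAN_NET destination static VPN_POOL VPN_POOL no-proxy-arp route-lookup
```

Before and after the change, `show conn` for the SSH session from the VPN client is the quickest check: the thread's symptom was a connection stuck at flags "SaAB", and a working session shows the handshake completing. Keep the "before" and "after" outputs in the change record so the NAT modification can be reverted with confidence if office-LAN or partner SSH access regresses.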

 

SSH to the device is successful after adding the NAT rule at serial no. 1 with "route-lookup".

 

I am still wondering why we need "route-lookup" in the NAT statement. My box is running 9.12. In 8.4 and later images, identity NAT statements (with optional interfaces specified) decide the egress interface. In that case, the connectivity should work without "route-lookup" as well, right?

 

FYI: I didn't add no-proxy-arp in my NAT statement. Hope this is fine.

 
