Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1213
Views
10
Helpful
12
Replies

ASA 5510 7.0(7) Unable to manage over VPN

gordonmarkus
Level 1
Level 1

‎07-09-2008 10:02 AM - edited ‎03-11-2019 06:11 AM

Hi Everyone,

I am hoping that someone on here can help me out, as I am going out of my mind with this issue that I've been working on for the last few days.

I have a customer that has an ASA5510 behind their ISP router, and we are using it as a RAS VPN server for some remote workers. The VPNs all work fine, and we can connect, and reach devices on the network ok. However, when it comes to managing the ASA over the VPN either via asdm or telnet, the session fails.

The RAS users get allocated an address in the 10.9.1.0/24 subnet, and this is routable from the ASA (the route table shows it as a static route, via the ISP router when an VPN user is connected). The VPN users can ping the inside interface on the ASA ok as well. Users on the inside interface (LAN side) can use telnet & ASDM, so I know that the server processes are running on the ASA ok.

Looking at the debug/monitor on the ASA, I don't see the telnet/http sessions being blocked by any ACLS or anything which is what is really confusing me!

I've attached a config if you would like to take a look...

As an aside - the customer has a 2nd ASA on the same LAN segment (10.0.1.x), and when users are connected to the 1st ASA via VPN, they can manage the 2nd ASA with telnet/ASDM no problem. I suspect that this is because the 2nd box sees the 10.9.1.x addresses as inside, whereas the 1st ASA sees the 10.9.1.x addresses as outside.

Any help would be really appreciated!

Thanks,

-Gordon

Labels:
Preview file
6 KB
0 Helpful
12 Replies 12

JORGE RODRIGUEZ
Level 10
Level 10

‎07-09-2008 08:47 PM

Gordon,

Please correct the following statements.

no http 10.9.1.0 255.255.255.0 outside

no telnet 10.9.1.0 255.255.255.0 outside

and replace with

http 10.9.1.0 255.255.255.0 inside

telnet 10.9.1.0 255.255.255.0 inside

After making above changes, vpn network will be able to manage firewall while VPN in.

Rgds

-Jorge

Jorge Rodriguez
0 Helpful

gordonmarkus
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎07-10-2008 09:17 AM

Hi,

Thanks for that. I did try it when I was implementing the VPN's, and again today but it didn't make any difference unfortunately.

When you do a 'show route' on the ASA, it sees the 10.9.1.x clients as outside, via the service provider router, hence why I have the http & telnet set as outside.

Any further advice/comments appreciated!

Thanks,

-Gordon

0 Helpful

a.alekseev
Level 7
Level 7
In response to gordonmarkus

‎07-10-2008 09:28 AM

management-access

To allow management access to an interface other than the onefrom which you entered the security appliance when using IPSec VPN, use the management-access command in global configuration mode. To disable, use the no form of this command.

management-access mgmt_if

[Pls RATE if HELPS]

0 Helpful

gordonmarkus
Level 1
Level 1
In response to a.alekseev

‎07-10-2008 09:35 AM

Hi,

Thanks for that.

I have the line:

management-access inside

in my config, so I would have thought that would allow management access to the 10.0.1.249 (inside) interface.

Any further ideas/advice welcome.

-Gordon

0 Helpful

lchancy
Level 1
Level 1
In response to gordonmarkus

‎07-10-2008 10:39 AM

I'm having a similar problem with SSH to an ASA through remote VPN. Hopefully if your issue gets resolved there will be some tips to solving my own.

The "management-access Inside" statement was added and I have an "ssh [vpnpool] [vpnmask] Inside" statement already (from K77528143 of the CiscoWiki), but the SSH connection times out, although I can ping the Inside IP as well as SSH without the VPN to the Outside interface.

0 Helpful

acomiskey
Level 10
Level 10
In response to lchancy

‎07-10-2008 10:41 AM

7.0.7 is pretty old.

JORGE RODRIGUEZ
Level 10
Level 10
In response to acomiskey

‎07-10-2008 10:57 AM

Larry,.. Adam brought up interesting point perhaps common denominator, what version of code are you running , is the the same code as origincal poster? although I don't see any bugs on caveats related to asa management over vpn , but may well be new.

Jorge Rodriguez
0 Helpful

lchancy
Level 1
Level 1
In response to JORGE RODRIGUEZ

‎07-10-2008 11:09 AM

In this particular case, yes it is 7.0(7).

I'll see if I can get it migrated to 7.2(3) to find out if the problem persists.

0 Helpful

a.alekseev
Level 7
Level 7
In response to lchancy

‎07-10-2008 11:18 AM

I have 7.2(3) and it works, I can get access to asa through VPN

0 Helpful

gordonmarkus
Level 1
Level 1
In response to a.alekseev

‎07-10-2008 11:30 AM

That's encouraging.

I'll get our boxes upgraded asap!

Thanks for all the help/advice.

Regards,

-Gordon

0 Helpful

lchancy
Level 1
Level 1
In response to gordonmarkus

‎07-10-2008 12:13 PM

I upgraded from 7.0(7) to 7.2(3) and SSH worked for me without any additional changes.

I'd bet this works for you as well.

0 Helpful

JORGE RODRIGUEZ
Level 10
Level 10
In response to lchancy

‎07-10-2008 01:52 PM

Larry, thanks for updating the post with such positive results, would you mind to rate this post as resolved as well as rate participants who helped , Adam brought the spark in untimately resolving this.

Posts that are resolved helps others in the search for an answer who may have similar issues.

Rgds

Jorge

Jorge Rodriguez
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card