Hi marwanshawi,

Thk you for your response.

I have made the following changes.

1)i have change "access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.255.224 " to "access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.0.0" hence the vpn address pool match my nat exemption ACL

2)i have remove the deny statement from outside_access_in acl.

After doing the above, i am still unable to telnet into the firewall after i manage to vpn into my office network.All other server can be accessed once my vpn connection is up. Pls advise, thks in advance.

even if u remove the deny

there is deny all by default called implicit deny

u need to make explicit allow

so allow what ever traffic u want the vpn client to do

like

permit tcp 172.16.0.0 255.255.0.0 [asa inside ip] eq 23

permit tcp [asa inside ip] eq 23 172.16.0.0 255.255.0.0

and also

do

clear xlate and clear conn

good luck

Hi,

Did you add the "management-access" command ?

To allow management access to an interface other than the onefrom which you

entered the security appliance when using IPSec VPN, use the management-access

command in global configuration mode.

management-access inside

Hi dhana,

Thk you for your response. After adding "management-access inside" i now can ping the internal interface of my firewall after connection to my office network via vpn which i previously could not. However i could not access my firewall via asdm and telnet even though i have allowed 0.0.0.0 0.0.0.0 to access the firewall for both telnet and asdm using the device access option available in asdm. Pls advise. Thks in advance.

Hi all. Below is my configuration. After i enable "management-access inside" i could access my firewall internal ip via ping after establishing vpn connection but not others like telnet even though "telnet 0.0.0.0 0.0.0.0 inside" is enabled. Pls advise.

interface Ethernet0/0

nameif inside

security-level 100

ip address 192.168.1x.254 255.255.255.0

!

interface Ethernet0/1

nameif DMZ

security-level 50

ip address 192.168.2x.254 255.255.255.0

!

interface Ethernet0/2

nameif outside

security-level 0

ip address 8x.xx.xx.xx 255.255.255.240

!

interface Ethernet0/3

shutdown

no nameif

no security-level

no ip address

!

interface Management0/0

nameif management

security-level 100

ip address 192.168.1.1 255.255.255.0

management-only

!

passwd xxx

ftp mode passive

same-security-traffic permit inter-interface

access-list inside_access_in extended permit ip 192.168.1x.0 255.255.255.0 any

access-list inside_access_in extended permit esp any any

access-list inside_access_in extended permit gre any any

access-list outside_access_in extended permit icmp any any

access-list outside_access_in extended deny ip any any

access-list DMZ_access_in extended permit ip 192.168.2x.0 255.255.255.0 any

access-list inside_nat0_outbound extended permit ip any 172.16.0.0 255.255.0.0

access-list split-tunnel standard permit 192.168.1x.0 255.255.255.0

access-list prod standard permit host 192.168.1x.x

access-list prod standard deny any

pager lines 24

logging enable

logging asdm-buffer-size 500

logging asdm informational

mtu inside 1500

mtu DMZ 1500

mtu outside 1500

mtu management 1500

ip local pool pool 172.16.0.1-172.16.0.20 mask 255.255.0.0

no failover

monitor-interface inside

monitor-interface DMZ

monitor-interface outside

monitor-interface management

asdm image disk0:/asdm-507.bin

no asdm history enable

arp timeout 14400

nat-control

global (outside) 100 interface

nat (inside) 0 access-list inside_nat0_outbound

nat (inside) 100 192.168.1x.0 255.255.255.0

access-group inside_access_in in interface inside

access-group DMZ_access_in in interface DMZ

access-group outside_access_in in interface outside

route outside 0.0.0.0 0.0.0.0 8x.xx.xx.xx 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00

timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00

timeout uauth 0:05:00 absolute

group-policy vpnuser internal

group-policy vpnuser attributes

dns-server value 192.168.1x.x 192.168.1x.x

split-tunnel-policy tunnelspecified

split-tunnel-network-list value prod

default-domain value mm.com

webvpn

username user password xxx encrypted privilege 15

username user attributes

vpn-group-policy vpnuser

webvpn

http server enable

http 192.168.1x.x 255.255.255.255 inside

http 0.0.0.0 0.0.0.0 inside

http 192.168.1.0 255.255.255.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

sysopt connection tcpmss 13800

crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac

crypto dynamic-map outside_dyn_map 20 set transform-set ESP-3DES-SHA

crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map

crypto map outside_map interface outside

isakmp enable outside

isakmp policy 10 authentication pre-share

isakmp policy 10 encryption 3des

isakmp policy 10 hash sha

isakmp policy 10 group 2

isakmp policy 10 lifetime 86400

tunnel-group vpnuser type ipsec-ra

tunnel-group vpnuser general-attributes

address-pool pool

default-group-policy vpnuser

tunnel-group vpnuser ipsec-attributes

pre-shared-key *

telnet 0.0.0.0 0.0.0.0 inside

telnet timeout 5

ssh timeout 5

console timeout 0

management-access inside

dhcpd address 192.168.1.2-192.168.1.254 management

dhcpd dns 8x.x.1x.x 8x.x.x.x

dhcpd lease 3600

dhcpd ping_timeout 50

dhcpd enable management

try specifying your vpn ip pool range of telnelt access...

telnet 172.16.0.0 255.255.0.0 inside

http 172.16.0.0 255.255.0.0 inside

...if your still having issues with asdm via vpn.

Hi marshall, thk you for your response. I specified what you suggested and now i can access asdm interface after connecting vpn. However i still could not access through telnet after connecting vpn. Pls advise. Thks in advance.

are you trying to access in the mgmt interface or the inside interface when trying to telnet over VPN?

Hi. I am trying to access the inside interface of my firewall over vpn. After i enable "management-access inside" i manage to access my firewall inside interface via asdm over vpn but not through telnet. Even though i have enable my vpn ip to access the firewall via telnet and asdm as below.

"http 172.20.0.0 255.255.255.0 inside"

"telnet 172.20.0.0 255.255.255.0 inside"

Hi,

You have an interface specified as manegement0/0 namif management as asa magament only interface

try

management-access management

Rgds

Jorge

i would suggest trying to add an acl for telnet access..

access-list acl_in extended permit tcp any any eq telnet