Cannot connect to ASA inside through VPN

Unanswered Question
Sep 19th, 2008

Dear all,

I am trying to set up a connection to an ASA 5505 inside interface via an IPSEC tunnel.

The reason for this is so that I can manage the ASA via the VPN, as opposed to connecting to the outside/public facing IP address (I also plan to setup our network monitor to poll SNMP on the ASA via the VPN tunnel, so that I can monitor that the VPN is up).

I have assigned the "management-access inside" command to the ASA and am able to ping the ASA inside interface IP via the VPN, however, I am unable to Telnet/SSH/ASDM/https to the ASA.

I have run a syslog debug on the ASA and I can see my telnet/ssh etc. sessions being established on the ASA, via the VPN, but it seems as though the return traffic of the telnet/ssh etc. is not coming back through the VPN, so I am thinking the issue is a routing issue.

I have checked all the usual NAT/ACL/crypto-map settings and it all looks OK, it just seems as though the ASA cannot route back through the VPN from its inside interface.

For reference, traffic from hosts inside the ASA is going back and forth through the VPN fine.

Any help would be appreciated.

Thanks.


I did this also with the 5505 a few weeks ago - what we observed was EXTREMELY HIGH CPU (90+%) when the "inside" interface is a vlan.

I suspected a bug.

Make sure you have

same-security-traffic permit intra-interface

for the hairpin, but you are already pinging so I suspect you have this command.

We abandoned our pursuit of this and continue to manage via the public interface. We did get ASDM to initially load but then take forever and freeze after a while and we could not manage the box.

Anyone else get this working?

thanks,

Joe
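The two replies above list the prerequisites for reaching the inside interface over the tunnel: "management-access inside", "same-security-traffic permit intra-interface", and NAT exemption / access lines that cover the interface address itself rather than only the LAN hosts behind it. The following script is an added example (not code from this thread or from Cisco) that audits a saved running-config for exactly those points. The config text, the interface name "inside", the VPN client pool 10.10.10.0/24 and the 7.x/8.0-era "nat (inside) 0 access-list" syntax are all constructed assumptions; adapt the parameters to your own configuration.

```python
"""Audit an ASA running-config for the settings this thread turns on:
"management-access inside", "same-security-traffic permit intra-interface",
a NAT exemption that covers the inside interface address itself, and
ssh/http lines that admit the VPN client pool on the inside interface.
Added example; the config text is constructed, not from the thread."""
import ipaddress
import re

# Constructed sample (ASA 7.x/8.0-era syntax): a 5505 with VLAN 1 as "inside",
# a VPN client pool of 10.10.10.0/24 and NAT exemption via "nat (inside) 0".
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
access-list nonat extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list nonat
same-security-traffic permit intra-interface
management-access inside
ssh 10.10.10.0 255.255.255.0 inside
http 10.10.10.0 255.255.255.0 inside
"""


def parse_interfaces(config):
    """Return {nameif: IPv4Interface} for every 'interface' block in the config."""
    result = {}
    name, addr = None, None
    for line in config.splitlines() + ["!"]:  # sentinel flushes the last block
        if not line.startswith(" "):          # a top-level line ends any block
            if name and addr:
                result[name] = addr
            name, addr = None, None
        elif line.startswith(" nameif "):
            name = line.split()[1]
        elif line.startswith(" ip address "):
            parts = line.split()              # ip address A.B.C.D M.M.M.M
            addr = ipaddress.ip_interface(f"{parts[2]}/{parts[3]}")
    return result


def acl_entries(config, acl_name):
    """Yield (src_net, dst_net) for each 'permit ip' line of the named ACL."""
    pat = re.compile(rf"^access-list {re.escape(acl_name)} extended permit ip "
                     r"(\S+) (\S+) (\S+) (\S+)$", re.M)
    for src, smask, dst, dmask in pat.findall(config):
        yield (ipaddress.ip_network(f"{src}/{smask}"),
               ipaddress.ip_network(f"{dst}/{dmask}"))


def audit(config, nameif="inside", client_pool="10.10.10.0/24"):
    """Return {check_name: bool} for the management-over-VPN prerequisites."""
    pool = ipaddress.ip_network(client_pool)
    ifaces = parse_interfaces(config)
    if nameif not in ifaces:
        raise ValueError(f"no interface with nameif {nameif!r}")
    if_addr = ifaces[nameif].ip
    lines = config.splitlines()
    findings = {
        "management_access": f"management-access {nameif}" in lines,
        "intra_interface": "same-security-traffic permit intra-interface" in lines,
        "nat_exempt_covers_interface": False,
        "ssh_from_pool": False,
        "http_from_pool": False,
    }
    # NAT exemption: the interface address itself must fall inside a source
    # network that is exempted towards the client pool, not just the LAN hosts.
    m = re.search(rf"^nat \({re.escape(nameif)}\) 0 access-list (\S+)$", config, re.M)
    if m:
        findings["nat_exempt_covers_interface"] = any(
            if_addr in src and pool.subnet_of(dst)
            for src, dst in acl_entries(config, m.group(1)))
    # ssh/http access lines must name the inside interface and cover the pool.
    for proto in ("ssh", "http"):
        for net, mask in re.findall(rf"^{proto} (\S+) (\S+) {re.escape(nameif)}$", config, re.M):
            if pool.subnet_of(ipaddress.ip_network(f"{net}/{mask}")):
                findings[f"{proto}_from_pool"] = True
    return findings


def missing(findings):
    """Names of the checks that failed, in audit order."""
    return [k for k, ok in findings.items() if not ok]


if __name__ == "__main__":
    for check, ok in audit(SAMPLE_CONFIG).items():
        print(f"{'ok     ' if ok else 'MISSING'} {check}")
```

Run it against a "show running-config" capture and any entry reported as MISSING is worth checking first; the NAT exemption test in particular catches the common case where the LAN subnet is exempted but the interface address used for management is not.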

Marwan ALshawi Fri, 09/19/2008 - 18:42

try to add the following command, then connect to the ASDM (for example via the VPN client)

asa(config)#management-access inside

good luck

if helpful Rate

s.gilbrook Wed, 09/24/2008 - 04:35

Dear all,

Thanks for the replies - I have decided to scrap this idea and do a basic poll to the outside interface of the ASA.

I will concentrate on setting up a poll to a device on the other side of the VPN, so as to periodically check that the tunnel is up.

It's a bit of a shame, as I can connect to the inside of a 501 and 515E without any trouble.

Thanks.
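The approach the last post settles on, polling a device on the far side of the tunnel to confirm the VPN is passing traffic, can be done with a plain TCP probe. The script below is an added example (not from this thread) that connects to a set of ports on a host and classifies the result; a uniform timeout is the same symptom described in the question, where packets reach the far end but nothing comes back. The host 192.0.2.10 in the usage comment is a documentation address, and demo_local() exists only so the module can be exercised offline against a listener on 127.0.0.1.

```python
"""Tunnel-liveness probe: open TCP connections to a host that sits across the
VPN and classify the outcome. Added example, not from the thread."""
import socket


def probe(host, ports, timeout=2.0):
    """Return {port: 'open' | 'refused' | 'timeout' | 'error'} for each port."""
    results = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            results[port] = "open"
        except socket.timeout:
            results[port] = "timeout"   # no SYN-ACK came back: dropped somewhere
        except ConnectionRefusedError:
            results[port] = "refused"   # host answered with RST: nothing listening
        except OSError:
            results[port] = "error"     # e.g. no route to host, name lookup failure
        finally:
            s.close()
    return results


def classify(results):
    """Summarise a probe. Any answer from the host (open or refused) proves
    packets travel both ways through the tunnel; only timeouts/errors leave the
    tunnel state unknown, which matches the one-way symptom in the question."""
    statuses = set(results.values())
    if "open" in statuses:
        return "up"
    if "refused" in statuses:
        return "host_reachable"
    return "down"


def demo_local():
    """Exercise probe() offline against a throwaway listener on 127.0.0.1.
    Returns (classification while listening, classification after closing)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))          # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = classify(probe("127.0.0.1", [port], timeout=1.0))
    srv.close()
    after_close = classify(probe("127.0.0.1", [port], timeout=1.0))
    return while_open, after_close


if __name__ == "__main__":
    # Real use (documentation address, replace with a host behind the tunnel):
    # print(classify(probe("192.0.2.10", [22, 443])))
    print(demo_local())
```

Poll a host that is only reachable through the tunnel, never the ASA's public address, so that an "up" result genuinely means the IPsec SA is carrying traffic; a "host_reachable" result still confirms the tunnel even when the chosen service is down.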
