Administration of ASA over IPSec VPN

Answered Question
Jul 20th, 2009

I recently upgraded my ASA5505 to 8.2.1 from 7.2 and have oddly lost the ability to manage the unit from a VPN connection (via ASDM or SSH). Prior to the upgrade, I was able to connect via either method without issue over the VPN. Internally, I continue to have no issue.


The failure message on the ASDM client when I try to connect remotely is 'Unable to launch device manager from 10.x.x.x:4444'. If I look at the console output in Informational mode, I eventually see a 'Flow terminated by TCP intercept' message for the conversation between the ASA and my remote system.


The lines of the config are (I've got webvpn running on 443):

http server enable 4444

http 10.x.x.x 255.x.x.x inside

http 192.x.x.x 255.x.x.x outside


The 192 range is the VPN DHCP range that the VPN clients get (and I've verified) such that these systems should be able to connect to the ASDM or SSH management interface.


Is there another ACL I need to make this work? Not sure why it worked without issue on 7.2 and as soon as I upgraded to 8.2.1, it stopped, without any (manual) changes to the config.


Thanks in advance for the assistance!

knetzorg Mon, 07/20/2009 - 16:20

Thanks for the response.


Sorry, I forgot to include that in the config notes above. It is in there, along with similar commands for SSH:


ssh 10.x.x.x 255.x.x.x inside

ssh 192.x.x.x 255.x.x.x outside

ssh timeout 60

console timeout 120

management-access inside


I remain stumped. Any other thoughts or experiences?


Thanks!

Correct Answer
JORGE RODRIGUEZ Mon, 07/20/2009 - 19:03

Point the VPN network's SSH entry at the inside interface instead of outside; it should work. While VPN'd in, SSH to the ASA's inside interface IP address.


no ssh 192.x.x.x 255.x.x.x outside

ssh 192.x.x.x 255.x.x.x inside



Regards


knetzorg Mon, 07/20/2009 - 19:09

That worked great for SSH so I also switched the ASDM line over to 'inside' and that seems to have fixed that issue as well.


Thanks a lot for the responses this evening!
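As an added example (not code from this thread, from Cisco, or from any of the posters), here is a small Python checker that applies the rule from Jorge's answer and knetzorg's follow-up to a config like the one posted: with management-access inside, every ssh and http entry that covers the VPN client pool must reference the inside interface, and any such entry bound to another interface should be removed and re-added on the management-access interface. The script parses the management entries, flags the mismatches, and emits the no ssh ... / ssh ... inside command pairs. The concrete addresses (10.1.1.0/24 for the inside LAN, 192.168.10.0/24 for the VPN pool) are constructed stand-ins for the masked 10.x.x.x and 192.x.x.x ranges in the thread; the script only encodes the rule the thread describes and does not talk to an ASA.

```python
import ipaddress
import re
from typing import List, Optional, Tuple

# Constructed sample: the thread's config with placeholder octets filled in.
# 10.1.1.0/24 (inside LAN) and 192.168.10.0/24 (VPN pool) are assumptions.
SAMPLE_CONFIG = """\
http server enable 4444
http 10.1.1.0 255.255.255.0 inside
http 192.168.10.0 255.255.255.0 outside
ssh 10.1.1.0 255.255.255.0 inside
ssh 192.168.10.0 255.255.255.0 outside
ssh timeout 60
console timeout 120
management-access inside
"""

# ssh/http/telnet share the "<proto> <network> <mask> <interface>" syntax.
MGMT_RE = re.compile(
    r"^(ssh|http|telnet)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s*$"
)

Entry = Tuple[str, ipaddress.IPv4Network, str]  # (protocol, network, interface)


def parse_config(text: str) -> Tuple[List[Entry], Optional[str]]:
    """Collect management-access ACL entries and the management-access interface."""
    entries: List[Entry] = []
    mgmt_if: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = MGMT_RE.match(line)
        if m:
            proto, host, mask, iface = m.groups()
            # ip_network accepts dotted-decimal masks; strict=False tolerates host bits.
            net = ipaddress.ip_network(f"{host}/{mask}", strict=False)
            entries.append((proto, net, iface))
        elif line.startswith("management-access "):
            mgmt_if = line.split()[1]
    return entries, mgmt_if


def find_misplaced(entries: List[Entry], mgmt_if: Optional[str], vpn_pool: str) -> List[Entry]:
    """Entries that cover the VPN pool but are bound to an interface other than
    the management-access one. Without management-access there is nothing to
    compare against, so nothing is flagged."""
    if mgmt_if is None:
        return []
    pool = ipaddress.ip_network(vpn_pool)
    return [e for e in entries if e[1].overlaps(pool) and e[2] != mgmt_if]


def fix_commands(misplaced: List[Entry], mgmt_if: str) -> List[str]:
    """Emit the remove/re-add pairs in the form the answer used."""
    cmds: List[str] = []
    for proto, net, iface in misplaced:
        cmds.append(f"no {proto} {net.network_address} {net.netmask} {iface}")
        cmds.append(f"{proto} {net.network_address} {net.netmask} {mgmt_if}")
    return cmds


if __name__ == "__main__":
    entries, mgmt_if = parse_config(SAMPLE_CONFIG)
    bad = find_misplaced(entries, mgmt_if, "192.168.10.0/24")
    for proto, net, iface in bad:
        print(f"{proto} entry for {net} is on '{iface}', management-access is '{mgmt_if}'")
    for cmd in fix_commands(bad, mgmt_if or "inside"):
        print(cmd)
```

Run it against a copy of show running-config (with the real VPN pool passed to find_misplaced) before pasting the emitted commands into configure terminal; it is deliberately read-only. Note that the checker treats the management-access interface as authoritative, so it would also flag an entry that is "correct" for a client on the outside interface if that client is not coming in over the VPN.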

JORGE RODRIGUEZ Tue, 07/21/2009 - 07:51

You're very welcome, glad it worked. Thanks for rating.


Regards


jms112080 Fri, 07/31/2009 - 06:28

This solution worked for me as well, with one additional step. I actually had to delete my previous entry for ssh 10.x.x.x and re-enter the same line. After that it worked like a champ.
