Administration of ASA over IPSec VPN

knetzorg
Level 1

I recently upgraded my ASA5505 to 8.2.1 from 7.2 and have oddly lost the ability to manage the unit from a VPN connection (via ASDM or SSH). Prior to the upgrade, I was able to connect via either method without issue over the VPN. Internally, I continue to have no issue.

The failure message on the ASDM client when I try to connect remotely is 'Unable to launch device manager from 10.x.x.x:4444'. If I look at the console output in Informational mode, I see eventually there is a 'Flow terminated by TCP intercept' as it relates to the conversation between the ASA and my remote system.

The lines of the config are (I've got webvpn running on 443):

http server enable 4444
http 10.x.x.x 255.x.x.x inside
http 192.x.x.x 255.x.x.x outside

The 192 range is the VPN DHCP range that the VPN clients get (and I've verified) such that these systems should be able to connect to the ASDM or SSH management interface.

Is there another ACL I need to make this work? Not sure why it worked without issue on 7.2 and as soon as I upgraded to 8.2.1, it stopped, without any (manual) changes to the config.

Thanks in advance for the assistance!



JORGE RODRIGUEZ
Level 10

Hi, do you have a management-access statement? If not, add it to your config and try again.

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2027985

Example:

asa(config)#management-access inside

Regards

Jorge Rodriguez

Thanks for the response.

Sorry, I did forget to include that in the above config notes. It is in there... along with similar commands for SSH:

ssh 10.x.x.x 255.x.x.x inside
ssh 192.x.x.x 255.x.x.x outside
ssh timeout 60
console timeout 120
management-access inside

I remain stumped... Any other thoughts/experiences?

Thanks!

Point the VPN network ssh entry to inside instead of outside; it should work, while VPN'd in, to SSH to the ASA inside interface IP address.

no ssh 192.x.x.x 255.x.x.x outside
ssh 192.x.x.x 255.x.x.x inside

Regards

Jorge Rodriguez
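The mismatch the accepted answer fixes is easy to miss in a long config: with management-access inside, VPN clients reach the ASA on its inside address, so the http/ssh entry that permits the VPN pool has to name the inside interface, not the interface the tunnel terminates on. The following checker is an added example written for this thread; it is not code from the original posts or from Cisco. It parses the three relevant line types (http, ssh, management-access) from a constructed sample config (the 10.0.0.0/24 and 192.168.50.0/24 addresses are placeholders standing in for the masked 10.x.x.x and 192.x.x.x ranges in the post) and reports each protocol whose VPN-pool entry is bound to a different interface than management-access, along with the no/re-add lines that move it.

```python
"""Audit ASA management-plane ACLs for remote-access VPN clients.

Added example for this thread (not from the original posts or from Cisco):
given ASA 'http', 'ssh' and 'management-access' lines, report protocols
whose VPN-pool entry is bound to an interface other than the one named in
'management-access', which is the mismatch the accepted answer corrects.
"""
import ipaddress
import re

# Constructed sample configs. The original post masks addresses with 'x';
# the 10.0.0.0/24 and 192.168.50.0/24 values below are placeholders.
VPN_POOL = ipaddress.ip_network("192.168.50.0/24")

BROKEN_CONFIG = """\
http server enable 4444
http 10.0.0.0 255.255.255.0 inside
http 192.168.50.0 255.255.255.0 outside
ssh 10.0.0.0 255.255.255.0 inside
ssh 192.168.50.0 255.255.255.0 outside
ssh timeout 60
console timeout 120
management-access inside
"""

FIXED_CONFIG = BROKEN_CONFIG.replace("255.255.255.0 outside", "255.255.255.0 inside")

# 'http <net> <mask> <ifname>' and 'ssh <net> <mask> <ifname>' (IPv4 only here).
_ACL_RE = re.compile(
    r"^(?P<proto>http|ssh)\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mask>\d+\.\d+\.\d+\.\d+)\s+(?P<iface>\S+)\s*$"
)
_MGMT_ACCESS_RE = re.compile(r"^management-access\s+(?P<iface>\S+)\s*$")


def parse_config(text):
    """Return (management_access_iface or None, [(proto, network, iface), ...])."""
    mgmt_iface = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = _MGMT_ACCESS_RE.match(line)
        if m:
            mgmt_iface = m["iface"]
            continue
        m = _ACL_RE.match(line)
        if m:
            net = ipaddress.ip_network(f"{m['net']}/{m['mask']}", strict=False)
            entries.append((m["proto"], net, m["iface"]))
    return mgmt_iface, entries


def audit_vpn_management(text, vpn_pool):
    """List findings for http/ssh entries that permit the VPN pool on the wrong interface.

    VPN clients that manage the ASA via its inside address arrive through
    'management-access <iface>', so the entry covering the pool must name
    that same interface for the session to be accepted.
    """
    mgmt_iface, entries = parse_config(text)
    if mgmt_iface is None:
        return ["no 'management-access' statement; VPN clients cannot reach "
                "the ASA's inside address for management"]
    findings = []
    for proto in ("http", "ssh"):
        covering = [(net, iface) for p, net, iface in entries
                    if p == proto and vpn_pool.subnet_of(net)]
        if not covering:
            findings.append(f"{proto}: no entry covers VPN pool {vpn_pool}")
        elif not any(iface == mgmt_iface for _, iface in covering):
            ifaces = ", ".join(sorted({iface for _, iface in covering}))
            findings.append(
                f"{proto}: VPN pool {vpn_pool} is permitted only on '{ifaces}', "
                f"but management-access is '{mgmt_iface}'; rebind the entry to "
                f"'{mgmt_iface}'"
            )
    return findings


def suggested_fix(text, vpn_pool):
    """Emit the 'no ...' / re-add lines that move wrong-interface pool entries."""
    mgmt_iface, entries = parse_config(text)
    lines = []
    for proto, net, iface in entries:
        if mgmt_iface and vpn_pool.subnet_of(net) and iface != mgmt_iface:
            lines.append(f"no {proto} {net.network_address} {net.netmask} {iface}")
            lines.append(f"{proto} {net.network_address} {net.netmask} {mgmt_iface}")
    return lines


if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {name} ==")
        for finding in audit_vpn_management(cfg, VPN_POOL) or ["OK"]:
            print("  ", finding)
        for line in suggested_fix(cfg, VPN_POOL):
            print("  ", line)
```

Run against the broken sample it flags both http and ssh and prints the same four lines the accepted answer gives (the no/re-add pair for each protocol); against the fixed sample it reports nothing. It only looks at the three line types discussed in the thread; interface ACLs, NAT exemption for the pool, and IPv6 entries are out of scope.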

That worked great for SSH so I also switched the ASDM line over to 'inside' and that seems to have fixed that issue as well.

Thanks a lot for the responses this evening!

You're very welcome, glad it worked. Thanks for rating.

Regards

Jorge Rodriguez

This solution worked for me as well, with 1 additional step. I actually had to delete my previous entry for ssh 10.x.x.x, and re-enter the same line. After that it worked like a champ.