07-20-2009 01:37 PM - edited 02-21-2020 04:17 PM
I recently upgraded my ASA5505 to 8.2.1 from 7.2 and have oddly lost the ability to manage the unit from a VPN connection (via ASDM or SSH). Prior to the upgrade, I was able to connect via either method without issue over the VPN. Internally, I continue to have no issue.
The failure message on the ASDM client when I try to connect remotely is 'Unable to launch device manager from 10.x.x.x:4444'. If I look at the console output in Informational mode, I see eventually there is a 'Flow terminated by TCP intercept' as it relates to the conversation between the ASA and my remote system.
The lines of the config are (I've got webvpn running on 443):
http server enable 4444
http 10.x.x.x 255.x.x.x inside
http 192.x.x.x 255.x.x.x outside
The 192 range is the VPN DHCP range that the VPN clients get (and I've verified) such that these systems should be able to connect to the ASDM or SSH management interface.
Is there another ACL I need to make this work? Not sure why it worked without issue on 7.2 and as soon as I upgraded to 8.2.1, it stopped, without any (manual) changes to the config.
Thanks in advance for the assistance!
07-20-2009 02:30 PM
Hi, do you have management-access statement? if not add it to your config and try again.
http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2027985
example
asa(config)#management-access inside
Regards
07-20-2009 04:20 PM
Thanks for the response.
Sorry, I did forget to include that in the above config notes. It is in there, along with similar commands for SSH:
ssh 10.x.x.x 255.x.x.x inside
ssh 192.x.x.x 255.x.x.x outside
ssh timeout 60
console timeout 120
management-access inside
I remain stumped. Any other thoughts/experiences?
Thanks!
07-20-2009 07:03 PM
Point the VPN network's ssh interface to inside instead of outside; it should work, while VPN'd in, to ssh to the ASA inside interface IP address.
no ssh 192.x.x.x 255.x.x.x outside
ssh 192.x.x.x 255.x.x.x inside
Regards
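The fix above comes down to which interface the management ACL names. With `management-access inside` configured, a VPN client reaches the ASA on the inside interface IP through the tunnel, so the `ssh` and `http` permit lines for the VPN pool must name `inside` even though the encrypted traffic arrives on `outside`. The following is an added illustration, not configuration from this thread; the pool address (192.168.100.0/24), the inside address and the port 4444 are constructed placeholders standing in for the masked values in the posts.

```cisco
! --- Constructed example, not from the original thread ---
! Weak/wrong form: the VPN pool is permitted on the interface the tunnel
! terminates on. Management sessions to the inside IP are matched against
! the inside ACL, find no permit entry, and are dropped.
ssh 192.168.100.0 255.255.255.0 outside
http 192.168.100.0 255.255.255.0 outside

! Corrected form: permit the pool on the interface whose IP the client
! actually connects to, and allow management on a non-ingress interface.
management-access inside
http server enable 4444
no ssh 192.168.100.0 255.255.255.0 outside
ssh 192.168.100.0 255.255.255.0 inside
no http 192.168.100.0 255.255.255.0 outside
http 192.168.100.0 255.255.255.0 inside

! Keep the management scope narrow: the pool mask, not 0.0.0.0 0.0.0.0,
! so only tunnelled clients can reach SSH/ASDM on the inside IP.
ssh timeout 60

! Verification after the change (exec mode):
! show running-config ssh
! show running-config http
! show running-config management-access
```

If a client still cannot connect after the lines are updated, re-entering the affected `ssh` or `http` line (as the last poster in this thread did) forces the ASA to rebuild the entry; `show asp drop` run before and after a connection attempt will show whether the session is still being dropped by the ASA rather than lost on the network.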
07-20-2009 07:09 PM
That worked great for SSH so I also switched the ASDM line over to 'inside' and that seems to have fixed that issue as well.
Thanks a lot for the responses this evening!
07-21-2009 07:51 AM
You're very welcome, glad it worked. Thx for rating.
Regards
07-31-2009 06:28 AM
This solution worked for me as well, with 1 additional step. I actually had to delete my previous entry for ssh 10.x.x.x, and re-enter the same line. After that it worked like a champ.