Accessing hosts on the Management network from a VPN client

Jan 20th, 2010

Hi there,


I have the following setup on my ASA 5520


Public interface - 100 - 202.xx.xx.xx

Private - 0 - 172.24.16.200/24

Management - 0 - 172.19.120.27/24


Issue:


From a VPN client, I can ping any host on the management network (172.19.120.0/24), because I have removed the "management only" option. However, I can't really do anything on those hosts (RDP, http, etc) apart from ping.


Checking the logs, this is what I get when I try to RDP to a host on the Mgt network:



Severity 6, Jan 20 2010 23:40:52, syslog ID 106015, source 172.19.120.11/3389, destination 172.24.206.1/1894: Deny TCP (no connection) from 172.19.120.11/3389 to 172.24.206.1/1894 flags SYN ACK on interface Private


What are my options? I can think of two:


  • Create another Management VLAN
  • Disable Management interface and use inside for management.


Any advice would be helpful.
Yudong Wu Wed, 01/20/2010 - 22:14

From the log, it looks like the SYN ACK was received on the Private interface. But the SYN packet from the VPN client to the host .11 should be sent out from the management interface. What is the default gateway configured on the host in the management network 172.19.120.0/24? Can you make sure it is pointed to the management interface on the ASA.
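The diagnosis in the reply above (a SYN ACK for a server behind Management arriving on Private) is the classic asymmetric-path signature in %ASA-6-106015 messages. The script below is an added example, not code from this thread or from Cisco: it parses constructed 106015 lines written in the real message syntax, maps the source of each denied SYN ACK back to the interface whose subnet owns it (the Private/Management subnet map is taken from the question; the 172.24.206.0/24 VPN pool is assumed from the logged client address), and flags replies that came back on an interface other than the one the server sits behind.

```python
"""Spot asymmetric-return-path symptoms in Cisco ASA %ASA-6-106015 messages.

A SYN ACK that the ASA denies with "no connection" means the firewall has no
connection entry for it on the interface where it arrived: the server's reply
came back on a different interface from the one the client's SYN left on.
"""
import ipaddress
import re
from collections import Counter

# Assumed interface-to-subnet map, taken from the topology in the question.
# The VPN pool (172.24.206.0/24 in the sample) is not a connected interface.
INTERFACE_NETS = {
    "Private": ipaddress.ip_network("172.24.16.0/24"),
    "Management": ipaddress.ip_network("172.19.120.0/24"),
}

# Constructed sample log in %ASA-6-106015 syntax; these are not lines from the thread.
SAMPLE_LOG = """\
%ASA-6-106015: Deny TCP (no connection) from 172.19.120.11/3389 to 172.24.206.1/1894 flags SYN ACK on interface Private
%ASA-6-106015: Deny TCP (no connection) from 172.19.120.12/80 to 172.24.206.1/52011 flags SYN ACK on interface Private
%ASA-6-106015: Deny TCP (no connection) from 172.24.16.50/443 to 172.24.206.1/52012 flags SYN ACK on interface Private
%ASA-6-106015: Deny TCP (no connection) from 203.0.113.9/445 to 172.24.16.20/60000 flags RST on interface Public
"""

MSG_106015 = re.compile(
    r"%ASA-\d-106015: Deny TCP \(no connection\) from "
    r"(?P<src>\d+(?:\.\d+){3})/(?P<sport>\d+) to "
    r"(?P<dst>\d+(?:\.\d+){3})/(?P<dport>\d+) "
    r"flags (?P<flags>[A-Z ]+?) on interface (?P<iface>\S+)"
)


def interface_for(ip):
    """Name of the directly connected interface whose subnet owns ip, or None."""
    addr = ipaddress.ip_address(ip)
    for name, net in INTERFACE_NETS.items():
        if addr in net:
            return name
    return None


def parse_106015(line):
    """Return the fields of one 106015 message, or None for any other line."""
    m = MSG_106015.search(line)
    return m.groupdict() if m else None


def find_asymmetric(log_text):
    """Flag denied SYN ACKs whose source sits behind a different interface
    than the one they arrived on: the server's reply took another path."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_106015(line)
        if rec is None or rec["flags"] != "SYN ACK":
            continue
        owner = interface_for(rec["src"])
        if owner is not None and owner != rec["iface"]:
            findings.append({
                "server": f'{rec["src"]}:{rec["sport"]}',
                "client": f'{rec["dst"]}:{rec["dport"]}',
                "owning_interface": owner,
                "seen_on": rec["iface"],
            })
    return findings


def summarize(findings):
    """Count mismatches per (owning interface, seen-on interface) pair."""
    return Counter((f["owning_interface"], f["seen_on"]) for f in findings)


if __name__ == "__main__":
    hits = find_asymmetric(SAMPLE_LOG)
    for h in hits:
        print(f'{h["server"]} -> {h["client"]}: reply arrived on '
              f'{h["seen_on"]}, but the server is behind {h["owning_interface"]}')
    for (owner, seen), n in summarize(hits).items():
        print(f"{n} SYN ACK(s) from {owner} hosts arrived on {seen}: "
              f"check the gateway/route for the VPN pool on the {owner} segment")
```

A mismatch means the client's SYN left the ASA on one interface while the server's reply re-entered on another; the ASA only has a connection entry for the interface pair the SYN used, so the reply is denied. The remedy is on the routing side (the server's default gateway, or a route for the VPN pool pointing at the ASA's Management address), not an extra ACL entry.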

james.bastnagel Fri, 01/22/2010 - 10:39

I can't tell from the post without seeing the configs, but you may need to add an ACL entry on one of the interfaces and/or a static nat translation for the VPN segment since you are passing traffic from a lower to a higher security level interface.
