ASA5510 blocking VPN traffic, states internal devices are on Mgmt Network

Unanswered Question
Jun 30th, 2010

Just switched over from an ASA5505 to the ASA 5510 today and am in the process of setting up the Remote Access VPN connection. Ran the wizard using ASDM and set up the VPN - worked like a charm, installed a few programs remotely and all was well.

Well, I went into the Interfaces menu (ASDM) and selected "Enable traffic between two or more interfaces which are configured with same security levels".

After that point, no VPN connection can reach any internal machines - the firewall log says:

Through the device packet to/from management network is denied; icmp src management:192.168.1.65 dst outside:192.168.ff1.175 (type 0, code 0) - the .175 is the connected VPN computer.

Problem is 192.168.1.65 is on the internal network, not the management network, so why does it apply the management ACL?

I've gone back and disabled traffic between like security level interfaces and still no go. It thinks all internals are on the management interface and I can't figure it out.

All other communications are fine at this point - just the vpn clients get this message.

Thanks in advance,

E B

Federico Coto F... Wed, 06/30/2010 - 10:11

Hi,

Seems something got messed-up in the configuration.

Can you post the relevant part of your configuration?

Federico.

erikjbrown Thu, 07/01/2010 - 10:52

Well I did eventually figure out a way around this.

We were using an IP address pool in the same subnet as our internal network - this was a problem.

I created a new VLAN for the VPN, set up split tunneling on the connection to expose our internal network to that VLAN, and all is working fine now.

Cisco Newb

E B
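The fix erikjbrown describes, as an added configuration example that is not from the thread: an ASA remote-access address pool carved out of the inside LAN itself, beside the same pool moved to a dedicated subnet with a split-tunnel list and a NAT exemption so inside hosts and VPN clients see each other's real addresses. Interface names, addresses, pool and group names, and the ASA 8.2-era command syntax are all assumptions.

```cisco
! Constructed example, not the poster's configuration. Addresses, names and
! ASA 8.2 syntax are assumptions.

! --- Before: pool overlaps the inside LAN. Inside hosts ARP for the VPN
! --- client's address on their own segment instead of routing it back to
! --- the ASA, and the ASA's own connected route for 192.168.1.0/24 competes
! --- with the per-client host routes it installs for the pool.
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
ip local pool RA-POOL 192.168.1.150-192.168.1.199 mask 255.255.255.0

! --- After: pool on its own subnet (assumed 192.168.50.0/24), reachable
! --- from the inside LAN only via the ASA.
ip local pool RA-POOL 192.168.50.10-192.168.50.100 mask 255.255.255.0
!
! Networks the client sends through the tunnel; everything else goes direct.
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
!
! NAT exemption for inside <-> pool (8.2 syntax). On 8.3 and later this is
! instead:  nat (inside,outside) source static INSIDE-NET INSIDE-NET
!                destination static RA-NET RA-NET
access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 192.168.50.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
!
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
!
tunnel-group RA-TG type remote-access
tunnel-group RA-TG general-attributes
 address-pool RA-POOL
 default-group-policy RA-POLICY
```

Two checks worth running after the change: `show route` while a client is connected should list a host route for the client's pool address pointing out the outside interface, and `packet-tracer input inside icmp 192.168.1.65 8 0 192.168.50.20` should end in ALLOW with the outside interface as egress rather than a management-interface deny. Internal hosts also need a path to the new pool subnet that leads back to the ASA inside interface (their default gateway, or a static route on the core switch if the ASA is not the gateway), since the pool subnet no longer looks local to them.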
