Question about ASDM through VPN

Answered Question
May 21st, 2012

Hello again

I configured ASA 5510 management through the inside interface.  When I am in the office connected to the LAN I have no problem running ASDM.  However, when I'm outside the office and I connect through the Cisco SSL VPN Service I can't manage the ASA5510 even though I can access all the shared resources on the network.

When I attempt to run ASDM when connected via VPN I get the error message..  "Unable to launch device manager from x.x.x.x"  (inside address of the ASA5510).

How dangerous would it be if I just activated management via the Outside interface?


Correct Answer by Julio Carvajal about 4 years 9 months ago

Hello Edward,

Please change the pool to a different subnet than the ASA interface... That will make the ASA a little crazy regarding communications between the local pool and the local subnet.

Can you add the following command as well

management-access inside


Do rate all the helpful posts


rizwanr74 Mon, 05/21/2012 - 13:10

Hi Edward,

Have you tried the config below? I assume your remote VPN client pool is: ; you may change it to reflect your pool.

http server enable

http outside

"How dangerous would it be if I just activated management via the Outside interface?"

It is dangerous to enable it over a public address; however, the above config is set for a private address, which must come off the VPN client session.

I hope that answers your question.


Rizwan Rafeek

Edward Luna Mon, 05/21/2012 - 14:21

Thank you for your quick response.

My remote vpn address pool is to    

I added the commands you suggested (changed for my pool) but I still get the same error when I try to run ASDM via VPN.

I ran ipconfig on the client after the VPN was established and ipconfig indicates that the IP address of the client computer is .  When I connect directly to the LAN (no VPN) the ip address of the client is 10.1.1.x and I have no problem running ASDM and connecting to but when I open the VPN and get an IP address of I can no longer run ASDM from

There must be something in the VPN preventing the ASDM application from running.  Is there someplace in AnyConnect VPN where I can tell it to allow ASDM?

Jim Heuton Tue, 06/23/2015 - 15:12

This problem had been hounding us since we upgraded our ASAs from 8.4.1 to 9.1.5.  Found another forum posting explaining what had changed with NAT, made the suggested change, and we were once again able to ping and manage our ASAs (SSH/ASDM) from an AnyConnect VPN session through the same ASA.

Here's the link (hope it doesn't get deleted):

Basically, make sure you add the "route-lookup" command to the end of your VPN NAT entry. Resolved our problem in about 2 minutes...  HTH - Jim

Edward Luna Mon, 05/21/2012 - 14:34

Am I correct in assuming that the client computer once connected to the Cisco VPN is using a 10.1.1.x IP address but is connected to the outside interface of the ASA5510?  If so then I suppose the ASA needs some way of knowing which direction the packets should be flowing.  In which case, using 10.1.1.x VPN addresses would be in conflict with the 10.1.1.x internal ip addresses.

Should I change the VPN address pool to use ip addresses that belong to a different subnet than the inside ip address pool?  Maybe something like for the VPN address pool like you had originally indicated?

The more I think of it the more I'm becoming convinced that it must have been a mistake to make the VPN address pool and the internal address pool the same subnet.

I'll go change it and let you know what happens.

Edward Luna Mon, 05/21/2012 - 15:36

I changed the VPN address pool and it didn't make any difference.

1.  Can I/should I use addresses from the inside subnet for the VPN address pool?

2.  When I changed the VPN address pool to and opened the VPN I was assigned address but I was also assigned a default gateway of  I would not have expected to be assigned a default gateway for a VPN connection.

I can ping from the client... basically it's pinging itself... but I can't ping the default gateway that was assigned to my client.  Not much use for a default gateway that you can't ping.  Do you know where that default gateway is coming from?


rizwanr74 Mon, 05/21/2012 - 17:29

Hi Edward,

Please try this and let me know if this helps.

management-access inside

"Do you know where that default gateway is coming from?" from ASA.

If you have not enabled split-tunnel, VPN clients will be injected with a default gateway.

Edward Luna Tue, 05/22/2012 - 14:31

I apologize for being so dense but I just don't understand the answers I'm getting.  I'm certain it is 100% my fault but I must understand the answers before I can implement them.

I don't use the CLI, I use the GUI.  Regardless of which way I get the commands in the result should be the same.

Maybe if we can just clear-up my misunderstandings one at a time we might get this thing to work.

Here are some givens...

My inside address pool is thru

The inside address of the ASA is

My VPN address pool is thru mask

In the GUI Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH entry screen I have


Interface = Internal (inside)

IP address = mask

Note: According to what I have read, the IP address entered in the GUI is either the host IP that is allowed to access the ASDM via the Internal interface or it is an entire network.  However, if I enter any IP address with a value greater than zero in the 4th octet, I can not use mask, it gives me a network address error (makes sense).  So for now I have left the allowed hosts to any host on the internal network by entering IP mask

I know that the internal interface is enabled for ASDM because I can access it when I am connected to the LAN.  The only time I can't access it is when I am connected via the VPN (Anyconnect).  Perhaps I have a VPN issue rather than a remote administration of ASDM issue but the Anyconnect client says I am connected and I can see packets transferring both ways. 

Edward Luna Tue, 05/22/2012 - 15:34

I think we've made some progress. 

I changed the VPN address pool to I left the inside address pool as it was

I then applied the new address pool to the VPN connection profile in the GUI.

I then ran the command management-access internal (inside)

I then ran the command write memory.

After I did that I opened a VPN session and attempted to run ASDM.  The first screen came up as usual asking for Device IP address/Name

I selected the internal ip address and clicked OK

After clicking OK is where I always get the message Unable to launch device manager from when I'm connected via VPN but this time I didn't get the error... I got the Security warning screen saying the certificate is invalid and do I wish to continue.  This is normal behavior and is exactly what I get when I'm connected directly to the LAN and not the VPN.

I click Yes to continue and then I get the error Unable to Launch device manager from 

This is definitely different and one more piece of information... I can now ping to from the client when the VPN is open, so this confirms that I am able to connect with the Internal interface of the ASA from the client when the client is connected via VPN.

I'm wondering now if I need to tell the VPN management in the ASA that it's ok to run the ASDM when the request is coming from a client attached via VPN?

Any suggestions about how I can do that?


Julio Carvajal Tue, 05/22/2012 - 15:53

Hello Edward,

Yeap, after you changed the ip local pool and the management-access inside everything should work!

Can you do a debug http 255

and then attempt to connect to the box.



Edward Luna Wed, 05/23/2012 - 12:32

Nothing I've tried so far has worked.  I'm on the phone with system support right now.  I'll let you all know what happens.

Thanks for your efforts. 


Edward Luna Wed, 05/23/2012 - 13:39

Support said I needed to create a static route between and which I did.  Not only did it not work but it actually brought Internet access down for the entire company.  I removed the static route and Internet access came back company wide.

I find it hard to believe that such a straight forward function as creating a VPN connection should present such a problem.  If I thought it would do any good I'd remove everything I've done to date and just follow the AnyConnect client wizard from the beginning again. 

The trouble with that plan is that I'm not certain exactly how to remove everything associated with the VPN.

I save the config file before making any changes.  I use Tools > Backup Configuration to save the config.  Is it a simple matter of using Tools > Restore Configuration to restore a prior saved config?  If it is then I could restore one of the configurations I saved before I started all this work on the VPN and then start all over.

What do you think?  Should I use the restore tool or just run through the VPN wizard again which will hopefully overwrite whatever is wrong with the VPN config?


rizwanr74 Tue, 05/22/2012 - 19:49

Hi Edward,

"I'm wondering now if I need to tell the VPN  management in the ASA that  it's ok to run the ASDM when the request is  coming from a client  attached via VPN?"

http server enable

http outside

The above two lines enable ASDM for a specific subnet and the interface it must come in on.

Have you tried with Firefox instead of IE ?



ju_mobile Mon, 05/21/2012 - 15:52

Your access to the ASDM would be from the inside and as such your http access needs to identify this, but using the subnet from which the VPN clients are assigned. The second step is to define the management access inside, which allows you to hairpin and access the ASDM.

Sent from Cisco Technical Support iPad App

Edward Luna Fri, 05/25/2012 - 09:58

I would like to take a moment to thank everyone for their help in solving this problem.  It turns out that most (if not all) the answers provided by the folks who responded to my problem were correct.  Each response addressed the issue in an appropriate manner and had I been more knowledgeable about Cisco VPN's, the information provided by everyone would have been sufficient for me to have solved the problem.

On the chance that others might benefit from my experience with this problem, I thought it might be worthwhile to explain in a little more detail what it was that finally solved my problem.  The missing piece of information... (which I found in a Cisco step-by-step VPN setup procedure)... was to create what is called an "Exempt Route".  The step-by-step procedure stated that the VPN address pool and the inside address pool should be different.  The fact that they are different requires that a Route exists between the two networks.  When I had originally created the route I mistakenly created a "Static Route".  This was an error... the route must be an "Exempt Route".  As soon as I created the Exempt Route everything began to work.

Thanks again to all. 


shady2show Wed, 06/06/2012 - 14:36

If there is any more clarification on this matter.

I'm confused on this also. I have a twice nat rule applied that allows me to access the inside network, can ping the inside interface, and can access the inside http web page but I still get the "Unable to launch the device manager from IP"

Since the Exempt route is already created and all other access works, is there another specific command that needs to be input in order for the ASDM to respond to the VPN address space?

I have

object network Inside


object network VPN


     nat (inside,outside) source static Inside Inside destination static VPN VPN

Everything works BUT ASDM, was there another set of commands requiring NAT for the ASA Inside interface?

iOS 8.4(1)

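Pulling the pieces of this thread together (non-overlapping pool, http access for the pool on the outside interface, management-access inside, the NAT exemption that Edward's "Exempt Route" created, the route-lookup keyword from Jim's post, and the split-tunnel point from rizwanr74), here is an added example of a minimal ASA 8.4+/9.x configuration; it is not from any post above. The inside network 10.1.1.0/24 is the one Edward describes; the pool 10.1.2.0/24, the pool name, the group-policy name and the ACL name are constructed placeholders.

```cisco
! Added example, not from the thread. 10.1.2.0/24, ANYCONNECT-POOL,
! ANYCONNECT-GP and SPLIT-TUNNEL are constructed placeholder values.

! 1. VPN pool on a subnet that does NOT overlap the inside network (10.1.1.0/24)
ip local pool ANYCONNECT-POOL 10.1.2.10-10.1.2.100 mask 255.255.255.0

! 2. ASDM/HTTPS: the LAN is allowed on inside; the VPN pool is allowed on
!    outside, because tunnelled traffic arrives on the interface the tunnel
!    terminates on. Only the private pool is listed, never a public range.
http server enable
http 10.1.1.0 255.255.255.0 inside
http 10.1.2.0 255.255.255.0 outside

! 3. Let traffic arriving through the VPN tunnel on outside reach the inside
!    interface address (ping, SSH, ASDM)
management-access inside

! 4. NAT exemption between inside and the VPN pool (the "NAT Exempt" style
!    rule built in ASDM). route-lookup tells the ASA to pick the egress
!    interface from the routing table rather than from the NAT statement,
!    which is the 9.1.x fix Jim describes above.
object network Inside
 subnet 10.1.1.0 255.255.255.0
object network VPN
 subnet 10.1.2.0 255.255.255.0
nat (inside,outside) source static Inside Inside destination static VPN VPN no-proxy-arp route-lookup

! 5. Split tunnelling: only the corporate subnet rides the tunnel, so the
!    client keeps its own default gateway instead of the one the ASA pushes
!    when no split-tunnel policy is set.
access-list SPLIT-TUNNEL standard permit 10.1.1.0 255.255.255.0
group-policy ANYCONNECT-GP attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
```

With this in place, `debug http 255` (as Julio suggests) should show the ASDM connection arriving from a 10.1.2.x address on outside; if it still fails, check that the connection profile actually references ANYCONNECT-POOL and ANYCONNECT-GP.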
