
Remote Management Access through VPN on ASA 5505

Answered Question
May 22nd, 2012

Hi,


I have a remote ASA 5505 running 8.4(3) with a working site-to-site VPN tunnel to my main office. (The main office is running an ASA 5510 with OS 8.4.3 as well.) The encryption domain is all private IP on the main site vs. 172.16.10.0/23 on the remote site.


Relevant config of the remote ASA:

interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.10.254 255.255.254.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248

aaa-server management protocol tacacs+
 accounting-mode simultaneous
aaa-server management (inside) host 172.17.0.31
 key *****
aaa-server management (inside) host 172.17.0.32
 key *****

ssh 0.0.0.0 0.0.0.0 inside
ssh x.x.x.x y.y.y.y outside (our main site's public IP)
http server enable
http 0.0.0.0 0.0.0.0 inside
http x.x.x.x y.y.y.y outside (our main site's public IP)

management-access inside


The VPN tunnel is working perfectly and I can ping devices in the 172.16.10.0/23 local subnet through it from my management station.

However, I cannot manage or ping the ASA through the VPN tunnel on the inside interface from my management station.


When I try this, the syslog on the ASA shows the incoming management connection (either port 443 for ASDM or port 22 for SSH) from my management station's IP to the inside IP of the ASA (all VPN tunnel traffic is exempted from NAT) and after 30 seconds, the syslog shows a SYN timeout. For some reason it looks like the ASA is not responding on its inside interface.


I can manage the ASA on the outside interface (outside of the site-to-site VPN) using the TACACS credentials.

I can also ping my management station from the ASA using the inside interface, but as stated, the other way around does not work.

I have not yet tested if management from the local 172.16.10.0/23 subnet works, but I will try this next.

Correct Answer
Kevin P Sheahan Tue, 05/22/2012 - 08:58

Add the route-lookup command at the end of your nat statement for the VPN connection.



Kind Regards,

Kevin

**Please remember to rate helpful posts as well as mark the question as 'answered' once your issue is resolved. This will help others to find your solution faster.
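As an added illustration of the fix Kevin describes (this is example configuration, not taken from the thread or from the poster's ASA), the identity NAT rule for the tunnel as it looks on ASA 8.4 CLI before and after adding route-lookup. The object names and the main-office subnet 172.17.0.0/16 are assumptions; only 172.16.10.0/23, the interface names inside/outside and management-access inside come from the question.

```cisco
! Added example, not from the thread. Object names and the main-office
! subnet are assumptions; 172.16.10.0/23, inside/outside and
! management-access inside are taken from the question above.
object network REMOTE-INSIDE
 subnet 172.16.10.0 255.255.254.0
object network MAIN-OFFICE
 subnet 172.17.0.0 255.255.0.0
!
! Before: identity (NAT-exempt) rule for the site-to-site traffic.
! Without route-lookup the ASA takes the egress interface from the
! NAT rule's interface pair instead of doing a route lookup, so a
! packet from the tunnel addressed to the ASA's own inside address
! (172.16.10.254) is not recognised as traffic for the ASA itself,
! which is consistent with the SYN timeout seen in syslog.
nat (inside,outside) source static REMOTE-INSIDE REMOTE-INSIDE destination static MAIN-OFFICE MAIN-OFFICE no-proxy-arp
!
! After: remove the rule and re-add it with route-lookup. The ASA now
! consults its routing table for the egress interface, resolves the
! destination to its own inside interface and handles SSH/ASDM locally,
! together with management-access inside. In ASDM this is the same as
! ticking "Lookup route table to locate egress interface" on the rule.
no nat (inside,outside) source static REMOTE-INSIDE REMOTE-INSIDE destination static MAIN-OFFICE MAIN-OFFICE no-proxy-arp
nat (inside,outside) source static REMOTE-INSIDE REMOTE-INSIDE destination static MAIN-OFFICE MAIN-OFFICE no-proxy-arp route-lookup
!
! Still required so the inside address answers management traffic
! that arrives over the VPN on the outside interface.
management-access inside
```

After the change, `show nat detail` lists the rule with `route-lookup` and the hit counters should increase when the management station connects to 172.16.10.254.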

Kevin P Sheahan Tue, 05/22/2012 - 11:52

Always happy to help, and I'm glad that you've found that link; it is very informative.



Kind Regards,

Kevin


Marcel Verbrugg... Wed, 05/23/2012 - 00:26

I still had a question remaining when completely reading through that blog post:


- If I had had an additional network on my remote site (added to the VPN tunnel and to the NAT rule) that was not directly attached to the ASA's inside, would this mean that none of the hosts on that network would have been reachable through the tunnel without the route-lookup directive? Since the ASA does not do a route lookup, it would not know the router to which this traffic needs to be sent, right?


In other words: does the ASA basically spit out the packet on L2 on the interface described in the Identity NAT rule (apparently without even checking if the traffic is destined for that interface itself)?

bo.systemhouse Wed, 06/27/2012 - 15:24

>Add the route-lookup command at the end of your nat statement for the VPN connection.


How does one "add the route-lookup command at the end" using ASDM?

I see the NAT rule created by the "AnyConnect VPN Wizard".


I'm new to the 5505 and Cisco and have the exact same problem: not being able to manage the 5505 through a VPN tunnel from a remote PC with the AnyConnect VPN Client (no split tunneling). I also can't get traffic through the 5505 to the outside as I can when physically located behind the 5505.


The version numbers are: ASDM 6.4(9) - ASA 8.4(4)1

/Bo

kraghupati Tue, 07/09/2013 - 05:21

When you edit any of the NAT rules from ASDM, click on the option "Lookup route table to locate egress interface".
