I have a remote ASA5505 running 8.4(3) with a working site-to-site VPN tunnel to my main office. (The main office is running an ASA 5510 with OS 8.4.3 as well.) The encryption domain is all private IP on main site vs. 172.16.10.0/23 on remote site.
Relevant config of the remote ASA:
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.10.254 255.255.254.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address x.x.x.x 255.255.255.248

aaa-server management protocol tacacs+
 accounting-mode simultaneous
aaa-server management (inside) host 172.17.0.31
 key *****
aaa-server management (inside) host 172.17.0.32
 key *****

ssh 0.0.0.0 0.0.0.0 inside
ssh x.x.x.x y.y.y.y outside (our main site's public IP)
http server enable
http 0.0.0.0 0.0.0.0 inside
http x.x.x.x y.y.y.y outside (our main site's public IP)
The VPN tunnel is working perfectly and I can ping devices in the 172.16.10.0/23 local subnet through it from my management station.
I however cannot manage or ping the ASA through the VPN tunnel on the inside interface from my management station.
When I try this, the syslog on the ASA shows the incoming management connection (either port 443 for ASDM or port 22 for SSH) from my management station's IP to the inside IP of the ASA (all VPN tunnel traffic is exempted from NAT) and after 30 seconds, the syslog shows a SYN timeout. For some reason it looks like the ASA is not responding on its inside interface.
I can manage the ASA on the outside interface (outside of the site-to-site VPN) using the TACACS credentials.
I can also ping my management station from the ASA using the inside interface, but as stated, the other way around does not work.
I have not yet tested if management from the local 172.16.10.0/23 subnet works, but I will try this next.
Add the route-lookup command at the end of your nat statement for the VPN connection.
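The fix from the answer written out as ASA 8.4 configuration, as an added example that is not part of the original thread. The poster's NAT exemption is not shown, so the object names REMOTE-LAN and MAIN-SITE and the 10.0.0.0/8 main-site range are constructed placeholders; the example also assumes `management-access inside` is needed, which the posted excerpt neither shows nor rules out.

```text
! Constructed placeholders: the thread does not show the real objects.
object network REMOTE-LAN
 subnet 172.16.10.0 255.255.254.0
object network MAIN-SITE
 subnet 10.0.0.0 255.0.0.0
!
! Before: NAT exemption (identity NAT) for tunnel traffic.
! Without route-lookup the ASA takes the egress interface from the NAT
! rule itself, regardless of the routing table, so traffic addressed to
! the ASA's own inside address (172.16.10.254) is not handled as
! to-the-box traffic and the management connection ends in a SYN timeout.
nat (inside,outside) source static REMOTE-LAN REMOTE-LAN destination static MAIN-SITE MAIN-SITE
!
! After: the same rule, with the egress interface chosen by route lookup.
no nat (inside,outside) source static REMOTE-LAN REMOTE-LAN destination static MAIN-SITE MAIN-SITE
nat (inside,outside) source static REMOTE-LAN REMOTE-LAN destination static MAIN-SITE MAIN-SITE route-lookup
!
! Assumption (not shown in the posted config): allow management of the
! inside interface through a tunnel that terminates on the outside interface.
management-access inside
!
! Confirm what is now in the running configuration.
show running-config nat
show running-config management-access
```

With this in place, the `ssh` and `http` lines for the inside interface decide which source addresses may manage the ASA through the tunnel, so `0.0.0.0 0.0.0.0 inside` now admits every host in the encryption domain.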