I have the following problem: I am using a management-only interface on an ASA 5512-X. This management interface is directly connected to a management network. I have configured the ASA to allow VPN on the inside and to assign addresses from a pool in the management network, and the ASA is successfully managed through the management interface after that, but there are also a couple of switches and routers connected to the same management network as the ASA that should be managed when I am connected to the VPN tunnel.
Because the directly connected interface is a management-only one, I could not do that. (The ASA is logging the following message: "Through-the-device packet to/from management-only network is denied".)
Please, does anyone know how to solve this issue? I want to use the management interface for management.
The management interface is strictly for managing the device. The management interface will not pass traffic destined for anywhere other than itself. There is no "fix" for this. That would be a major vulnerability if traffic were allowed to pass to a management interface and then on to the network: it would bypass the ACLs on the inside/outside interfaces.
What you'll need is a link to a switch on the inside that has layer-3 switching capability, so it can switch to the correct VLAN/network to reach your management network from the inside.
Don't use a VPN address pool from the management network. Use one from the inside network or a made-up one. Put routes on your inside interface for the management network, broken down into more specific subnets than the one in use, so incoming traffic will prefer those over the directly connected route.
If we assume mgmt is 192.168.1.0/24, then put route statements similar to:
route inside 192.168.1.0 255.255.255.128 <inside-gateway>
route inside 192.168.1.128 255.255.255.128 <inside-gateway>
route inside 192.168.1.128 255.255.255.255 <inside-gateway>
That way all VPN clients with traffic destined for the management network leave the ASA and go via the inside gateway router to come back around into the management network.
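To show why the answer above splits the management /24 into two /25s rather than simply adding a static /24 via inside, here is an added Python model of the ASA's route selection (longest prefix first, then administrative distance) with the management-only check layered on top. It is not code from the thread or from Cisco; the interface names, the 10.1.0.0/24 inside network, the administrative distances and the switch addresses are constructed assumptions. A static route with the same prefix length as the connected management network loses to it and the packet is still dropped with the "Through-the-device packet to/from management-only network is denied" message; the more specific /25s win and the packet leaves via inside.

```python
"""Model of ASA route selection for the management-only problem in the thread.
Added example; topology and distances are assumptions, not from the original post."""
import ipaddress

# Administrative distance as the ASA applies it: a directly connected network
# beats a static route to the same prefix (assumed values 0 and 1, as on IOS/ASA).
CONNECTED, STATIC = 0, 1

# Interfaces declared management-only: the ASA forwards no transit traffic
# in or out of them, only traffic addressed to the ASA itself.
MGMT_ONLY = {"management"}


def egress_interface(routes, dst):
    """Pick the egress interface for dst: longest prefix match, then lowest
    administrative distance. routes is a list of (prefix, interface, distance)."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, distance in routes:
        net = ipaddress.ip_network(prefix)
        if addr not in net:
            continue
        key = (net.prefixlen, -distance)  # longer prefix wins, then lower distance
        if best is None or key > best[0]:
            best = (key, iface)
    return best[1] if best else None


def forward(routes, dst):
    """What the ASA does with a decrypted VPN-client packet to dst.
    Returns ('forward', iface) or ('deny', iface). The deny-on-management case
    is the one that logs 'Through-the-device packet to/from management-only
    network is denied'."""
    iface = egress_interface(routes, dst)
    if iface is None:
        return ("deny", None)        # no route at all
    if iface in MGMT_ONLY:
        return ("deny", iface)       # transit traffic out of a management-only interface
    return ("forward", iface)


# Constructed topology (assumed addresses): management0/0 is on 192.168.1.0/24,
# inside is on 10.1.0.0/24, and the VPN pool now comes from the inside side.
BEFORE = [
    ("192.168.1.0/24", "management", CONNECTED),
    ("10.1.0.0/24", "inside", CONNECTED),
]

# A single static /24 via inside cannot win: same prefix length, worse distance.
WRONG_FIX = BEFORE + [("192.168.1.0/24", "inside", STATIC)]

# The answer's fix: two /25s out-prefix the connected /24, so traffic to the
# management network leaves via inside and the L3 switch routes it back around.
AFTER = BEFORE + [
    ("192.168.1.0/25", "inside", STATIC),
    ("192.168.1.128/25", "inside", STATIC),
]

if __name__ == "__main__":
    # 192.168.1.50 and 192.168.1.200 stand in for two managed switches.
    for name, table in (("before", BEFORE), ("static /24", WRONG_FIX), ("two /25s", AFTER)):
        print(f"{name:10s}", forward(table, "192.168.1.50"), forward(table, "192.168.1.200"))
```

The model deliberately ignores the return path: on the real network the inside L3 switch must also route the VPN pool back towards the ASA, and the management network's gateway must know how to reach the pool, otherwise the forward direction works and the replies never come back.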