New Member

ASA management connection problem

Hello,

I would like to have an SSH management connection from my local LAN laptop to my ASA firewall. The management connection is the red line, see the attachment.

SSH is configured and tested, and SSH connections from the local LAN to the ASA are allowed. But the laptop is still unable to get a connection.

Is there some kind of VLAN problem between laptop <-> ASA, or why does the connection fail?

From the router I can ping the ASA's management interface.

My router's management interface is configured as VLAN 100 access. How can I configure the ASA's management interface also as VLAN 100? Or do I need to do that? I could not find that setting.

Thnx for help.

9 REPLIES

Hi,

Have you allowed ssh for the source subnet from where you want to access the asa...

eg:

ssh 192.168.10.0 255.255.255.0 management needs to be configured in your asa to allow ssh connections....

Also please do check if you created the crypto key in your asa to enable ssh access....

Regards

Karthik

New Member

ssh 192.168.10.0 255.255.255.0 management

was configured.

I can ping from my laptop -> to ASA GE0/0 interface (VLAN 20)

But I can't ping from my laptop -> to ASA management interface (192.168.100.2)

From laptop -> to router interface address 192.168.100.1 ping goes well. But not anymore to ASA's 100.2.

Should I be able to ping ASA's management port?

Hi Terno,

You can ping the management interface ip address.... if you have the proper routing in place.

 

Regards

Karthik

New Member

Hi,

ok. Can you say what route is missing?

There is one route configured to the inside interface for the ASA. GE0/0 is the inside interface.

route inside 192.168.10.0 255.255.255.0 next-hop 192.168.20.1

I have no routes configured for the management network (192.168.100.0). Should I have?

I wonder why I can't ping from laptop -> to ASA's management interface (192.168.100.2) though I can ping from laptop -> to router interface (192.168.100.1) which is connected to the ASA. They are in the same subnet anyway...

Can you help me?

BR,

Terno

Hi,

Can you ping ASA management IP address from router with source-interface as laptop connected VLAN/interface?

 

Regards

Karthik

VIP Green

You would need a route on the ASA which sends the traffic destined for the management interface back out the inside interface.

You would also need a route pointing back to the inside network pointing out the management interface.

You could also run into a problem that the Cisco router will send the traffic directly back to your laptop instead of sending it through the ASA, causing an asynchronous routing situation. In this case you would need to configure TCP bypass on the ASA, as the ASA will drop this traffic as it will never see the return traffic from the management interface.

The best solution here would be to give your PC a static IP and then allow that IP to manage the ASA on the inside interface.

-- Please remember to rate and select a correct answer

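To make the asymmetric-routing point in the reply above concrete, here is an added example (not from the thread or from Cisco): a small Python model of the ASA's reply-path lookup, using the static route and addresses from the thread plus assumed connected networks and interface names. It flags a to-the-box connection whose reply would leave on a different interface than the one it arrived on, which is the condition the reply says the ASA drops, and shows two ways the path becomes symmetric.

```python
import ipaddress

# Constructed route table modelled on site A in the thread: connected networks
# for the inside (GE0/0, VLAN 20) and management (VLAN 100) interfaces, plus the
# single static route the poster had configured. Interface names are assumptions.
ROUTES = [
    ("inside",     "192.168.20.0/24",  None),            # connected
    ("management", "192.168.100.0/24", None),            # connected
    ("inside",     "192.168.10.0/24",  "192.168.20.1"),  # route inside ... 192.168.20.1
]

def lookup(routes, dst):
    """Longest-prefix match of dst against routes; returns (interface, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for iface, prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return None if best is None else (best[1], best[2])

def reply_path(routes, ingress, client):
    """Classify how the ASA would route its reply to a to-the-box connection.
    ingress: interface the client's packet arrived on; client: its source IP."""
    hop = lookup(routes, client)
    if hop is None:
        return "no-route"
    egress, _ = hop
    return "symmetric" if egress == ingress else "asymmetric:" + egress

def check_cases():
    """Three constructed scenarios; returns a dict of name -> classification."""
    laptop = "192.168.10.25"  # constructed laptop address on the 192.168.10.0/24 LAN
    # Assumed fix for a laptop with a static IP: a more specific route out management
    with_host_route = ROUTES + [("management", laptop + "/32", "192.168.100.1")]
    return {
        # SSH to 192.168.100.2 arrives on management, but the reply would leave inside
        "mgmt-if, original routes": reply_path(ROUTES, "management", laptop),
        # The reply's suggestion: manage the ASA on its inside address instead
        "inside-if, original routes": reply_path(ROUTES, "inside", laptop),
        # Host route for the static-IP laptop pointing out the management side
        "mgmt-if, host route added": reply_path(with_host_route, "management", laptop),
    }

if __name__ == "__main__":
    for name, result in check_cases().items():
        print(f"{name}: {result}")
```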
New Member

Hi,

thanks for help. Now the management connection from router -> to ASA works after I added a route from the management interface to the inside network.

Could you check my updated network picture? How should I configure the site B management connection? From the site B ASA I can ping -> to the router (192.168.20.1, VLAN20)

But ping from router -> to ASA B management address 192.168.100.3 (VLAN 100) fails.

These two ASAs are connected together with a LAN cable and there is a VPN tunnel between them. The VPN is up and everything else works, but the management connection to site B does not work. The site B ASA management interface is connected to a Cisco switch, and from the switch goes a trunk port connection to -> ASA.

How should the management connection be configured in this case? Can you help with routes and VLANs?

Thank you again.

BR, Terno

VIP Green

Most likely you are either missing the management IP from the crypto ACL at one of the sites...or both maybe. Also if you have NAT configured make sure that the NoNAT statement exempts traffic to and from the management network from being NATed.

Also keep in mind you will need the command management-access MGMT (where MGMT is the management interface name) to be able to ping that interface over the VPN.

-- Please remember to rate and select a correct answer

New Member

Hi Marius,

I added the command management-access management to both ASAs.

I also added to both devices a crypto ACL so that from source Site A management and LAN network -> destination Site B LAN and management is allowed.

And from source Site B -> destination Site A LAN and management network is allowed.

I am able to ping from Laptop -> to Site A ASA management port. But I am still unable to ping or connect to the Site B ASA management port from the laptop or from the router.

Could it be a trunk port problem between the Site B ASA and the Site B switch port? There are several VLANs configured on the switch port, including management VLAN 100, and the switch port is in trunk mode. I have one native vlan command on this same port.

There is a native vlan11 command configured on this same port. Is it configured right? If not, how should the switch and ASA port be configured to pass VLANs through the trunk port?

Now, at least ping to site A works, but not the management connection.

When I remove the native vlan11 command from the switch -> ping to Site A stops. The Site B switch and Site B ASA can ping each other.

Thx for help again.
