
ASDM/SSH access on outside subinterface via NAT router

mikedelafield
Level 1

Hi there.

I hope someone can help.

I have set up outside management access from specific IP addresses many times in the past with no problem; however, I am having trouble with a particular setup in one of our smaller offices.

We have an ADSL service terminated on a local telco modem router. HTTPS and SSH have been forwarded on the router directly to a subinterface on the outside of the Firewall.

The "HTTP/SSH <host ip> <mask> interface" command has been added as normal, however I cannot connect from the specified external IP.

To summarise, the setup is effectively like this:

Internet -> TCP 443 -> Outside ADSL Router 77.66.55.44 -> NAT -> Outside Subinterface ASA 192.168.1.1

Is anyone aware of any limitation with management access on subinterfaces? Or has anyone had issues in the past with forwarding management access ports through NAT?

Checking the logs on the router I can see the forwarding occurring as expected, with the NAT pushing the traffic to the outside subinterface IP with the original TCP 443 retained.

Examining the logs on the ASA at "information" level I could see a very strange message. I can see the forwarded traffic hitting the firewall's outside interface, but there is also a log message, which I presume is the firewall's own translation, pointing to the subnet address of the inside (e.g. 10.1.1.0).

For this part I presume one of two things could be happening: either this is an erroneous Firewall translation and I need to investigate, or the 10.1.1.0 address is some clever internal translation the Firewall does with every management access connection and which is normally invisible.

For reference ASDM and SSH access are both working as expected on the inside and management interfaces and over VPN to the inside.

I hope someone can help...

Many thanks.


3 Replies

Julio Carvajal
VIP Alumni

Hello Mike,

Can you share the following:

show run static

show run http

Also before connecting do the following:

cap capout interface out match tcp host x.x.x.x ( your outside client) host y.y.y.y ( ASA interface) eq 443

cap asp type asp-drop all circular-buffer

Then try to connect via port 443 and afterwards provide:

show cap capout

show cap asp | include y.y.y.y

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Thanks for your reply.

I found a static NAT rule for the inside net -> outside interface which should have been dynamic PAT. Switching this has fixed the problem.

As soon as I saw your show run static suggestion I looked back through all the rules.

Thanks for your help!

Mike
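To make Mike's fix concrete, here is an added configuration example (not configuration posted in this thread, and not a verbatim copy of Mike's or Julio's config). It uses the pre-8.3 `static` / `nat` / `global` syntax that Julio's `show run static` suggestion implies, the addresses the thread gives (ASA outside subinterface 192.168.1.1, inside net 10.1.1.0; a /24 mask is assumed), a placeholder management client 203.0.113.10, and assumes the outside subinterface nameif is `outside`. The exact form of the static rule Mike found is not shown in the thread; the one below is an assumed shape that produces the symptom he describes, alongside the dynamic PAT that replaces it and the checks from Julio's reply.

```cisco
! Added example; addresses and rule shapes are assumptions, see the lead-in.

! --- Misconfiguration (assumed shape): a net-to-net static translation.
! A static rule is bidirectional, so 10.1.1.x <-> 192.168.1.x in BOTH
! directions. 192.168.1.1 is the ASA's own outside subinterface address, so an
! inbound packet to 192.168.1.1:443 is un-translated toward 10.1.1.1 instead
! of terminating on the ASA's HTTPS/SSH servers. That is consistent with the
! log entry Mike saw that pointed at the inside network.
static (inside,outside) 192.168.1.1 10.1.1.0 netmask 255.255.255.0

! --- Fix: remove the static rule and use dynamic PAT to the interface.
! Dynamic PAT only builds translations for flows that start on the inside, so
! an unsolicited inbound packet to the interface address matches no xlate and
! is handed to the management services as intended.
no static (inside,outside) 192.168.1.1 10.1.1.0 netmask 255.255.255.0
nat (inside) 1 10.1.1.0 255.255.255.0
global (outside) 1 interface
! (ASA 8.3 and later express the same PAT as an object with
!  "nat (inside,outside) dynamic interface".)

! --- Management access limited to the single external client, as in Mike's
! setup. The ADSL router only rewrites the destination, so the ASA still sees
! the client's public address as the source.
http server enable
http 203.0.113.10 255.255.255.255 outside
ssh 203.0.113.10 255.255.255.255 outside

! --- Check without a client: simulate the inbound SYN. With the static rule in
! place the NAT phase shows the destination being translated into 10.1.1.0/24;
! after the fix no such translation appears and the packet is handled by the
! ASA itself.
packet-tracer input outside tcp 203.0.113.10 40000 192.168.1.1 443

! --- Julio's captures, with "tcp" rather than "ip" so the "eq 443" port match
! is valid, plus the ASP drop capture to see why any packet was discarded.
capture capout interface outside match tcp host 203.0.113.10 host 192.168.1.1 eq 443
capture asp type asp-drop all circular-buffer
show capture capout
show capture asp | include 192.168.1.1
```

The defensive point is the one Mike's own investigation turned up: a static translation whose mapped range overlaps the interface address silently hijacks traffic addressed to the firewall itself, so `show run static` (or `show nat` on newer releases) is the first thing to read whenever management access to an interface fails while the `http` and `ssh` statements look correct.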

Hello,

Great to hear that.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC