I deployed a Cisco ASA Firewall, Software Ver 8.4(4). I have created an IPSec Site-to-Site VPN tunnel. It is a Static to Dynamic IP scenario.
The issue is that the VPN tunnel is working fine, but I am not able to access the firewall from Site-A, which has a static IP address. I have given the "management-access inside" command on the Site-B firewall and set the ssh/https access for the Site-A local VPN subnet.
Site-B Configuration Sample
Local Subnet = 10.151.16.0 255.255.254.0
Remote Subnet = 172.22.0.0 255.255.0.0
http 10.151.16.0 255.255.254.0 inside
http 172.22.0.0 255.255.0.0 inside
telnet 10.151.16.0 255.255.254.0 inside
telnet 172.22.0.0 255.255.0.0 inside
ssh 10.151.16.0 255.255.254.0 inside
ssh 172.22.0.0 255.255.0.0 inside
I just want to know whether this is a software bug or whether anything else needs to be done on a Cisco ASA with version 8.4(4). I have done this thousands of times with the previous versions.
I've also just upgraded to 8.8.4 (was on 8.4.1) in one of my spoke sites and I'm unable to ping, query via SNMP or SSH from the hub site to the inside interface. Syslog is also not working from the spoke site to the hub site via the VPN tunnel.
The strange thing is that TACACS from the spoke to the hub site is still working via the VPN tunnel, which also uses the inside interface.
So it seems that upgrading to 8.4.4 has broken a few features, i.e. ping, SNMP, ssh/telnet and syslog, that work via the management command.
In case anyone else is still having this issue, I was finally able to resolve this issue on our ASAs. It seems that after 8.4.1 (maybe 8.4.2) a "quota" for management connections needs to be defined; its default is 0.
quota management-session XXX (where XXX is between 0 and 10000)
After issuing that command, everything started reporting normally again. Unfortunately, it appears that you can't issue that command in 8.4.1 prior to upgrading to 8.4.4. Certainly makes this jump more troublesome.
Please allow me to resurrect this old post. Thank you so much for your answer, Javier Portuguez. I had the same issue, but with AnyConnect sessions. I have added the "route lookup" statement to the NAT rule, and now I am able to manage the inside interface of my ASA through AnyConnect sessions. I hope you keep helping a lot of people with your answers.