Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
569
Views
0
Helpful
2
Replies

management-access inside without IPSec

2phase1081
Level 1
Level 1

‎01-11-2014 12:44 PM - edited ‎03-11-2019 08:28 PM

hi community!

i have an ASA with 9.1(1) which is accessed on its inside interface (from outside) via "management-access inside" command. after upgrade to 9.1(3) this stops working.

ADMIN              outside   ASA    inside

                        interface   ___    interface

172.16.1.5          10.1.1.1  |___|  192.168.1.1

SSH/ASDM from 172.16.1.5 to 192.168.1.1

there is no IPSec configured, just plain routing. is it a bug in 9.1(3) version or is it feature that management-access inside is not working anymore?

thanks and best regards

mario

1 person had this problem
Labels:
0 Helpful
2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

‎01-12-2014 11:15 PM

Hi,

To my understanding you should never be able to connect to the ASA interface behind another interface unless VPN connection and "management-access" command are involved.

I do remember one other thread where the user said that this was done.

But this is something that should not work so I am not sure why it has worked for you. I wouldn't expect that you can get it working as is not something that supposed to be supported. I am not sure what kind of configuration you have used if this has worked in the first place.

Then again, I am wondering why you are not using the external interface directly to connect to the ASA rathter than connecting to some other interface? I mean there must be some NAT involved if this device is on the edge of public/private networks?

- Jouni

0 Helpful

2phase1081
Level 1
Level 1
In response to Jouni Forss

‎01-16-2014 10:14 AM

hi,

thanks for your reply.

behind that firewall there are serveral other firewalls all connected with each other via one single /24 transit network. the idea was to access all firewalls via their addresses in this transit network (naming conventions...). this was done because it worked with management-access inside at 9.1(1) with no issues.

now i want to find out why it doesn't after upgrading to 9.1(3) with no config change. is the bug in 9.1(1) or in 9.1(3)?

mario

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card