12-08-2017 05:45 AM - edited 02-21-2020 06:55 AM
Hello,
I have a question, and I am hoping this is not a duplicate issue.
I have an ASA5525 with active ports: inside (172.10.1.0/24), outside (10.10.1.0/23), and management (192.168.1.0/23).
I have a VPN connection from outside to the inside without problems. However, my question is:
How can I access the management port from inside/outside using VPN?
In other words, I need my management workstation located inside/outside to be able to run ASDM to access the ASA management port.
Any step-by-step advice?
Thank you
12-08-2017 07:33 AM
To access the management interface of the ASA through VPN you need the following:
management-access management
nat (management,outside) source static obj-192.168.1.0_23 obj-192.168.1.0_23 destination static obj-remote-vpn obj-remote-vpn no-proxy-arp route-lookup
ssh <remote-vpn> <mask> management
Unfortunately, you will not be able to access the management interface from an inside IP (172.10.1.0/24).
Traffic needs to arrive at the ASA on the management interface to be able to reach it (exception: VPN).
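The three pieces from the answer above, written out with concrete values as an added example (this is not configuration from the thread or from the poster). The thread never states the remote-access VPN client pool, so 10.20.0.0/24 is assumed; the object names follow the answer. Note that 192.168.1.0/23 as written in the question is not on a /23 boundary, so the example takes the management block to be 192.168.0.0/23 (192.168.0.0 through 192.168.1.255). The `http` lines are added because the question is about ASDM, which uses the ASA's HTTP server rather than SSH.

```text
! Added example, not from the thread. Assumed: VPN pool 10.20.0.0/24,
! management block 192.168.0.0/23.
!
! 1. Let to-the-box traffic for the management interface arrive through a
!    VPN tunnel that terminates on another interface (outside).
management-access management
!
! 2. Objects for the management subnet and the VPN client pool.
object network obj-192.168.1.0_23
 subnet 192.168.0.0 255.255.254.0
object network obj-remote-vpn
 subnet 10.20.0.0 255.255.255.0
!
! 3. Identity NAT (NAT exemption): VPN-to-management traffic is not translated,
!    and "route-lookup" makes the return path use the routing table instead of
!    the NAT rule's interface pair.
nat (management,outside) source static obj-192.168.1.0_23 obj-192.168.1.0_23 destination static obj-remote-vpn obj-remote-vpn no-proxy-arp route-lookup
!
! 4. Permit the management protocols from the VPN pool on the management
!    interface. The answer shows SSH; ASDM additionally needs the HTTP server
!    and an http statement for the same source.
ssh 10.20.0.0 255.255.255.0 management
http server enable
http 10.20.0.0 255.255.255.0 management
```

After connecting a VPN client, `show nat detail` should show the identity rule's translate_hits/untranslate_hits increasing, and `show running-config ssh` / `show running-config http` confirm the pool is permitted on `management` and not on some other interface by mistake.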
12-15-2017 12:33 PM
Hi Bogdan,
I believe I can access the ASA management port from inside.
I saw this implemented in one of the company branches. I believe I will need an L3
12-15-2017 09:47 PM
First ensure that your management /23 subnet is included in your VPN tunnel. (i.e. either you are using "tunnelall" or the ACL referenced in "tunnelspecified" includes that network).
Next you have to override the normal routing behavior on the ASA. Normally it would think that the egress interface for the management subnet would be the management interface since it is connected and this has an administrative distance (AD) of 0. You can override that with a static route (AD =1) to a more specific set of subnets - i.e. a static route to the two /24s that comprise your /23. Set that static route to be an internal gateway (L3 switch or router) that has knowledge of how to route to both the ASA inside and management interfaces.
Finally, make sure the ASA has a route on the management interface that uses that same gateway for return traffic to the VPN client address pool.
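The three steps of the answer above as one configuration fragment, added here as an example and not taken from the thread or from the poster's ASA. Everything not stated in the thread is an assumption: the management block is 192.168.0.0/23 (the two /24s are 192.168.0.0/24 and 192.168.1.0/24, since 192.168.1.0/23 as written is not on a /23 boundary), the internal L3 switch is 172.10.1.1 on the inside subnet and 192.168.0.1 on the management subnet, the VPN client pool is 10.20.0.0/24, and the existing group policy is named RA_POLICY with a split-tunnel ACL named SPLIT_TUNNEL.

```text
! Added example, not from the thread. Assumed values: L3 switch 172.10.1.1
! (inside) / 192.168.0.1 (management), VPN pool 10.20.0.0/24, group policy
! RA_POLICY, split-tunnel ACL SPLIT_TUNNEL.
!
! Step 1: the management subnet has to be inside the tunnel. With "tunnelall"
! nothing is needed; with "tunnelspecified" the ACL must list it.
access-list SPLIT_TUNNEL standard permit 172.10.1.0 255.255.255.0
access-list SPLIT_TUNNEL standard permit 192.168.0.0 255.255.254.0
group-policy RA_POLICY attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT_TUNNEL
!
! Step 2: two /24 static routes (AD 1) via inside. Being more specific than the
! connected /23 on the management interface, they win the lookup, so decrypted
! VPN traffic for the management subnet is handed to the L3 switch, which
! forwards it to the ASA's management interface.
route inside 192.168.0.0 255.255.255.0 172.10.1.1 1
route inside 192.168.1.0 255.255.255.0 172.10.1.1 1
!
! Step 3: return path from the management interface toward the VPN client pool
! goes to the same L3 switch, using its address on the management subnet.
route management 10.20.0.0 255.255.255.0 192.168.0.1 1
```

Two things to check before calling this done: `show route` should list the two /24s as static routes alongside the connected /23, and the L3 switch itself needs a route for the VPN pool (10.20.0.0/24 in this example) pointing back at the ASA's inside address, otherwise the hairpin works in one direction only.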