ASA management

a.hajhamad
Level 4

Hi,

I have a Cisco 877W ADSL router installed in front of a Cisco ASA 5510; this router terminates Remote Access IPSec VPN tunnels.

The PIX does not do NAT since the router does that.

I can access the management IP address from the inside, but when I connect using IPSec VPN to the router, I can't access the ASA management interface.

I have the following log message:

%ASA-4-418001: Through-the-device packet to/from management-only network is denied: tcp src outside:x.x.x./1436 dst management:y.y.y.y/9090

My question: can we access the management interface through the outside interface (RA IPSec VPN, and initiate that connection)?

Note: nat-control is NOT enabled on the ASA.

Thanks in advance

Abd Alqader

6 Replies

a.kiprawih
Level 7

To allow management access to an interface other than the one from which you entered the security appliance when using IPSec VPN, use the 'management-access' command in global configuration mode.

ASA(config)# management-access

Example:

ASA(config)# management-access outside

HTH

AK
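The following configuration sketch is an added illustration, not something either poster wrote. It ties the two halves of this thread together: the dedicated management interface carries `management-only`, which makes the ASA refuse to forward traffic between that interface and any other interface, so a VPN user arriving on `outside` and aiming at the management subnet is dropped with exactly the `%ASA-4-418001` message quoted in the question, and no ACL on the outside interface can permit it. The `management-access` command from the reply above instead lets those users manage the box on the interface their traffic arrives at. Interface names, addresses and the VPN pool (192.168.50.0/24, assumed to be handed out by the 877W) are assumptions for the example.

```cisco
! Dedicated management interface. "management-only" means to-the-box traffic
! only: the ASA will not route packets between this interface and any other
! interface. A VPN client on 192.168.50.0/24 (assumed pool) entering on
! "outside" and going to 192.168.100.1 is a through-the-device packet and is
! dropped with %ASA-4-418001 regardless of what the outside ACL permits.
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0
 management-only
!
! Outside is a private address behind the 877W, which does the NAT and
! terminates the remote-access tunnels (addresses assumed).
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 10.0.0.2 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Only one interface can be named here. With this in place the VPN users
! manage the ASA on the outside interface address instead of the
! management-only subnet.
management-access outside
!
! Still restrict who may open ASDM/SSH on that interface: the assumed VPN
! pool only, not 0.0.0.0 0.0.0.0.
http server enable
http 192.168.50.0 255.255.255.0 outside
ssh 192.168.50.0 255.255.255.0 outside
ssh timeout 10
!
! Hosts on the management segment keep using the management interface.
http 192.168.100.0 255.255.255.0 management
ssh 192.168.100.0 255.255.255.0 management
```

The alternative of issuing `no management-only` on Management0/0 would let the ASA forward traffic to that segment like any data interface, which removes the isolation that justified a dedicated management interface in the first place; `management-access` plus tight `http`/`ssh` source restrictions keeps that isolation while still giving the VPN users a management path.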

Thanks.

I did that and I can access and manage the ASA at the outside interface.

But can we access the management interface from the outside when I'm connected to the router through RA IPSec VPN?

I think if you enabled split-tunneling, you should be able to do it.

As you know, split tunneling allows you to surf the internet and simultaneously access your corporate network.

With this, you can always access your outside interface directly (via HTTPS or SSH), as if no VPN is used. At the same time, with VPN, you're logically sitting in your corporate network.

A similar setup was tested before and worked fine, but it was completely disabled later due to security policy (recommendation).

HTH

AK

Thanks.

But I'm accessing the outside interface of the ASA through the tunnel, since it is a private IP (the public IP address is on the dialer interface of the router). And I'm using split tunneling.

Which setup tested before do you mean? The outside management, or accessing the management interface from the outside?

Thanks in advance

Abd Alqader

We tested the management part of the PIX via VPN using the 'management-access' command, and normal HTTPS/SSH access from the internet to the outside interface. This works fine.

But if you want to access the outside interface via the tunnel itself, I don't think it will work. This is because you are assigned an internal private IP when you successfully connect via VPN. If you need to manage your firewall, then this is where the 'management-access' command helps you/the network admin.

As you know, on the PIX you can't access or even ping an interface that is not directly connected to your segment, i.e. an inside host cannot ping the outside/DMZ interface IP.

The only option is either to access the PIX via your directly connected interface, or, if it's from the outside/internet, you have to go in via the outside interface. The same goes for VPN access: you're only allowed to go via the inside interface.

HTH

AK

The Cisco ADSL router terminates the IPSec VPN tunnels, and I can access the outside interface when I change the management access to outside. This is OK.

But my question: when I'm connected and assigned a private IP address from the router pool, I tried to access the dedicated management interface on the ASA but I can't. From the log messages, the packets were dropped; it seems the ASA assumes this is normal traffic ("not only management traffic") and drops it. But when I tried from the local network through the inside interface, it works fine.

Note: I opened the required ports from my assigned IP address to the management interface in the access list applied at the outside interface.

Anyway, thank you, and I think the best solution is to enable the management access at the outside interface in order to support this customer.

Abd Alqader