Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

Bronze

ASA management

Hi,

I have Cisco 877W ADSL router installed in front of Cisco ASA 5510, this router terminate Remote Access IPSec VPN tunnels.

The PIX does not do NAT since the router do that.

I can access the management IP address through inside, but when i connect using IPSec VPN to the router, i can't access the ASA management interface.

i have the following log message:

%ASA-4-418001: Through-the-device packet to/from management-only network is deni

ed: tcp src outside:x.x.x./1436 dst management:y.y.y.y/9090

My question, can we access the management interface through the outside interface(R.A IPSec VPN and intiate that connection)?

Note: NO nat-control is enabled at the ASA.

Thanks in advance

Abd Alqader

6 REPLIES

Re: ASA management

To allow management access to an interface other than the one from which you entered the security appliance when using IPSec VPN, use the 'management-access' command in global configuration mode.

ASA(config)# management-access

Example:

ASA(config)# management-access outside

HTH

AK

Bronze

Re: ASA management

Thanks.

I did that and i can access and manage the ASA at the outside interface.

But, can we access the management interface from the outside when i'm connected to the router through RA IPSec VPN?

Re: ASA management

I think if you enabled split-tunneling, you should be able to do it.

As you know, split tunneling allows to surf the internet, and simultaneously access your corporate network.

With this, you can always access your outside interface directly (via HTTPS or SSH), as if no VPN is used. At the same time, with VPN, you're logically sitting in your corporate network.

Similar setup was tested before which works fine, but completely disabled later due to security policy (recommendation).

HTH

AK

Bronze

Re: ASA management

Thanks.

But i'm accessing the outside interface of the ASA through the tunnel since it is private IP (the public IP address at the dailer interface at the router). And i'm using split tunneling.

which setup tested before you mean? the outside management or accessing the management interface from the outside?

Thanks in advance

Abd Alqader

Re: ASA management

We test the management part of PIX via VPN using 'management-access' command and normal HTTPS/SSH access from internet to outside interface. This works fine.

But if you want to access the outside interface via the tunnel itself, I don't think it might work. This is because you are assigned with internal private IP when you successfully connect via VPN. If you need to manage your Firewall, then this is where the 'management-access' command helps you/network admin.

As you know, in PIX, you can't access or even ping interface that is not directly connected to your segment, i.e inside host cannot ping outside/dmz interface IP.

The only option is either access the PIX via your directly connected interface, or if it's from outside/internet, you have to go in via outside interface. Same goes to VPN access, you're only allowed to go via inside interface.

HTH

AK

Bronze

Re: ASA management

The Cisco ADSL router terminate IPSec VPN tunnels, and i can access the outside interface when change the management access to outside. this is OK.

But my question, when i'm connected and asigned private ip address from the router pool, i tried to access the dedicated management interface at the ASA but i can't, and from the log messages, the packets were dropped, it seems the ASA assume this is normal traffic "not only management traffic" and drop it. but, when i tried from local network through the inside interface it works fine.

Note: i opened the required ports from my assigned ip address to the management interface at the access list applied at the outside interface.

Anyway, thank you, and i think the best solution is to enable the management access at the outside interface in order to support this customer.

Abd Alqader

399
Views
0
Helpful
6
Replies
CreatePlease to create content