For IPSec tunnels, you include the internal IP blocks in the crypto access lists. Assume that 192.168.0.0/24 is in use at the remote site, and 192.168.0.1 is the inside interface of the remote PIX. You cannot normally manage the PIX by the IP address of the inside interface. This is especially troubling when the outside IP address is not included in the crypto access lists (which is a good idea, as it may change, you might just not want it included, etc.). To manage the remote PIX, you would then either need to open ports in the firewall(s) to allow communication to the outside IP address, or adjust your crypto ACL.
With the management-access command, you can use the internal IP address for management purposes: SSH, SNMP, etc. This is much cleaner to work with, as all management traffic is included in the crypto ACL that covers the entire site's internal netblock.
Imagine you have 10 remote sites:
with the first IP being the outside, and the 2nd being the inside - it is much easier to remember each site by the internal IP address, rather than the often random external IP address.
So, for both configuration and ease of remembrance, the management-access command is handy.
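
A remote-site configuration sketch for the setup described above, added here as an illustration and not part of the original post. The 192.168.0.0/24 site block comes from the post; the head-office block 10.0.0.0/24, the peer address 203.0.113.1, the SNMP host 10.0.0.50 and the ACL and crypto map names are assumptions, the syntax is PIX 6.3 style, and the ISAKMP policy, pre-shared key and transform set are assumed to be configured already.

```cisco
!--- Crypto ACL covers only the internal netblocks (assumed HQ block 10.0.0.0/24).
!--- The outside address of this PIX is deliberately not listed.
access-list VPN-TO-HQ permit ip 192.168.0.0 255.255.255.0 10.0.0.0 255.255.255.0

!--- Exempt the tunnel traffic from NAT.
nat (inside) 0 access-list VPN-TO-HQ

!--- Bind the crypto ACL to the tunnel (peer address is a constructed example).
crypto map HQ-MAP 10 ipsec-isakmp
crypto map HQ-MAP 10 match address VPN-TO-HQ
crypto map HQ-MAP 10 set peer 203.0.113.1
crypto map HQ-MAP interface outside

!--- Let traffic arriving through the tunnel reach 192.168.0.1 for management.
management-access inside

!--- Restrict management to the head-office block, sourced via the inside interface.
ssh 10.0.0.0 255.255.255.0 inside
snmp-server host inside 10.0.0.50
```

Because the management sessions terminate on 192.168.0.1, they match the existing crypto ACL and stay inside the tunnel, so no SSH or SNMP permit is needed toward the outside address.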