New Member

Can't access management interface via vpn connection

Hi all,

I can't seem to be able to manage my ASA 5510 when I connect via VPN. My ASA sits at a remote colo, and from my office I can connect fine. I have it configured as management-access (dmz), because as of now we are just doing some staging and all the servers are in the dmz interface.

When I connect with the VPN client, in the routes it sees 192.168.1.0 255.255.255.0, which is the management network/interface.

For some reason I can't get access to 192.168.1.1 to use the ASDM.

Here is how I did my VPN via CLI:

isakmp enable outside
isakmp identity address
isakmp policy 10
 authentication pre-share
 encryption des
 hash md5
 group 2
 lifetime 86400
ip local pool vpnpool 10.1.1.2-10.1.1.10
access-list split_tunnel standard permit 192.168.200.0 255.255.255.0
access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
group-policy xxxxx internal
group-policy xxxxx attributes
 dns value
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split_tunnel
username xxxxx password
username xxxxxx attributes
 vpn-group-policy xxxx
username xxxxxx password
username xxxxxx attributes
 vpn-group-policy xxxx
username xxxx password
username xxxx attributes
 vpn-group-policy xxxx
tunnel-group xxxx type ipsec-ra
tunnel-group xxxx general-attributes
 address-pool vpnpool
tunnel-group xxxx ipsec-attributes
 pre-shared-key
access-list vpnra permit ip 192.168.200.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpnra permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpnra permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list vpnra
nat (dmz) 0 access-list vpnra
nat (management) 0 access-list vprna
crypto ipsec transform-set md5des esp-des esp-md5-hmac
crypto dynamic-map dynomap 10 set transform-set md5des
crypto map vpnpeer 20 ipsec-isakmp dynamic dynomap
crypto map vpnpeer interface outside

Any help would be much appreciated.

4 REPLIES
New Member

Re: Can't access management interface via vpn connection

It seems like you are missing a line:

management-access "interface"

http://www.cisco.com/en/US/docs/security/asa/asa71/command/reference/m_711.html#wp1631964

New Member

Re: Can't access management interface via vpn connection

No, I have that in there. See my first few lines. I configured management-access (dmz).

Still can't use ASDM through VPN. Could it be because split tunneling is enabled, or a binding issue? Not sure how to go about troubleshooting it.

Thanks for the reply

New Member

Re: Can't access management interface via vpn connection

Anyone? Still can't get access. It's very frustrating, as it seems like a simple thing yet it's not working.

New Member

Re: Can't access management interface via vpn connection

Any luck on this? I have SSH access to the ASA when VPNing to that ASA, however, I cannot get to ASDM. I can get to ASDM from the inside. I do have my:

http 192.168.1.0 255.255.255.0 inside

management-access inside

Thanks!
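
A consistency check over configuration lines like those quoted in this thread, as an added example that is not part of any post and not Cisco's code. The `audit` function and the `SAMPLE` text are constructed for illustration; the check assumes ASDM sessions from VPN clients arrive from a pool address and must be permitted by an `http` entry on the `management-access` interface.

```python
import ipaddress
import re

# Constructed sample: individual lines are copied from posts in the thread,
# combined here for illustration. It is not a dump from a real device.
SAMPLE = """\
ip local pool vpnpool 10.1.1.2-10.1.1.10
access-list vpnra permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
nat (inside) 0 access-list vpnra
nat (management) 0 access-list vprna
http 192.168.1.0 255.255.255.0 inside
management-access inside
"""

def audit(config: str) -> list[str]:
    """Return findings for ACL references and ASDM reachability from VPN pools."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    acls = {m.group(1) for ln in lines if (m := re.match(r"access-list (\S+) ", ln))}
    findings = []
    # 1. NAT exemption rules that reference an access list that was never defined.
    for ln in lines:
        m = re.match(r"nat \((\S+)\) 0 access-list (\S+)$", ln)
        if m and m.group(2) not in acls:
            findings.append(f"nat ({m.group(1)}): access-list '{m.group(2)}' is not defined")
    # 2. Collect the source networks allowed to reach ASDM on the management-access interface.
    mgmt = next((ln.split()[1] for ln in lines if ln.startswith("management-access ")), None)
    if mgmt is None:
        findings.append("no management-access interface configured")
        return findings
    allowed = []
    for ln in lines:
        m = re.match(r"http (\d\S+) (\d\S+) (\S+)$", ln)
        if m and m.group(3) == mgmt:
            allowed.append(ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False))
    # 3. Each VPN pool range must sit inside one of those networks (assumption stated above).
    for ln in lines:
        m = re.match(r"ip local pool (\S+) (\S+)-(\S+)", ln)
        if not m:
            continue
        first, last = (ipaddress.ip_address(a) for a in m.group(2, 3))
        if not any(first in net and last in net for net in allowed):
            findings.append(f"pool '{m.group(1)}' ({first}-{last}) has no matching http entry on '{mgmt}'")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```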
