Cisco Support Community
Accessing hosts on the Management network from a VPN client

Hi there,

I have the following setup on my ASA 5520

Public interface - 100 - 202.xx.xx.xx

Private - 0 - 172.24.16.200/24

Management - 0 - 172.19.120.27/24

Issue:

From a VPN client, I can ping any host on the management network (172.19.120.0/24), because I have removed the "management only" option. However, I can't really do anything on those hosts (RDP, http, etc) apart from ping.

Checking the logs, this is what I get, when I try to RDP to a host on the Mgt network:

Severity  Date         Time      Syslog ID  Source IP      Src Port  Destination IP  Dst Port  Description
6         Jan 20 2010  23:40:52  106015     172.19.120.11  3389      172.24.206.1    1894      Deny TCP (no connection) from 172.19.120.11/3389 to 172.24.206.1/1894 flags SYN ACK on interface Private

What are my options? I can think of two:

  • Create another Management VLAN
  • Disable Management interface and use inside for management.

Any advice would be helpful.

Re: Accessing hosts on the Management network from a VPN client

From the log, it looks like the SYN ACK was received on the Private interface. But the SYN packet from the VPN client to the host .11 should be sent out from the management interface. What is the default gateway configured on the host in the management network 172.19.120.0/24? Can you make sure it is pointed to the management interface on the ASA?
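As an added defender-side illustration (not code from the original thread), this automates the check the first reply makes by eye: parse ASDM-style 106015 export lines, work out which ASA interface owns the replying host's subnet using the interface table from the question, and flag SYN ACK packets that arrived on a different interface. The column layout and sample events are constructed; only the first event is the poster's.

```python
import ipaddress
import re
# Interfaces and their connected subnets from the question (public interface omitted; its address is redacted).
INTERFACE_SUBNETS = {
    "Private": ipaddress.ip_network("172.24.16.0/24"),
    "Management": ipaddress.ip_network("172.19.120.0/24"),
}

# Description column of ASA message 106015, in the form quoted in the post.
DENY_106015 = re.compile(
    r"Deny TCP \(no connection\) from (?P<src>[\d.]+)/(?P<sport>\d+) "
    r"to (?P<dst>[\d.]+)/(?P<dport>\d+) flags (?P<flags>.+?) on interface (?P<iface>\S+)"
)

# Constructed sample in ASDM export layout (severity, date, time, syslog ID, src IP,
# src port, dst IP, dst port, description). Line 1 is the poster's event; 2 and 3 are contrast cases.
SAMPLE_EVENTS = [
    "6\tJan 20 2010\t23:40:52\t106015\t172.19.120.11\t3389\t172.24.206.1\t1894\tDeny TCP "
    "(no connection) from 172.19.120.11/3389 to 172.24.206.1/1894 flags SYN ACK on interface Private",
    "6\tJan 20 2010\t23:41:07\t106015\t172.19.120.40\t22\t172.24.206.1\t1902\tDeny TCP "
    "(no connection) from 172.19.120.40/22 to 172.24.206.1/1902 flags SYN ACK on interface Management",
    "6\tJan 20 2010\t23:41:30\t106015\t172.24.16.50\t445\t172.24.206.1\t1910\tDeny TCP "
    "(no connection) from 172.24.16.50/445 to 172.24.206.1/1910 flags RST ACK on interface Private",
]

def owning_interface(ip):
    """Interface whose connected subnet contains ip, or None if none does."""
    return next((n for n, net in INTERFACE_SUBNETS.items() if ipaddress.ip_address(ip) in net), None)

def parse_106015(line):
    """Fields of a 106015 event, or None for any other message ID."""
    cols = line.split("\t")
    if len(cols) < 9 or cols[3] != "106015":
        return None
    m = DENY_106015.search(cols[8])
    return m.groupdict() if m else None

def find_asymmetric_replies(lines):
    """Flag SYN ACK denials that arrived on an interface other than the one owning the
    source subnet: the reply took a different path than the SYN (asymmetric routing)."""
    findings = []
    for line in lines:
        ev = parse_106015(line)
        if ev is None or set(ev["flags"].split()) != {"SYN", "ACK"}:
            continue  # other message IDs, and RST/FIN denials, are not this symptom
        owner = owning_interface(ev["src"])
        if owner is not None and owner != ev["iface"]:
            findings.append({"host": ev["src"], "client": ev["dst"], "expected": owner, "seen_on": ev["iface"]})
    return findings
```

A hit means the host's default gateway (or a static route on it) sends the reply towards the Private side instead of back through the ASA's management interface, which is exactly what to verify on the host before touching ACLs or NAT.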


Re: Accessing hosts on the Management network from a VPN client

I can't tell from the post without seeing the configs, but you may need to add an ACL entry on one of the interfaces and/or a static nat translation for the VPN segment since you are passing traffic from a lower to a higher security level interface.
