
AnyConnect sessions do not reach the inside interfaces of the ASA

alexdelangel
Level 1

Hello friends,

I have finished the configuration of an AnyConnect profile, and it is working pretty well; I can reach all of my network resources. The only problem is that I cannot ping the inside interface of my ASA, or SSH to my inside interface.

I clearly understand that AnyConnect sessions arrive at the outside interface of the ASA, so I just want to know if it is normal behavior for the ASA that I cannot ping the other interfaces.

Anyway I can reach my ASA through the outside interface, I just want to know if this behavior is normal.

Regards!

2 Replies

Jouni Forss
VIP Alumni

Hi,

Typically the ASA won't let you access its ports if the connecting host is located behind another interface of the ASA, which is the situation in your case.

However, for VPN use the ASA has a command that allows connections for management purposes to one interface if the connection is coming through a VPN connection.

So for the interface you want to access through VPN you will have to have this command

management-access <interface nameif>

Naturally the interface IP address has to be part of the VPN configurations. Though if the LAN is directly connected without any routers in between this should already be true.

Let me know if this corrects the problem.

Hope this helps :)

- Jouni

Hello Jouni,

Thanks for your answer, and I am sorry for my delay in answering your comment, but it did not correct the problem. The single LAN is directly connected. I would like to disable the SSH access of the outside interface, that is why I am requesting some help.

I have issued the "route-lookup" statement to the nat rule, and now I am able to ping and manage the inside interface of my ASA through anyconnect sessions.

Regards!