Cannot Manage ASA via AnyConnect VPN
KB ID 0000925 Dtd 08/03/14
Problem
I haven't needed to use my AnyConnect VPN for a long time, but this week I needed to spin up some test servers. The VPN connected fine, but I could not access the ASA over the tunnel via telnet, SSH or ASDM.
Solution
1. Traditionally, all you needed to do to manage an ASA from a remote VPN session was to enable management access on the inside interface. This lets a VPN client that arrives on the outside interface reach the inside interface IP for telnet, SSH, ASDM and ping:
User Access Verification
Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# management-access inside
2. On version 8.3 and later you also need the route-lookup keyword on the end of the NAT exemption statement (the twice NAT rule that stops the remote VPN subnet being NATed). Without it the ASA selects the egress interface from the NAT rule rather than from the routing table, so traffic addressed to the inside interface itself is not handled locally. Check with show run nat:
Petes-ASA# show run nat
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.253.253.0_24 NETWORK_OBJ_10.253.253.0_24 no-proxy-arp route-lookup
3. Finally, make sure the same-security-traffic permit intra-interface command is enabled, so the ASA will accept traffic that enters and leaves on the same interface (as remote-access VPN traffic terminating on the outside interface does):
Petes-ASA# configure terminal
Petes-ASA(config)# same-security-traffic permit intra-interface
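The three settings above are easy to lose track of, so the following added example (not part of the original KB article, and not Cisco code) audits a saved `show run` dump for all of them at once: management-access on the chosen interface, a twice NAT identity rule for the VPN subnet object that carries route-lookup, and the intra-interface permit. The two config samples embedded in it are constructed for this example; the object name NETWORK_OBJ_10.253.253.0_24 is the one from the article, and the hostname and subnet are assumptions.

```python
import re

# Constructed `show run` extracts for this example (not taken from a real ASA).
# VPN_OBJECT is the network object the article's NAT exemption refers to.
VPN_OBJECT = "NETWORK_OBJ_10.253.253.0_24"

# "Broken" config: management-access is set, but the NAT exemption lacks
# route-lookup and intra-interface traffic is not permitted.
SAMPLE_SHOW_RUN_BROKEN = """\
: Saved
hostname Petes-ASA
same-security-traffic permit inter-interface
object network NETWORK_OBJ_10.253.253.0_24
 subnet 10.253.253.0 255.255.255.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.253.253.0_24 NETWORK_OBJ_10.253.253.0_24 no-proxy-arp
management-access inside
"""

# "Fixed" config: all three requirements from the article are present.
SAMPLE_SHOW_RUN_FIXED = """\
: Saved
hostname Petes-ASA
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.253.253.0_24
 subnet 10.253.253.0 255.255.255.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.253.253.0_24 NETWORK_OBJ_10.253.253.0_24 no-proxy-arp route-lookup
management-access inside
"""

# Twice NAT rule: nat (real_if,mapped_if) source static A B destination static C D [options]
NAT_RULE = re.compile(
    r"^nat \((\S+),(\S+)\) source static (\S+) (\S+) destination static (\S+) (\S+)(.*)$"
)


def parse_show_run(text):
    """Return the non-empty, non-comment config lines with indentation stripped."""
    return [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("!")]


def has_management_access(lines, iface="inside"):
    return f"management-access {iface}" in lines


def has_intra_interface_permit(lines):
    return "same-security-traffic permit intra-interface" in lines


def vpn_nat_exemptions(lines, vpn_object):
    """Find identity twice NAT rules whose destination (real and mapped) is the VPN object.

    Each result records whether the rule carries the route-lookup keyword.
    """
    found = []
    for line in lines:
        m = NAT_RULE.match(line)
        if not m:
            continue
        _real_if, _mapped_if, src_real, src_mapped, dst_real, dst_mapped, opts = m.groups()
        # Identity NAT: source and destination are mapped to themselves.
        if src_real == src_mapped and dst_real == vpn_object and dst_mapped == vpn_object:
            found.append({"line": line, "route_lookup": "route-lookup" in opts.split()})
    return found


def audit(text, vpn_object, mgmt_iface="inside"):
    """Return a list of findings; an empty list means all three settings are in place."""
    lines = parse_show_run(text)
    findings = []
    if not has_management_access(lines, mgmt_iface):
        findings.append(f"missing: management-access {mgmt_iface}")
    rules = vpn_nat_exemptions(lines, vpn_object)
    if not rules:
        findings.append(f"missing: identity NAT exemption for {vpn_object}")
    for rule in rules:
        if not rule["route_lookup"]:
            findings.append("missing route-lookup on: " + rule["line"])
    if not has_intra_interface_permit(lines):
        findings.append("missing: same-security-traffic permit intra-interface")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", SAMPLE_SHOW_RUN_BROKEN), ("fixed", SAMPLE_SHOW_RUN_FIXED)):
        print(name, audit(cfg, VPN_OBJECT) or "OK")
```

Point the script at a real `show run` capture (read the file into `audit`) and it will tell you which of the three steps is still missing; the NAT check deliberately only flags identity rules for the VPN object, so other twice NAT rules without route-lookup are left alone.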