Cannot Manage ASA via AnyConnect VPN

KB ID 0000925 

Problem

I haven’t needed to use my AnyConnect for a long time. But this week I needed to spin up some test servers. I connected fine, but I could not access the ASA via telnet, SSH or ASDM.

Solution

1. Traditionally, all you needed to do to manage an ASA from a remote VPN session was to set management-access to inside.

[box]

User Access Verification

Password:
Type help or '?' for a list of available commands.
Petes-ASA> enable
Password: ********
Petes-ASA# configure terminal
Petes-ASA(config)# management-access inside

[/box]

2. Post version 8.3, you also need the route-lookup keyword on the end of the NAT statement (the one that stops the remote VPN subnet being NATted).

[box]

PetesASA# show run nat
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.253.253.0_24 NETWORK_OBJ_10.253.253.0_24 no-proxy-arp route-lookup

[/box]

3. Finally, make sure you have the same-security-traffic permit intra-interface command enabled.

[box]

Petes-ASA# configure terminal
Petes-ASA(config)# same-security-traffic permit intra-interface

[/box]
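The three settings above can be checked offline against a saved copy of the running configuration. This is an added example, not part of the original article: the function names and the sample configuration are constructed, and it assumes the managed interface is inside and the VPN pool object is the one shown in step 2.

```python
# Constructed sample of saved running-config text (not from a real device).
# Its NAT exemption rule is deliberately missing the route-lookup keyword.
SAMPLE_CONFIG = """\
hostname Petes-ASA
same-security-traffic permit intra-interface
object network NETWORK_OBJ_10.253.253.0_24
 subnet 10.253.253.0 255.255.255.0
nat (inside,outside) source static any any destination static NETWORK_OBJ_10.253.253.0_24 NETWORK_OBJ_10.253.253.0_24 no-proxy-arp
management-access inside
"""


def exemption_rules(lines, vpn_object, mgmt_if):
    """Yield token lists of NAT rules from mgmt_if whose destination is the VPN pool object."""
    for line in lines:
        tok = line.split()
        if len(tok) < 2 or tok[0] != "nat" or not tok[1].startswith(f"({mgmt_if},"):
            continue
        if "destination" in tok:
            i = tok.index("destination")
            # Identity NAT: "destination static <obj> <obj>"
            if tok[i + 1:i + 4] == ["static", vpn_object, vpn_object]:
                yield tok


def audit_vpn_management(config, vpn_object, mgmt_if="inside"):
    """Return a list of findings; an empty list means all three steps are in place."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    # Step 1: management-access must name the interface reached through the tunnel.
    if f"management-access {mgmt_if}" not in lines:
        findings.append(f"missing: management-access {mgmt_if}")
    # Step 2: the NAT exemption for the VPN pool must end with route-lookup.
    rules = list(exemption_rules(lines, vpn_object, mgmt_if))
    if not rules:
        findings.append(f"missing: NAT exemption for {vpn_object}")
    for tok in rules:
        if "route-lookup" not in tok:
            findings.append("NAT exemption lacks route-lookup: " + " ".join(tok))
    # Step 3: the intra-interface permit must be present.
    if "same-security-traffic permit intra-interface" not in lines:
        findings.append("missing: same-security-traffic permit intra-interface")
    return findings


if __name__ == "__main__":
    for finding in audit_vpn_management(SAMPLE_CONFIG, "NETWORK_OBJ_10.253.253.0_24"):
        print(finding)
```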
