
management of ASA not working over vpn tunnel HELP!

Status
Not open for further replies.

Hamper19 (IS-IT--Management), Jun 24, 2009
Hi folks, I set up my ASA 5510 recently and everything is working fine, EXCEPT management access over the VPN tunnel.

I can VPN in fine, get to my DMZ, internal, etc. Can get out through split tunneling. All interfaces can get to the web with no problem, etc.

From what I understand it should have been as simple as issuing the management-access inside command, which I've done, and no luck. Any help would seriously be appreciated. My datacenter is all the way downtown and right now I have to take subway trips to do any config changes. Annoying.

Below is the config:

ASA Version 7.2(2)
!

!
interface Ethernet0/0
nameif fpm_outside
security-level 0
ip address x.x.x.x x.x.x.x
!
interface Ethernet0/1
nameif fpm_dmz
security-level 50
ip address 192.168.200.1 255.255.255.0
!
interface Ethernet0/2
nameif fpm_inside
security-level 80
ip address 192.168.100.1 255.255.255.0
!
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
boot system disk0:/asa722-k8.bin
boot system disk0:/asa712-k8.bin
boot system disk0:/asa708-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object-group network DMZ_Servers
network-object host 192.168.200.100
network-object host 192.168.200.50
access-list fpm_outside_access_in extended permit tcp any any eq www
access-list fpm_outside_access_in extended permit tcp any any eq 1935
access-list fpm_outside_access_in extended permit tcp any any eq https
access-list fpm_outside_access_in extended permit tcp any any eq 8080
access-list fpm_outside_access_in extended permit tcp any any eq ssh
access-list fpm_outside_access_in extended permit icmp any any
access-list fpm_outside_access_in extended permit udp any any
access-list split_tunnel standard permit 192.168.200.0 255.255.255.0
access-list split_tunnel standard permit 192.168.100.0 255.255.255.0
access-list split_tunnel standard permit 192.168.1.0 255.255.255.0
access-list vpnra extended permit ip 192.168.200.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpnra extended permit ip 192.168.100.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpnra extended permit ip 192.168.1.0 255.255.255.0 10.1.1.0 255.255.255.0
access-list vpnra extended permit ip 192.168.100.0 255.255.255.0 192.168.200.0 255.255.255.0
access-list vpnra extended permit ip 192.168.200.0 255.255.255.0 192.168.100.0 255.255.255.0
access-list fpm_inside_access_in extended permit tcp 192.168.200.0 255.255.255.0 any eq 3260
access-list fpm_inside_access_in extended permit tcp 192.168.200.0 255.255.255.0 eq https any eq https inactive
access-list fpm_inside_access_in extended permit tcp 192.168.200.0 255.255.255.0 any eq
access-list fpm_inside_access_in extended permit tcp 192.168.200.0 255.255.255.0 any eq 1433
access-list fpm_inside_access_in extended permit tcp 192.168.200.0 255.255.255.0 eq 1433 any
access-list fpm_inside_access_in extended permit ip any any
access-list fpm_inside_access_in extended deny tcp any any eq smtp
access-list fpm_dmz_access_in extended permit tcp any any eq https
access-list fpm_dmz_access_in extended permit tcp any any eq www
access-list fpm_dmz_access_in extended permit tcp any any eq 8080
access-list fpm_dmz_access_in extended permit tcp any any eq 1935
access-list fpm_dmz_access_in extended permit tcp any any eq ssh
access-list fpm_dmz_access_in extended permit tcp any any eq 1433
access-list fpm_dmz_access_in extended permit tcp any eq 1433 any
access-list fpm_dmz_access_in extended deny tcp any any eq smtp
access-list fpm_dmz_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu fpm_outside 1500
mtu fpm_dmz 1500
mtu fpm_inside 1500
mtu management 1500
ip local pool vpnpool 10.1.1.2-10.1.1.10
no failover
monitor-interface fpm_outside
monitor-interface fpm_dmz
monitor-interface fpm_inside
monitor-interface management
icmp unreachable rate-limit 1 burst-size 1
icmp permit any fpm_outside
icmp permit any fpm_dmz
icmp permit any fpm_inside
asdm image disk0:/asdm-523.bin
no asdm history enable
arp timeout 14400
nat-control
global (fpm_outside) 200 interface
nat (fpm_dmz) 0 access-list vpnra
nat (fpm_inside) 0 access-list vpnra
nat (fpm_inside) 200 0.0.0.0 0.0.0.0
nat (management) 0 access-list vpnra
nat (management) 0 0.0.0.0 0.0.0.0
static (fpm_dmz,fpm_outside) x.x.x.x 192.168.200.50 netmask 255.255.255.255
static (fpm_dmz,fpm_outside) x.x.x.x 192.168.200.100 netmask 255.255.255.255
static (fpm_dmz,fpm_outside) x.x.x.x 192.168.200.151 netmask 255.255.255.255
static (fpm_dmz,fpm_outside) x.x.x.x 192.168.200.101 netmask 255.255.255.255
access-group fpm_outside_access_in in interface fpm_outside
access-group fpm_dmz_access_in in interface fpm_dmz
access-group fpm_inside_access_in in interface fpm_inside
route fpm_outside 0.0.0.0 0.0.0.0 64.1.25.97 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
group-policy DfltGrpPolicy attributes
banner none
wins-server none
dns-server value (value)
dhcp-network-scope none
vpn-access-hours none
vpn-simultaneous-logins 3
vpn-idle-timeout 30
vpn-session-timeout none
vpn-filter none
vpn-tunnel-protocol IPSec l2tp-ipsec webvpn
password-storage disable
ip-comp disable
re-xauth disable
group-lock none
pfs disable
ipsec-udp disable
ipsec-udp-port 10000
split-tunnel-policy tunnelall
split-tunnel-network-list none
default-domain none
split-dns none
intercept-dhcp 255.255.255.255 disable
secure-unit-authentication disable
user-authentication disable
user-authentication-idle-timeout 30
ip-phone-bypass disable
leap-bypass disable
nem disable
backup-servers keep-client-config
msie-proxy server none
msie-proxy method no-modify
msie-proxy except-list none
msie-proxy local-bypass disable
nac disable
nac-sq-period 300
nac-reval-period 36000
nac-default-acl none
address-pools none
client-firewall none
client-access-rule none
webvpn
functions url-entry
html-content-filter none
homepage none
keep-alive-ignore 4
http-comp gzip
filter none
url-list none
customization value DfltCustomization
port-forward none
port-forward-name value Application Access
sso-server none
deny-message value Login was successful, but because certain criteria have not been met or due to some specific group policy, you do not have permission to use any of the VPN features. Contact your IT administrator for more information
svc none
svc keep-installer installed
svc keepalive none
svc rekey time none
svc rekey method none
svc dpd-interval client none
svc dpd-interval gateway none
svc compression deflate
group-policy freeplay internal
group-policy freeplay attributes
dns-server value (values)
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split_tunnel
username fpmadmin password P/f5uiZZ/GA/DN9N encrypted
username fpmadmin attributes
vpn-group-policy freeplay
username Alternet1 password tAqsQsVR6ZtrHgls encrypted
username Alternet1 attributes
vpn-group-policy freeplay
username Alternet2 password joHZwFFmYeQGIUKt encrypted
username Alternet2 attributes
vpn-group-policy freeplay
aaa authorization command LOCAL
http server enable
http 192.168.100.0 255.255.255.0 fpm_inside
http 192.168.100.51 255.255.255.255 fpm_inside
http 192.168.1.0 255.255.255.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec transform-set md5des esp-des esp-md5-hmac
crypto dynamic-map dynomap 10 set transform-set md5des
crypto map vpnpeer 20 ipsec-isakmp dynamic dynomap
crypto map vpnpeer interface fpm_outside
crypto isakmp identity address
crypto isakmp enable fpm_outside
crypto isakmp policy 2
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto isakmp policy 10
authentication pre-share
encryption des
hash md5
group 2
lifetime 86400
crypto isakmp nat-traversal 3600
tunnel-group freeplay type ipsec-ra
tunnel-group freeplay general-attributes
address-pool vpnpool
tunnel-group freeplay ipsec-attributes
pre-shared-key *
telnet timeout 5
ssh timeout 5
console timeout 0
management-access fpm_inside
dhcpd address 192.168.200.10-192.168.200.20 fpm_dmz
dhcpd dns xxxxx interface fpm_dmz
dhcpd enable fpm_dmz
!
dhcpd address 192.168.100.2-192.168.100.250 fpm_inside
dhcpd dns xxxxxxx interface fpm_inside
dhcpd enable fpm_inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
!
class-map inspection_default
match default-inspection-traffic
!

K
 
maybe increase this a bit:
console timeout 0

Are you using SSH? Are you getting a specific error? Can you post the error?
 
Forget about increasing the console timeout... I see the SSH timeout and telnet.
 
My plan was to just connect over the VPN, and RDP to a management box on the inside interface, and manage everything from there. I was either going to use ASDM, or
Do I need to do it another way?
 
Also, no specific error in the logs. When I did a packet trace via the ASDM, it shows me it's an ACL issue but I don't see how.

I'm not at my DC right now, I'm back in the office, so any kind of input I get I will use tomorrow when I head down there.
 
How would you enable SSH, and then how do you use SSH, with something like PuTTY? I've never used SSH much.

Taking my config above, what command would I issue to enable SSH and try to SSH to the ASA?

Thanks for your help so far.
 
Code:
! Authenticate SSH logins and the enable password against the local user database
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL

! Local admin account (replace the placeholders); privilege 15 gives full access
username blah password blah privilege 15

! RSA key pair for the SSH server (requires hostname and domain-name to be set)
crypto key generate rsa modulus 1024

! Permit SSH only from the VPN pool range (10.1.1.1 - 10.1.1.14) on the inside
! interface, which is named fpm_inside in the config posted above
ssh 10.1.1.0 255.255.255.240 fpm_inside
So the above enables you to access the appliance via SSH. The first two lines use the local user database for credentials hence the username/password line right underneath. If you have RADIUS or TACACS+ then you can alter it to use those protocols, but then you'll need to set up a server group with the appropriate protocol. The last line in the config allows 10.1.1.1 - 10.1.1.14 to access the inside interface for ssh connections.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
So I would put in the code, then I would connect via VPN, and RDP to a box on the inside, and run SSH from that? Or would I be able to SSH right from my own machine once I connect to the VPN? Would I just use something like PuTTY?
 
When you connect via RA VPN, you will use SSH software such as PuTTY or TeraTerm and connect to the inside interface.

I hate all Uppercase... I don't want my groups to seem angry at me all the time! =)
- ColdFlame (vbscript forum)
 
So use PuTTY to connect to the inside interface? What about the management interface?
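An added check, not from this thread or from any Cisco tool, that pulls the `ip local pool`, `http`/`ssh` source statements and `management-access` line out of a config like the one posted above and reports whether the VPN pool addresses are permitted management sources on the management-access interface, suggesting the tightest statement that covers the pool if they are not. The sample input is an excerpt of the posted config; the function names are mine.

```python
import ipaddress
import re

# Management-related lines excerpted from the config posted above (constructed sample input).
SAMPLE_CONFIG = """\
ip local pool vpnpool 10.1.1.2-10.1.1.10
http 192.168.100.0 255.255.255.0 fpm_inside
http 192.168.1.0 255.255.255.0 management
management-access fpm_inside
"""
RULE_RE = re.compile(r"^(http|ssh) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")
POOL_RE = re.compile(r"^ip local pool \S+ (\d+\.\d+\.\d+\.\d+)-(\d+\.\d+\.\d+\.\d+)")

def parse_config(text):
    """Return (pool first/last address, [(proto, permitted source net, iface)], management-access iface)."""
    pool, rules, mgmt = None, [], None
    for line in (ln.strip() for ln in text.splitlines()):
        if m := POOL_RE.match(line):
            pool = (ipaddress.IPv4Address(m[1]), ipaddress.IPv4Address(m[2]))
        elif m := RULE_RE.match(line):  # "http A.B.C.D MASK IFACE": allowed sources on IFACE
            rules.append((m[1], ipaddress.IPv4Network(f"{m[2]}/{m[3]}", strict=False), m[4]))
        elif line.startswith("management-access "):
            mgmt = line.split()[1]
    return pool, rules, mgmt

def covering_network(pool):
    """Smallest prefix containing the whole pool (10.1.1.2-10.1.1.10 -> 10.1.1.0/28)."""
    net = ipaddress.IPv4Network(f"{pool[0]}/32")
    while pool[1] not in net:
        net = net.supernet()
    return net

def interfaces_allowing_pool(text, proto):
    """Interfaces on which every VPN pool address is a permitted source for proto."""
    pool, rules, _ = parse_config(text)
    addrs = [ipaddress.IPv4Address(i) for i in range(int(pool[0]), int(pool[1]) + 1)]
    allowed = []
    for iface in sorted({r[2] for r in rules}):
        nets = [n for p, n, i in rules if p == proto and i == iface]
        if all(any(a in n for n in nets) for a in addrs):
            allowed.append(iface)
    return allowed

def suggested_rule(text, proto):
    """Source statement missing on the management-access interface, or None if already covered."""
    pool, _, mgmt = parse_config(text)
    if mgmt not in interfaces_allowing_pool(text, proto):
        net = covering_network(pool)
        return f"{proto} {net.network_address} {net.netmask} {mgmt}"
```

Run against the excerpt, the posted `http` statements only permit 192.168.100.0/24 and 192.168.1.0/24, so a client arriving from the 10.1.1.x pool is not a permitted source on fpm_inside for either ASDM or SSH; the suggested statement stays scoped to the pool rather than opening management to `any`.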
 