management of ASA over VPN

[mdc1973]

Probably an easy one for someone to answer, I'm just looking for confirmation really.

Got a VPN between two ASA 5510s which works fine. I want to manage the remote ASA via the inside interface, so will add the 'management-access inside' command.

However, I imagine i will also need to add ssh and http rules to allow my IP to manage the device via the inside interface?

eg no ssh 1.1.1.1 255.255.255.255 outside
ssh 1.1.1.1 255.255.255.255 inside

Also, I want to authenticate via TACACS+- all the aaa-server config is already in place, so I should just need to change the aaa auth setting to point to my tacacs group rather than LOCAL..?

 

[jdeisenm]

Here is the tacacs config

aaa-server AAA_GROUP protocol tacacs+
aaa-server AAA_GROUP host 10.10.10.x
timeout 5
key myKey
aaa authentication ssh console AAA_GROUP LOCAL
aaa authentication enable console AAA_GROUP LOCAL
aaa authentication serial console AAA_GROUP LOCAL

Here is the management config.

ssh 0.0.0.0 0.0.0.0 inside
ssh 0.0.0.0 0.0.0.0 outside (you can adjust this for your specific network)
ssh timeout 60
console timeout 0
management-access inside