Cisco ASA Series Cli Configuration Manual page 1007

Chapter 1 Configuring Management Access
Configuring Management Access Over a VPN Tunnel
If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different
interface, you can identify that interface as a management-access interface. For example, if you enter the
ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH,
Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface.
Management access is available via the following VPN tunnel types: IPsec clients, IPsec site-to-site, and
the AnyConnect SSL VPN client.
This section includes the following topics:
•
•
•
Licensing Requirements for a Management Interface
The following table shows the licensing requirements for this feature:
Model License Requirement
All models Base License.
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines
Supported in single mode.
Firewall Mode Guidelines
Supported in routed mode.
IPv6 Guidelines
Supports IPv6.
Additional Guidelines
You can define only one management access interface.
Note
For the configurations that follow, 192.168.10.0/24 is the VPN pool for AnyConnect or IPsec VPN
clients. Each configuration allows VPN client users to connect to ASDM or SSH to the ASA using the
management interface IP address.
To allow only VPN client users access to ASDM or HTTP (and deny access to all other users), enter the
following commands:
hostname(config)# http server enable
hostname(config)# http 192.168.10.0 255.255.255.0 management_interface
Licensing Requirements for a Management Interface, page 1-13
Guidelines and Limitations, page 1-2
Configuring a Management Interface, page 1-14
Configuring Management Access Over a VPN Tunnel
Cisco ASA Series CLI Configuration Guide
1-13