I had a new office set-up in Sao Paulo/Brazil and found a bug what should be already fixed but still exists. You cannot access the management interface (inside) of your ASA when you come over an L2L/RemoteAccess VPN and your NAT statements overlaps the management ip address.
It’s an split-tunneling configuration where VPN traffic keeps the original IP address and when you go into the internet you will translated to the outside IP address. Have a look here at the cisco bug CSCtr16184
I used the following config what didn’t work:
nat (inside,outside) source static inside-subs inside-subs destination static vpn-subs vpn-subs
When you use the NAT statements described in the workaround it works fine:
nat (inside,outside) source static inside-subs inside-subs destination static vpn-subs vpn-subs route-lookup nat (outside,inside) source static vpn-subs vpn-subs destination static inside-subs inside-subs route-lookup
This behavior should be already fixed in version 8.4(2.3) but in my 8.4(4)1 it still exists.
Here the bug details from Cisco:
To-the-box traffic fails from hosts over vpn after upgrade to 8.4.2.
Symptom:
After upgrading the ASA to 8.4.2, all management traffic to-the-box(including icmp/telnet/ssh/ASDM) from hosts over the VPN (L2L or Remote ACcess VPN) may fail when destined to the management-access interface IP address.
Conditions:
1. Issue is observed if ASA is on 8.4.2. Not observed on 8.4.1.
2. Users directly connected to the internal interfaces face no issues with icmp/telnet/ssh/asdm to their respective interfaces.
Workaround:
The problem can be traced to a Manual NAT statement that overlaps with the management-access interface IP address. The NAT statement must have both the source and destination fields. Adding the “route-lookup” keyword at the end of the NAT statement resolves the issue.