Configuring remote management, Vpnclient management – Cisco ASA 5505 User Manual
Page 1567
71-9
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 71 Configuring Easy VPN Services on the ASA 5505
Configuring Remote Management
The next example provides greater security but less flexibility because it exempts one specific Cisco IP
phone:
hostname(config)# vpnclient mac-exempt 0003.6b54.b213 ffff.ffff.ffff
hostname(config)#
Note
Make sure you have Individual User Authentiction and User Bypass configured on the headend
device. For example, if you have the ASA as the headend, configure the following under group
policy:
hostname(config-group-policy)#user-authentication enable
hostname(config-group-policy)#ip-phone-bypass enable
Configuring Remote Management
The Cisco ASA 5505, operating as an Easy VPN hardware client, supports management access using
SSH or HTTPS, with or without a second layer of additional encryption. You can configure the Cisco
ASA 5505 to require IPsec encryption within the SSH or HTTPS encryption.
Use the vpnclient management clear command in global configuration mode to use normal routing to
provide management access from the corporate network to the outside interface of the ASA 5505
(no tunneling management packets).
Caution
Do not configure a management tunnel on a Cisco ASA 5505 configured as an Easy VPN
hardware client if a NAT device is operating between the Easy VPN hardware client and the
Internet. In that configuration, use the vpnclient management clear command.
Use the vpnclient management tunnel command in global configuration mode if you want to automate
the creation of IPsec tunnels to provide management access from the corporate network to the outside
interface of the ASA 5505. The Easy VPN hardware client and server create the tunnels automatically
after the execution of the vpnclient server command. The syntax of the vpnclient management tunnel
command follows:
vpnclient management tunnel ip_addr_1 ip_mask_1 [ip_addr_2 ip_mask_2...ip_addr_n ip_mask_n]
Note
Regardless of your configuration, DHCP requests (including renew messages) should not flow
over IPsec tunnels. Even with a vpnclient management tunnel, DHCP traffic is prohibited.
For example, enter the following command to automate the creation of an IPsec tunnel to provide
management access to the host with IP address 192.168.10.10:
hostname(config)# vpnclient management tunnel 192.198.10.10 255.255.255.0
hostname(config)#
The no form of this command sets up IPsec for management tunnels in accordance with the
split-tunnel-policy and split-tunnel-network-list commands.
no vpnclient management
For example: