ASA 5512X - need help accessing ASDM/SSH from inside VPN

My VPN access is fine, but when I try to SSH/ASDM while on the VPN, nothing is getting contacted. What's missing from the (sanitized) config below?

Thank you!


*************************

: Saved
:
ASA Version 9.1(2)
!
hostname
enable password
names
ip local pool VPNPool 192.168.199.100-192.168.199.200 mask 255.255.255.0
!
interface GigabitEthernet0/0
 description
 nameif TWCF
 security-level 0
 ip address  
!
interface GigabitEthernet0/1
 nameif Cable
 security-level 0
 ip address
!
interface GigabitEthernet0/2
 description inside
 nameif inside
 security-level 100
 ip address 192.168.24.1 255.255.255.0
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
boot system disk0:/asa912-smp-k8.bin
ftp mode passive
clock timezone
clock summer-time recurring
object network obj-192.168.24.0
 subnet 192.168.24.0 255.255.255.0
object network obj-192.168.199.0
 subnet 192.168.199.0 255.255.255.0
access-list split-tunnel extended permit ip 192.168.24.0 255.255.255.0 192.168.199.0 255.255.255.0
access-list TWCF_access_in extended permit ip object obj-192.168.199.0 any
access-list inside_access_in extended permit ip object obj-192.168.199.0 any
access-list inside_access_in extended permit ip object obj-192.168.24.0 any
pager lines 24
logging asdm informational
mtu TWCF 1500
mtu Cable 1500
mtu inside 1500
mtu management 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-713.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
nat (inside,TWCF) source static obj-192.168.24.0 obj-192.168.24.0 destination static obj-192.168.199.0 obj-192.168.199.0
!
nat (inside,TWCF) after-auto source dynamic any interface
nat (inside,Cable) after-auto source dynamic any interface
access-group TWCF_access_in in interface TWCF control-plane
access-group inside_access_in in interface inside control-plane
route TWCF 0.0.0.0 0.0.0.0 1 track 1
route Cable 0.0.0.0 0.0.0.0 254
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.24.0 255.255.255.0 inside
http 192.168.199.0 255.255.255.0 TWCF
http 192.168.199.0 255.255.255.0 inside
http 0.0.0.0 0.0.0.0 TWCF
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
sla monitor 123
 type echo protocol ipIcmpEcho  interface TWCF
 num-packets 3
 timeout 3000
 frequency 5
sla monitor schedule 123 life forever start-time now
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto map TWCF_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map TWCF_map interface TWCF
crypto map Cable_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Cable_map interface Cable
crypto ca trustpool policy
crypto ikev1 enable TWCF
crypto ikev1 enable Cable
crypto ikev1 policy 10
 authentication crack
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 20
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 30
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 40
 authentication crack
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 50
 authentication rsa-sig
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 60
 authentication pre-share
 encryption aes-192
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 70
 authentication crack
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 80
 authentication rsa-sig
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 90
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 100
 authentication crack
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 110
 authentication rsa-sig
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 120
 authentication pre-share
 encryption 3des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 130
 authentication crack
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 140
 authentication rsa-sig
 encryption des
 hash sha
 group 2
 lifetime 86400
crypto ikev1 policy 150
 authentication pre-share
 encryption des
 hash sha
 group 2
 lifetime 86400
!
track 1 rtr 123 reachability
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 TWCF
ssh 192.168.24.0 255.255.255.0 inside
ssh 192.168.199.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd address 192.168.24.100-192.168.24.200 inside
dhcpd dns  interface inside
dhcpd enable inside
!
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption rc4-sha1 aes128-sha1 aes256-sha1 3des-sha1
group-policy DfltGrpPolicy attributes
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value split-tunnel
username password encrypted privilege 15
tunnel-group DefaultRAGroup general-attributes
 address-pool (TWCF) VPNPool
tunnel-group DefaultRAGroup ipsec-attributes
 ikev1 pre-shared-key *****
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny  
  inspect sunrpc
  inspect xdmcp
  inspect sip  
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:d6223b7e6b4d2b3fb4124c9b125bf571
: end
Asked by: d4nnyo
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
Can you add the below command and try?

ASA(config)# management-access inside
d4nnyo (Author) commented:
That line is already in the config -- see this section:

track 1 rtr 123 reachability
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 TWCF
ssh 192.168.24.0 255.255.255.0 inside
ssh 192.168.199.0 255.255.255.0 inside
ssh 192.168.1.0 255.255.255.0 management
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
management-access inside
dhcpd address 192.168.24.100-192.168.24.200 inside
dhcpd dns  interface inside
dhcpd enable inside
NetExpert Network Solutions Pte Ltd (Technical Specialist) commented:
Can you try to change the below line from

nat (inside,TWCF) source static obj-192.168.24.0 obj-192.168.24.0 destination static obj-192.168.199.0 obj-192.168.199.0

to

nat (inside,TWCF) source static obj-192.168.24.0 obj-192.168.24.0 destination static obj-192.168.199.0 obj-192.168.199.0  route-lookup
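
As an added illustration of what this thread's fix actually changes (my example, not code from the thread, from Experts Exchange or from Cisco): the Python lint below reads an ASA running-config as text and checks the three things a remote-access VPN client needs before it can reach SSH/ASDM on an inside interface: `management-access <interface>` naming the managed interface, `http server enable` plus `ssh`/`http` entries that admit the VPN pool on that interface, and an identity twice-NAT between that interface and the pool that carries `route-lookup`, so the ASA picks the egress interface from the routing table instead of from the NAT rule. The embedded config is a constructed, trimmed copy of the question's sanitized config from before the fix; the function names, the `Finding` type and the ok/warn/fail scheme are my own, and the script only inspects text, it does not model ASA behaviour.

```python
"""Lint an ASA running-config for what a VPN client needs to reach SSH/ASDM on an
inside interface.  Added example for this thread, not Cisco code; it checks text only:
  1. `management-access <if>` names the interface whose own address is managed,
  2. `http server enable`, plus `ssh`/`http` lines admitting the VPN pool on that if,
  3. the identity (twice) NAT between that if and the pool carries `route-lookup`.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample: the relevant lines of the thread's config, before the fix.
SAMPLE_CONFIG_BEFORE = """\
ip local pool VPNPool 192.168.199.100-192.168.199.200 mask 255.255.255.0
object network obj-192.168.24.0
 subnet 192.168.24.0 255.255.255.0
object network obj-192.168.199.0
 subnet 192.168.199.0 255.255.255.0
nat (inside,TWCF) source static obj-192.168.24.0 obj-192.168.24.0 destination static obj-192.168.199.0 obj-192.168.199.0
nat (inside,TWCF) after-auto source dynamic any interface
http server enable
http 192.168.199.0 255.255.255.0 inside
ssh 192.168.199.0 255.255.255.0 inside
management-access inside
"""

NAT_RE = re.compile(r"nat \((?P<real>[^,]+),(?P<mapped>[^)]+)\) source static (?P<s>\S+) (?P<sm>\S+)"
                    r" destination static (?P<d>\S+) (?P<dm>\S+)(?P<rest>.*)")
ACL_RE = re.compile(r"(?P<svc>ssh|http) (?P<ip>\d+\.\d+\.\d+\.\d+) (?P<mask>\d+\.\d+\.\d+\.\d+) (?P<if>\S+)\s*$")
POOL_RE = re.compile(r"ip local pool (?P<name>\S+) (?P<first>\S+)-(?P<last>\S+) mask (?P<mask>\S+)")


@dataclass
class Finding:
    severity: str  # "ok", "warn" or "fail"
    message: str


def _net(addr, mask):
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def _network_objects(lines):
    """Map `object network NAME` -> ip_network, for `subnet` and `host` bodies."""
    objs, current = {}, None
    for line in lines:
        if line.startswith("object network "):
            current = line.split()[2]
        elif not line.startswith(" "):
            current = None          # left the object body
        elif current:
            parts = line.split()
            if parts[0] == "subnet":
                objs[current] = _net(parts[1], parts[2])
            elif parts[0] == "host":
                objs[current] = ipaddress.ip_network(parts[1])
    return objs


def _mgmt_interface(lines):
    return next((l.split()[1] for l in lines if l.startswith("management-access ")), None)


def audit(config_text):
    """Return a list of Finding for every VPN pool in the config."""
    lines = config_text.splitlines()
    objs, out = _network_objects(lines), []
    mgmt = _mgmt_interface(lines)
    if mgmt is None:
        return [Finding("fail", "no `management-access <interface>`: a VPN client cannot "
                                "address a non-tunnel interface's own IP without it")]
    out.append(Finding("ok", f"management-access {mgmt}"))
    if "http server enable" not in lines:
        out.append(Finding("fail", "`http server enable` missing: the ASDM listener is off"))
    pools = [(m["name"], _net(m["first"], m["mask"])) for m in map(POOL_RE.match, lines) if m]
    if not pools:
        return out + [Finding("fail", "no `ip local pool`: nothing to evaluate VPN sources against")]
    for name, pool in pools:
        for svc in ("ssh", "http"):   # is the whole pool admitted to this service on mgmt?
            hit = any(m and m["svc"] == svc and m["if"] == mgmt and pool.subnet_of(_net(m["ip"], m["mask"]))
                      for m in map(ACL_RE.match, lines))
            out.append(Finding("ok" if hit else "fail", f"{svc} from {name} ({pool}) on {mgmt}: " +
                               ("permitted" if hit else f"add `{svc} {pool.network_address} {pool.netmask} {mgmt}`")))
        # identity twice-NAT whose real interface is mgmt and whose destination object covers the pool
        exempt = [(l, m) for l in lines for m in [NAT_RE.match(l)]
                  if m and m["real"] == mgmt and m["s"] == m["sm"] and m["d"] == m["dm"]
                  and m["d"] in objs and pool.subnet_of(objs[m["d"]])]
        if not exempt:
            out.append(Finding("warn", f"no identity twice-NAT from {mgmt} to {name}; if a dynamic "
                                       "NAT matches this traffic, add one with `route-lookup`"))
        for line, m in exempt:
            ok = "route-lookup" in m["rest"].split()
            out.append(Finding("ok" if ok else "fail", "NAT exemption " + ("has route-lookup" if ok else
                               f"lacks route-lookup; replace with:\n  {line.rstrip()} route-lookup")))
    return out


def apply_fix(config_text):
    """Append `route-lookup` to identity twice-NATs on the management-access interface that lack it."""
    lines = config_text.splitlines()
    mgmt, fixed = _mgmt_interface(lines), []
    for line in lines:
        m = NAT_RE.match(line)
        if (m and m["real"] == mgmt and m["s"] == m["sm"] and m["d"] == m["dm"]
                and "route-lookup" not in m["rest"].split()):
            line = line.rstrip() + " route-lookup"
        fixed.append(line)
    return "\n".join(fixed) + "\n"


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG_BEFORE):
        print(f"[{f.severity}] {f.message}")
```

Run against the constructed sample, the only `fail` it reports is the NAT exemption without `route-lookup`, which is exactly the change proposed above; `apply_fix` produces the corrected line and a second `audit` of its output is all `ok`.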

Pete Long (Technical Consultant) commented:
^^^ This is what usually trips me up - that's what my money is on :)
Remote ASA Management via VPN
DO NOT ACCEPT THIS COMMENT!


Pete
d4nnyo (Author) commented:
Hi Pete,

What do you mean by "DO NOT ACCEPT THIS COMMENT?"
d4nnyo (Author) commented:
Pete -- I see, understood. Assuming the resolution works, I'll apply points to the commenter above your remark.
Pete Long (Technical Consultant) commented:
The poster above me supplied the correct resolution :)