topic Routing on mgmt interface in Network Security

Routing on mgmt interface

h.dam — Fri, 21 Feb 2020 15:23:12 GMT

Hello ,

I'm setting up a pair of A/P failover asa 5525-X with v9.8.

I learned that the mgmt interface uses another routing table (from a post elsewhere).

I also have SFR module using this same interface.

My question is:

Can I use this mgmt interface to route inside or outside traffic?

eg. route management 10.1.20.0 255.255.255.0 10.1.16.254

interface management0/0

nameif management

security-level 100

ip add 10.1.16.1 255.255.255.0

interface g0/1

nameif dmz

security-level 50

ip add 10.1.14.1 255.255.255.0

(10.1.16.254 = GW of management vlan)

Thanks.

Re: Routing on mgmt interface

John Telford — Tue, 20 Feb 2018 22:38:42 GMT

ASA cannot use the management interface if the SFR is being used.

The quick start guide for the 5525-x explains how the interfaces behave quite well I found:

https://www.cisco.com/c/en/us/td/docs/security/asa/quick_start/5500X/5500x_quick_start.html

Go through the doc but a snip from it:

Management 0/0 belongs to the ASA FirePOWER module. The interface is Up, but otherwise unconfigured on the ASA. The ASA FirePOWER module can then use this interface to access the ASA inside network and use the inside interface as the gateway to the Internet.

Note: Do not configure an IP address for this interface in the ASA configuration. Only configure an IP address in the FirePOWER configuration. You should consider this interface as completely separate from the ASA in terms of routing.

ASDM access on the inside interface

NAT : Interface PAT for all traffic from inside and management to outside.

Note: If you want to deploy a separate router on the inside network, then you can route between management and inside. In this case, you can manage both the ASA and ASA FirePOWER module on Management 0/0 with the appropriate configuration changes.

Treat the SFR as a 'separate' appliance that uses the management port to connect (for SFR management). Once you get Firepower configured you can add routes in the firepower interface (ASDM or FMC or the SFR CLI)

If you are NOT going to use the SFR module then you CAN use the management interface in the ASA configuration.

You should also disable the SFR module in the config see https://www.cisco.com/c/en/us/td/docs/security/asa/asa93/configuration/firewall/asa-firewall-cli/modules-sfr.html#pgfId-1486644

correct for showing management routes, "show route management-only" always takes me a few tries of show route x.x.x.x before I remember.

Regards

Re: Routing on mgmt interface

h.dam — Thu, 22 Feb 2018 18:37:29 GMT

Its clear in the explanation. I keep mgmt interface only for SFR.

Thanks very much.