topic Re: ASA - Management Network and Asymmetric Routing? in Network Security

ASA - Management Network and Asymmetric Routing?

Eric Snijders — Fri, 21 Feb 2020 14:44:08 GMT

Hi guys,

Consider the following topology:

Let's say PC1 is my "management" device or network.

- Both ASA's can reach eachother over the 2 different VLANS.

- The ASA's each "represent" 1 datacenter.

Now there is the following issue if i want to manage ASA-1 (ICMP/SSH/HTTPS):

If i create a static route on ASA-1 to the 10.0.0.0/24 network on it's VLAN50 interface:

- I can manage the VLAN50 interface on ASA-1 from PC1

- I can not manage the VLAN100 interface on ASA-1 from PC1 cause traffic is received on it's VLAN100 interface but send back out of it's VLAN50 interface which is not possible with ASA's (right?)

Vice versa if i create the static route on it's VLAN100 interface.

Now i'm in a environment where i can't easily edit all the routes since it's a production network. Basically i'm looking for the right / a good way to manage devices on the "far" side (including the ASA itself). How should i handle this when you're working with subinterfaces on a ASA?

Re: ASA - Management Network and Asymmetric Routing?

Bogdan Nita — Mon, 13 Nov 2017 13:08:06 GMT

I would try to separate networks for clients/servers and interconnects between network devices.

Besides the problem of accessing the ASA for management, you will have problems with accessibility of the host in the 50 and 100 network.

Let's consider the following example:

- you are trying to reach a host in the 192.168.50.0/24 network from PC1

- the host has ASA-1 as default gateway

PC1 will not be able to communicate with the host because the initial packet will reach the host via ASA-2, but th return packet will be sent via ASA-1, ASA-1 not having an entry for the initial packet will drop the response packet.

The above default behavior can be changed configuring TCP State Bypass:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118995-configure-asa-00.html

I would have only one ASA as default gateway for a network.

If redundancy is need you can set up a HA or a cluster.

If you have multiple L3 interconnect links, that should not be a problem, it would probably be a good idea to use dynamic routing protocol. For ASA management you can use an inside interface then.

Re: ASA - Management Network and Asymmetric Routing?

Flavio Miranda — Mon, 13 Nov 2017 13:11:13 GMT

Hi @Eric Snijders

Topology is not available. If I understood it right, you need to play with routing but I´d like to see your topology first.

-If I helped you somehow, please, rate it as useful.-

Re: ASA - Management Network and Asymmetric Routing?

Eric Snijders — Mon, 13 Nov 2017 13:22:40 GMT

Hi Bogdan,

Thanks for the reply and the provided information. What you are saying is basically the construction i'm dealing with:

- 2 Datacenters
- Both Datacenter with ASA's (2 in each datacenter, 1 dedicated for management traffic and 1 for production traffic)
- Both Datacenters are interconnected with Layer 3 switches (dedicated interconnectivity VLAN between the DC's)

The problem so far it seems is that we have 1 "management-entry" (AnyConnect VPN, or "PC1" in this topology) and we would also like to manage the other datacenter.

But from what i have learned is that if you want to manage a ASA, you can't enter that ASA on 1 (sub)interface and request another (sub)interface on that same ASA. So what would be the best approach to create 1 "management-network" from which we can manage all devices in both DC's from the AnyConnect network (PC1)?

Re: ASA - Management Network and Asymmetric Routing?

Bogdan Nita — Mon, 13 Nov 2017 15:18:15 GMT

Sorry I think I misunderstood a little bit your question.

In the topology you posted the only interface on ASA1 that PC1 can use to connect is the on that has the correct route back to ASA2.

You could try TCP State Bypass, never configured it for traffic directed to the ASA, but it could work.

Re: ASA - Management Network and Asymmetric Routing?

Eric Snijders — Tue, 14 Nov 2017 10:55:34 GMT

Hi Bogdan,

As far as i know i tried everything:

- Configured TCP Bypass

- Allowed ICMP for "any" on all the interfaces

- Configured ACL's with "permit ip any any" on all the interfaces

- Configured same-security-level traffic for inter and intra

- I tried playing with the "management-only" and "management-access" commands

The approach is pretty simple, but there is probably a design flaw or something going on. If both DC's are connected and traffic between them occurs on a dedicated VLAN, is there seriously no way i can manage the ASA in the other DC on a (sub)interface that's different than the "inter-DC-VLAN"?

Re: ASA - Management Network and Asymmetric Routing?

Bogdan Nita — Wed, 15 Nov 2017 13:39:48 GMT

Hi Eric,

In order to get to the bottom of this I think we should simplify the problem as much as we can:
Can the outside interface of the ASA be reached from a host connected on the inside interface ?
The answer is unfortunately no, and there is nothing that can be done about it.
The best answer that can be found to explain this behavior is that this is the way the ASA was designed.
Exception:
- if your VPN tunnel terminates on one interface you can access a different interface using management-access and NAT with route-lookup