topic Re: Can't access management IP on Cisco ASA in Network Security

Can't access management IP on Cisco ASA

Mikee Hendricks — Sun, 25 Jun 2023 22:30:00 GMT

Hi,

I can't ping my ASA's management ip 10.1.50.5 from inside network, only 10.0.28.1. I already added the management ip on the route. Please take a look at this topology and config to see where iam lacking. Thanks.

ASA Version 9.12(2)
!
hostname ciscoasa
enable password ***** pbkdf2
!
license smart
feature tier standard
throughput level 1G
names
no mac-address auto

!
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address 172.18.200.167 255.255.255.0
!
interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 10.0.28.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif MGMT
security-level 100
ip address 10.1.50.5 255.255.255.128
!
ftp mode passive
dns domain-lookup OUTSIDE
dns server-group DNS
name-server 1.1.1.1
name-server 1.0.0.1
dns server-group DefaultDNS
name-server 1.1.1.1
name-server 1.0.0.1
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network outside
subnet 172.18.200.0 255.255.255.0
object network inside
subnet 10.0.28.0 255.255.255.0
object network LAN
subnet 192.168.0.0 255.255.0.0
object-group network OUTSIDE
network-object host 192.168.11.22
access-list OUT-TO-IN extended permit icmp any any
access-list OUT-TO-IN extended permit tcp any any
access-list OUT-TO-IN extended permit udp any any
pager lines 23
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu MGMT 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
!
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
access-group OUT-TO-IN in interface OUTSIDE
!
route-map PBR permit 5
set ip next-hop verify-availability 172.18.200.1 1 track 1

!
route-map PBR permit 50

!
route OUTSIDE 0.0.0.0 0.0.0.0 172.18.200.1 1
route INSIDE 192.168.10.0 255.255.255.0 10.0.28.2 1
route MGMT 192.168.10.0 255.255.255.0 10.1.50.6 1
route INSIDE 192.168.11.0 255.255.255.0 10.0.28.2 1
route INSIDE 192.168.50.0 255.255.255.0 10.0.28.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 OUTSIDE
snmp-server host INSIDE 192.168.50.21 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps syslog
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
quit
!
track 1 rtr 1 reachability
telnet timeout 2
ssh stricthostkeycheck
ssh 192.168.10.0 255.255.255.0 INSIDE
ssh 192.168.11.0 255.255.255.0 INSIDE
ssh 192.168.10.0 255.255.255.0 MGMT
ssh 192.168.11.0 255.255.255.0 MGMT
ssh timeout 2
ssh version 1 2
console timeout 2
console serial
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-access-policy-record DfltAccessPolicy
username admin password ***** pbkdf2 privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
privilege show level 5 mode configure command filter
prompt hostname context
no call-home reporting anonymous
: end

Re: Can't access management IP on Cisco ASA

MHM Cisco World — Sun, 25 Jun 2023 22:39:30 GMT

If you try ping mgmt from host connect to inside' then by default asa will drop packet'

The asa not allow ping from interface to other interface.

You can ping only to INside interface if host connect to INside

And for management you can add

Telnet 0.0.0.0 0.0.0.0 INSIDE

Re: Can't access management IP on Cisco ASA

Flavio Miranda — Sun, 25 Jun 2023 22:37:03 GMT

Use the commamd

same-security-traffic permit inter-interface

Re: Can't access management IP on Cisco ASA

Aref Alsouqi — Sun, 25 Jun 2023 23:06:40 GMT

From the diagram I can't see how the management interface is connected. When you configure a management interface on the ASA, that interface will not be passing traffic with the other interfaces, it will have its own routing table and you have to connect to it directly, not passing through other interfaces of the firewall. Try to connect that interface to the core switch and place it in the MGMT VLAN, that should work.

Re: Can't access management IP on Cisco ASA

Mikee Hendricks — Sun, 25 Jun 2023 23:09:09 GMT

I already tried the command but unfortunately it still won't work.

Re: Can't access management IP on Cisco ASA

Mikee Hendricks — Mon, 26 Jun 2023 00:17:15 GMT

I already connect the mgmt on the core switch and it works! Thank you.

Re: Can't access management IP on Cisco ASA

MHM Cisco World — Mon, 26 Jun 2023 00:53:38 GMT

even if you ping OUTside from host connect to INside, the ping will failed (bot INside and OUTside in same routing table), this not relate to mgmt routing table, this default behave of ASA.
just want to notice you

Re: Can't access management IP on Cisco ASA

Aref Alsouqi — Mon, 26 Jun 2023 01:27:12 GMT

Although that is true unless you configure access management over a VPN, but the scenario with the dedicated management interface is slightly different in the sense that the firewall dedicated management interface is never meant to be accessed through the firewall itself because it is actually segregated from the other interfaces hence it has its own routing table. Also if you try to connect to a host connected to the management interface through the firewall itself that wouldn't work for the same reason, the management interface traffic wouldn't be routed to the normal interfaces.

Re: Can't access management IP on Cisco ASA

MHM Cisco World — Mon, 26 Jun 2023 01:48:34 GMT

Friend
for example we have management interface and then we config one data interface with management only
here both interface will be in same routing table even so you can not connect to management interface and try ping/telent to data interface.
this default behave of ASA, it not allow traffic enter from one interface and directed to ASA other interface.
the issue is not routing the issue is ASA security behave which drop the packet.
that why I suggest to him if he connect his PC (get IP same as INside subnet) to INside then he can use INside as mgmt.

Re: Can't access management IP on Cisco ASA

Aref Alsouqi — Mon, 26 Jun 2023 08:22:49 GMT

Yes, we agree on this :). My point on the dedicated management interfaces is that usually we use them for OOB accesses, so from the design point of view we should have them connected to a switch potentially a separate switch to form OOB segment and potentially where we have yet an additional firewall to segregate the traffic to/from them. However, this won't be applicable to the normal data interfaces as you just can't terminate the traffic on them if you come from an opposite interface due to that default behaviour on the firewalls. The difference between using a data interface for management and a dedicated interface for management lies into having logically a separate routing table to segregate the traffic between the global routing table traffic and the management routing table, it is the same exact concept as when you use an SVI to manage a switch and when you use a dedicated management interface, on the switches there is more flexibility though because you can create an additional VRF and place the SVI into it and set its default gateway to a security device for the traffic segregation.