topic ASA Management Interface in Network Security

ASA Management Interface

tomyip — Tue, 12 Mar 2019 09:29:36 GMT

I have configured the management interface on an ASA 5525 as follows:

interface Management0/0
description MGMT link to GOLABC012SW - F1/0/17 - VLAN 701
management-only
nameif management
security-level 100
ip address 143.16.191.45 255.255.255.0

The ASA is directly connected to the switch with the following switchport config:

interface FastEthernet1/0/17
description ASA MGT port 00
switchport access vlan 701
switchport mode access
spanning-tree portfast

interface Vlan701
description Network lab management VLAN
ip address 143.16.191.15 255.255.255.0

The management interface on the ASA and switch is up/up. From the switch I can ping the ASA. But from the ASA I can't ping the switch and I can't even ping my own IP address at 143.16.191.45 on the ASA let alone anything on the 143.16.191.x subnet.

GOLABASA1/sec/actNoFailover# ping 143.16.191.45
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 143.16.191.45, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

Here's my ARP table from the ASA. So I am seeing IP hosts from the 143.16.191.x in the ARP table.

GOLABASA1/sec/actNoFailover# sh arp
outside 193.17.99.65 7081.057c.9501 0
serverlan 143.16.80.53 6c20.5665.5ec0 5246
serverlan 143.16.80.49 1cdf.0f83.3240 10814
management 143.16.191.1 7c95.f35b.4ef3 10184
management 143.16.191.26 b4a4.e3ee.96c1 12505
management 143.16.191.29 8cb6.4ff4.51c1 12512

Anyway, I'm a bit of a novice on ASA firewalls. I think I may missing something very basic. Any suggestions on what else to look for would be much appreciated.

Can you try "ping management

Rahul Govindan — Mon, 12 Jun 2017 19:49:45 GMT

Can you try "ping management 143.16.191.45"? The newer ASA software versions (9.5 and above) have a separate routing table for management which may be why your ping might be failing.

That worked!

tomyip — Tue, 13 Jun 2017 15:25:29 GMT

That worked!

GOLABASA1/sec/actNoFailover# ping management 143.16.191.45
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 143.16.191.45, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
GOLABASA1/sec/actNoFailover# ping management 143.16.191.15
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 143.16.191.15, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
GOLABASA1/sec/actNoFailover# ping management 143.16.191.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 143.16.191.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms

I can see the separate routing table.

GOLABASA1/sec/actNoFailover# show route management-only

Routing Table: mgmt-only
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set

S 143.0.0.0 255.0.0.0 [1/0] via 143.16.191.15, management
C 143.16.191.0 255.255.255.0 is directly connected, management
L 143.16.191.45 255.255.255.255 is directly connected, management

Is there a way to integrate/combine the management routing table with the global routing table? Or at least make the two routing tables learn about each other?