topic Just checking to see if you in Network Security

Enable management port ASA 5525?

alter-sol — Tue, 12 Mar 2019 09:22:33 GMT

Sorry for such a rookie question. Kinda new at ASA's. I'm doing some basic configurations on an ASA that I'm getting remote access to. The ASA's management interface is connected to a 10.10.10.0/24 network and I'm coming in on a VPN connection with 10.10.20.0/24 address.

I've configured the interface.

interface Management0/0
management-only
nameif management
security-level 100
ip address 10.10.10.10 255.255.255.0

I'm confused on the routing piece to allow traffic from vpn subnet to the management interface. I'm sure it's something really simple.

http 10.10.20.0 255.255.255.0

Spooster IT Services — Tue, 16 May 2017 14:22:16 GMT

http 10.10.20.0 255.255.255.0 management

ssh 10.10.20.0 255.255.255.0 management

telnet 10.10.20.0 255.255.255.0 management

management-access management

You also need to allow traffic in ACL that is used for VPN to define interested traffic on both end.

Can you post the VPN config so that I can assist you to do changes in ACL.

Thanks for the assistance!

alter-sol — Tue, 16 May 2017 17:20:39 GMT

Thanks for the assistance!

The vpn configuration is on another firewall giving me access to the 10.10.10.0 network. When I do an ipconfig/all from laptop with the vpn running my vpn virtual adaptor gives me an address on the 10.10.20.0 network I'm assuming a route needs to be created for this to work.

Just checking to see if you

alter-sol — Wed, 17 May 2017 15:38:45 GMT

Just checking to see if you have any further suggestions on this. Still can't quite figure out how to get access to that management interface. Thanks again for your suggestions.

It is most likely lack of a

Marvin Rhoads — Thu, 18 May 2017 02:30:34 GMT

It is most likely lack of a route on the ASA whose management interface you are trying to access. In most versions of ASA software (anything prior to 9.6) there is only a single routing table. If you have devices trying to access the management interface from anywhere not directly connected, the ASA will use that global routing table to determine the correct egress interface. It does not allow traffic to ingress on management and egress via a different interface.

Can you share the "show route" output from your ASA whose management interface you are trying to access?

Gateway of last resort is not

alter-sol — Thu, 18 May 2017 12:21:22 GMT

Gateway of last resort is not set

C 10.10.10.0 255.255.255.0 is directly connected, management
L 10.10.10.10 255.255.255.255 is directly connected, management

The ASA would need a route to

Marvin Rhoads — Thu, 18 May 2017 15:26:03 GMT

The ASA would need a route to the 10.10.20.0 subnet where your VPN client's traffic originates from. If there's no other reason that ASA needs to reach that subnet it is fine to just add one thus:

route management 10.10.20.0 255.255.255.0 <gateway address>

If there are other reasons (besides management) why traffic through that ASA may need to reach that subnet then you need a more advanced solution that we can discuss if that is the case.

I actually tried this already

alter-sol — Thu, 18 May 2017 17:26:02 GMT

I actually tried this already and it didn't work. I'm assuming what they are telling is the gateway of the non-production environment is incorrect because I never been able to web to the interface with that route in place.

If you cannot get the routing

Marvin Rhoads — Fri, 19 May 2017 04:04:56 GMT

If you cannot get the routing for the managemnt interface fixed, you will either have to

1. use another interface for management or

2. run ASA 9.5(1) or later with the ability to use a separate management routing table. Reference:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/route-overview.html#reference_F02E984EE51F49F5B979DE3ED9239EEE