topic If you're diligent about in Network Security

routes on cisco asa

cstpierre4 — Tue, 12 Mar 2019 07:02:31 GMT

Hello,

I have a question on routes on a cisco asa. I setup a firewall for internet for IT users. The firewall has a management interface that we use to manage it from specific jump servers.

The issue is that the IT Users need to access the mgmt(jump) servers.. But, they need to go through the firewall to the outside interface and then access the mgmt servers. But, the routes on the cisco asa are sending the traffic for the mgmt servers out the management interface to the mgmt servers causing asymmetric routing. The routes are needed for when you are on a mgmt server for the return traffic. Any way to get around this?

Is it bad mojo to use the outside(public ip space) to manage a cisco asa?

outside
I
I
Firewall <--- mgmt servers
I
I
IT Users

If you're diligent about

Marvin Rhoads — Wed, 16 Dec 2015 03:23:36 GMT

If you're diligent about watching the Security Advisories and keeping your ASA reasonably secured, management from outside can be done safely.

As far as the asymmetric routing, this has been a challenge for many an ASA admin. Are you aware that ASA 9.5 finally introduced a separate routing table (like a VRF) for the management interface to use? That may help you.

I have also seen implementations that dual home the management servers.Put their default route on the non-restricted subnet.

Ah thank you for the response

cstpierre4 — Wed, 16 Dec 2015 15:26:43 GMT

Ah thank you for the response.

Interesting about the 9.5 update. Thanks

I think I will look into the outside interface and investigate the 9.5 code upgrade.

Im running Version 8.6(1)2 and its a ASA5525. What version is recommended for this model?

Thanks.

Are you aware that ASA 9.5

Jon Marshall — Wed, 16 Dec 2015 16:30:25 GMT

Are you aware that ASA 9.5 finally introduced a separate routing table (like a VRF) for the management interface to use?

Well it's about time 🙂

Thanks for the info.

Jon