topic Did you set the ACL on the in Network Security

ASA - Configuring The Management Interface

petenixon — Tue, 12 Mar 2019 05:56:45 GMT

Hi all,

I'm having problems configuring the management/inside interface for management access,hoping someone can take a look and spot what it is i'm missing:

Inside & management interface connect to a layer 3 switch in vlan 31 which trunks to the core on 10.31.254.252 vlan 31.

Current config:

gi0/1.31
ip address 10.31.250.10 255.255.0.0
nameif inside-core
vlan 31
security-level 100

m0/0
management-only
no ip address
no nameif
security-level 100

ips module:
10.31.250.12 255.255.0.0 10.31.250.10

remote server:
10.30.181.1 255.255.0.0

access-lists are allowing anything, no nat.

I think the issue relates to the two switchports that the interfaces are connected to, it seems to me that when they are in the same vlan, the module ignores the default gateway and exits through the management interface, when they aren't in the same vlan it just doesn't work.

The IPS-module and the ASA

Karsten Iwen — Thu, 14 May 2015 21:23:30 GMT

The IPS-module and the ASA share a physical management-interface but have different management-settings.

If you want to have your IPS-module in the inside-network of the ASA, then the IP in your example is ok, but the default-gateway of the module has to be the IP of the L3-switch in VLAN 31 (10.31.254.252). Your ASA won't be able to route the traffic back without dirty tricks.

Thanks for the reply Karsten

petenixon — Fri, 15 May 2015 09:02:31 GMT

Thanks for the reply Karsten.

The solution I have in my mind would be to add another inside network and nat the management traffic on to that subnet, which would (i think) solve my problem...

Seems unnecessary complex to

Karsten Iwen — Fri, 15 May 2015 09:29:05 GMT

Seems unnecessary complex to use an additional interface and NAT. Why do you think that the regular way won't work?

It hasn't previously! :)I

petenixon — Fri, 15 May 2015 10:03:43 GMT

It hasn't previously! 🙂

I have previously had the default gateway set as the Layer 3 device as you suggested, but I wasn't able to connect to the ips module from the remote server.

I've convinced myself that the problem lies with the ASA config, but maybe I should spend more time looking at either the server or other areas of the network and keep the config as above (changing the default gateway of the IPS)?

Did you set the ACL on the

Karsten Iwen — Fri, 15 May 2015 11:17:39 GMT

Did you set the ACL on the IPS-module to allow the remote-server to connect?

Hi Karsten,Thanks again for

petenixon — Fri, 15 May 2015 13:10:18 GMT

Hi Karsten,

Thanks again for coming back to me, it is very much appreciated.

The IPS module is a sourcefire module and doesn't have any ACL config (as far as I can tell).

The full config I am working with at the moment is:

interface GigabitEthernet0/1.31
vlan 31
nameif inside
security-level 100
ip address 10.31.250.10 255.255.0.0
!
interface Management0/0
management-only
no nameif
no security-level
no ip address
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object network SFR2
host 10.31.250.12
object network SFR-SERVER
host 10.30.181.1
object service SFR-MGMT
service tcp destination eq 8305
object service SFR-HI-PORTS
service tcp source eq 8305 destination range 1 65535
!
object-group service SFR-HIGH-PORTS
service-object object SFR-HI-PORTS
access-list global_access extended permit ip any any
access-list inside-core_access_in extended permit ip object SFR2 object SFR-SERVER
access-list inside-core_access_in extended permit ip object SFR-SERVER object SFR2
access-list inside-core_access_in extended permit udp object SFR2 any eq ntp
access-list inside-core_access_in extended permit udp any object SFR2 eq ntp
access-list inside-core_access_in extended permit object-group SFR-HIGH-PORTS object SFR2 object SFR-SERVER
access-list global_access_1 extended permit ip object SFR2 any
!
access-group inside-core_access_in in interface inside
access-group global_access_1 global
!
http server enable
http 0.0.0.0 0.0.0.0 inside
sysopt connection timewait
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map sfr-global-class
match any
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class sfr-global-class
sfr fail-open

With the config above, I can ping the gateway, the remote server and resolve the server FQDN, but can't add the module to the server.

With that in mind, and logically speaking, this must point to a problem with either the server or elsewhere in the network?

I eventually found what was

petenixon — Mon, 01 Jun 2015 15:39:10 GMT

I eventually found what was causing the problem. The sourcefire module was dropping traffic as it entered the ASA....