topic Hi Risseth, It doesnt allow in Network Security

Help! Transparent Firewalls Management in Multi Mode

atulp_31dacre — Tue, 12 Mar 2019 06:19:14 GMT

Hi ,

I have a cisco 5585 in multi mode and have 38 Transparent contexts configured and 2 routed contexts configured. I want to use a /24 subnet as a management subnet all the transparent firewalls and a separate /24 subnet for all Routed firewalls,I cannot find a example of how I can do this.. Lookingat Cisco docs it says Ihave to subinterface the Management Interface and provide a separate vlan under that subinterface. Does that mean I have to create 38 subinterface and 38 vlans on the ASA ? and also I have one vlan each created on the connecting switch one for Transparent and one for Routed firewalls. Will this be possible?. I am running OS 9.1(4) on the ASA. ie

Transparent fw1= 10.1.1.1/24

fw2= 10.1.1.2/24 etc etc

Same for routed

Hi, You can share the

Rishabh Seth — Thu, 23 Jul 2015 09:07:30 GMT

Hi,

You can share the management interface across all the contexts and then assign different IP addresses to the interface in each context.

Thanks,

R.Seth

Hi Risseth, It doesnt allow

atulp_31dacre — Thu, 23 Jul 2015 09:52:14 GMT

Hi Risseth,

It doesnt allow me to use management0/1 to be used in any other context after I have used it in contextA . In ASDm it doesnt show up as an interface I can assign once i've used it . Cisco's recommedation from looking at docs says I have to subinterface management0/1 to management0/1x etc etc and use that but when i do that it asks me for a vlan id to be configured under the new subinterfaces. I have a Vlanxxx for Transaparent management and a vlanyyy for Routed firewalls configured on the switch with Management 0/0 access port of vlan xxx and management 0/1 access port as vlan yyy. I tried this yesterday and it caused the ASA to reboot so was wondering if there is anyone out there who has managed to configure this.

I forgot to mention.. I have done this on a FWSM with no issues. - I guess because the vlans are already seen on the fwsm via the backplane 5gb connection whilst on the ASA they are physical interface that cannot be shared unless you subinterface them and apply a vlan to that subinterface but I want connecticvity to each firewall on the ASA using a /24 subnet which is what has been configured on the swith.

Hi,You can allocate same

Rishabh Seth — Thu, 23 Jul 2015 12:10:39 GMT

Hi,

You can allocate same interface to different contexts:

eg output:

ciscoasa(config)# sh run context

admin-context admin
context admin
config-url disk0:/tadmin.cfg
!

context a
allocate-interface Management0/1
config-url disk0:/ta.cfg
!

context b
allocate-interface Management0/1
config-url disk0:/tb.cfg
!

Then you can assign different IP addresses on the interface in each context:

Output from context A:

ciscoasa/a(config-if)# sh run interface
!
interface Management0/1
management-only
nameif mgmt
security-level 0
ip address 10.1.1.1 255.255.255.0

Output from context B:

ciscoasa/b(config-if)# sh run interface
!
interface Management0/1
management-only
nameif mgmt
security-level 0
ip address 10.1.1.2 255.255.255.0

Hope the above mentioned information will help you in setting up your network requirement.

Thanks,

R.Seth

Hi , Thanks for reply but

atulp_31dacre — Thu, 23 Jul 2015 13:16:13 GMT

Hi , Thanks for reply but that doesnt work in Transparent Firewalls see below

DC3-ASA-SDS(config)# context dc3-adreports<---transparent context1

allocate-interface management0/1

DC3-ASA-SDS(config-ctx)# context dc3-circulate<---transparent context2
DC3-ASA-SDS(config-ctx)# allocate-interface management0/1
ERROR: Interface management0/1 cannot be allocated to context. Interfaces cannot be shared in transparent mode.
DC3-ASA-SDS(config-ctx)#