topic So, disabled port on core in Network Security

Routing issues

Stacey Hummer — Tue, 12 Mar 2019 05:37:39 GMT

Good day,

I am having an issue with our new ASA. The issue has to do with routing. I had this post in the routing forum but someone said it would better suited for the firewall forum. I am going to put the link to my original question and answers to that question. Basically I need to know how to get the management interface out of my routing protocol but still be accessible by an address inside the "inside" range.

Currently I have a 3560 with 2 connection going to the ASA one is managment 10.2.0.246 and the other is Inside 10.3.0.10.

Unfortunately our IP addressing scheme on the network is of the 10.2.0.0/16 range, this includes switches and a router.

From the 3560 I am able to ping 10.3.0.10 when I do a simple ping. However when I go to another device including other switches I am not able to ping the 10.3.0.10 address. As well when I do an extended ping from the 3560 which has vlan 1 ip address of 10.2.0.2 and I use that ip for the extended ping it does not work. The port connect to the Inside port of the ASA is in no switchport and has 10.3.0.4 address attached to it.

https://supportforums.cisco.com/discussion/12449446/routing-issue-3560

Any help would be greatly appreciated.

Stacey

Hi Stacey. I posted a reply

Andre Neethling — Wed, 11 Mar 2015 21:06:32 GMT

Hi Stacey. I posted a reply to your other thread earlier. Just to clarify. Why do you need to manage the ASA from the management interface? If I can understand the requirement, then I can think about a work around for your scenario. I can see the issue. The ASA sees the 10.2.xx network as directly connected via management, so it will prefer that route to the static route with a higher metric.

Is there a specific reason why you can't manage your ASA via the inside interface?

What are the security-levels of your interfaces? Can you post your ASA config to review?

Andre,The only reason I'm

Stacey Hummer — Wed, 11 Mar 2015 21:16:20 GMT

Andre,

The only reason I'm managing the ASA from the management interface is that's what Cisco says to do. As well we have the sourcefire module with the defense center on a vm machine. I am unable to get it to setup management between the DC and the ASA. If I can use the "inside" interface for this then I will do that. Since I'm extremely new to the ASA I'm still trying to figure it all out.

Here is the config

XENA-ASA# show runn
: Saved
:
: Serial Number: FCH18507A3W
: Hardware:   ASA5525, 8192 MB RAM, CPU Lynnfield 2394 MHz, 1 CPU (4 cores)
:
ASA Version 9.2(2)4
!
hostname XENA-ASA
domain-name Name
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
dns-guard
ip local pool XENAVPN 10.200.0.1-10.200.10.254 mask 255.255.0.0
!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address x.x.x.118 255.255.255.248
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
nameif Management
security-level 90
ip address 10.2.0.246 255.255.0.0
!
interface GigabitEthernet0/7
nameif Inside
security-level 100
ip address 10.3.0.10 255.255.0.0
!
interface Management0/0
management-only
shutdown
no nameif
no security-level
no ip address
!
ftp mode passive
clock timezone MST -7
clock summer-time MDT recurring
dns domain-lookup Inside
dns server-group DefaultDNS
name-server 10.2.0.101
name-server 10.2.0.83
domain-name name.ORG
object network Admin-PC
range 10.2.30.0 10.2.30.254
object network XENA-2012-DS
host 10.2.0.101
description DS,DNS,DHCP
object network ZEUS
host 10.2.0.83
description DS,DNS
object network NTP-Server
host 10.2.0.211
description Linux NTP Server
object network Inside-Range-2
subnet 10.2.0.0 255.255.0.0
object network Inside-Range-3
subnet 10.3.0.0 255.255.0.0
object network Inside-Range-4
subnet 10.4.0.0 255.255.0.0
object network Inside-Range-5
subnet 10.5.0.0 255.255.0.0
object network Inside-Range-6
subnet 10.6.0.0 255.255.0.0
object network Inside-Range-7
subnet 10.7.0.0 255.255.0.0
object network Inside-Range-8
subnet 10.8.0.0 255.255.0.0
object network Inside-Range-9
subnet 10.9.0.0 255.255.0.0
object network Access-Outside
subnet 10.0.0.0 255.0.0.0
object network Mail
host 10.2.0.92
object service FromOutsideMail
service tcp source range 1 65535 destination eq smtp
object network InternalMail
host 10.2.0.92
description Mail Server
object network 115-Address
host x.x.x.115
description Original Outside Address
object network NETWORK_OBJ_10.200.0.0_20
subnet 10.200.0.0 255.255.240.0
object network Xena-Mail
host 10.2.0.92
object-group service Admin-Services
service-object tcp destination eq ssh
service-object tcp destination eq telnet
object-group service Inside-Services
service-object tcp destination eq ftp
service-object tcp destination eq www
service-object tcp destination eq https
service-object icmp
service-object tcp-udp destination eq www
object-group service Outside-Services
service-object icmp echo
service-object tcp destination eq ftp
service-object tcp destination eq www
service-object tcp destination eq https
object-group network Admin-Hosts
network-object object Admin-PC
object-group service Mail-Services
service-object tcp destination eq smtp
object-group service NTP-Services
service-object udp destination eq ntp
object-group network DNS-Servers
network-object object XENA-2012-DS
network-object object ZEUS
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_1
service-object icmp
service-object tcp-udp destination eq domain
object-group network All-Inside-networks
network-object object Inside-Range-2
network-object object Inside-Range-3
network-object object Inside-Range-4
network-object object Inside-Range-5
network-object object Inside-Range-6
network-object object Inside-Range-7
network-object object Inside-Range-8
network-object object Inside-Range-9
access-list Inside_access_in extended permit object-group DM_INLINE_SERVICE_1 object-group DNS-Servers any
access-list Inside_access_in extended permit object-group Inside-Services object-group All-Inside-networks any
access-list Inside_access_in extended permit object-group Mail-Services object Mail any
access-list global_access extended permit object-group NTP-Services object NTP-Server any
access-list global_access extended permit icmp 10.2.0.0 255.255.0.0 10.3.0.0 255.255.0.0
access-list global_access extended permit object-group TCPUDP object-group DNS-Servers any eq domain
access-list global_access extended deny ip any any
access-list Outside_access_in extended permit object-group Mail-Services any object 115-Address
access-list Outside_access_in extended permit tcp any object InternalMail eq smtp
access-list OutsideToInside extended permit tcp any host 10.2.0.92 eq smtp
pager lines 24
logging enable
logging trap informational
logging asdm warnings
mtu Outside 1500
mtu Management 1500
mtu Inside 1500
ip verify reverse-path interface Outside
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
arp permit-nonconnected
nat (Inside,Outside) source static any any destination static NETWORK_OBJ_10.200.0.0_20 NETWORK_OBJ_10.200.0.0_20 no-proxy-arp route-lookup
!
object network Access-Outside
nat (Inside,Outside) dynamic interface
object network Xena-Mail
nat (Inside,Outside) static x.x.x.115 service tcp smtp smtp
access-group OutsideToInside in interface Outside
access-group Inside_access_in in interface Inside
access-group global_access global
route Outside 0.0.0.0 0.0.0.0 x.x.x.113 1
route Inside 10.0.0.0 255.0.0.0 10.3.0.4 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
ldap attribute-map LDAP-Map
map-name memberOf IETF-Radius-Class
map-value memberOf "CN=Admin Users,DomainGroups,DC=xena,DC=org" DomainAdmin-Policy
dynamic-access-policy-record DfltAccessPolicy
aaa-server LDAP protocol ldap
aaa-server LDAP (Management) host 10.2.0.101
ldap-base-dn DC=DOMAIN,DC=ORG
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn adminanmee@xena.org
server-type microsoft
ldap-attribute-map LDAP-Map
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.0.0.0 255.0.0.0 Management
http 0.0.0.0 0.0.0.0 Outside
http redirect Outside 80
no snmp-server location
no snmp-server contact
crypto ipsec ikev1 transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-MD5 esp-des esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto ipsec ikev1 transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
crypto ipsec ikev1 transform-set ESP-DES-SHA esp-des esp-sha-hmac
crypto ipsec ikev2 ipsec-proposal DES
protocol esp encryption des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal 3DES
protocol esp encryption 3des
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES
protocol esp encryption aes
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES192
protocol esp encryption aes-192
protocol esp integrity sha-1 md5
crypto ipsec ikev2 ipsec-proposal AES256
protocol esp encryption aes-256
protocol esp integrity sha-1 md5
crypto ipsec security-association pmtu-aging infinite
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev1 transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
crypto dynamic-map SYSTEM_DEFAULT_CRYPTO_MAP 65535 set ikev2 ipsec-proposal AES256 AES192 AES 3DES DES
crypto map Outside_map 65535 ipsec-isakmp dynamic SYSTEM_DEFAULT_CRYPTO_MAP
crypto map Outside_map interface Outside
crypto ca trustpoint XENA-ASA
enrollment self
subject-name CN=XENA-ASA
proxy-ldc-issuer
crl configure
crypto ca trustpool policy
crypto ca certificate chain XENA-ASA
certificate 8882f754
    30820539 30820321 a0030201 02020488 82f75430 0d06092a 864886f7 0d010105
    0500302c 3111300f 06035504 03130858 454e412d 41534131 17301506 092a8648
    86f70d01 09021608 58454e41 2d415341 301e170d 31353033 30343232 31363434
    5a170d32 35303330 31323231 3634345a 302c3111 300f0603 55040313 0858454e
    412d4153 41311730 1506092a 864886f7 0d010902 16085845 4e412d41 53413082
    0222300d 06092a86 4886f70d 01010105 00038202 0f003082 020a0282 020100c0
    25671dbb a64e8a9b 4f1807ed 190b8aab 455714c1 4758d581 051d6762 2f75c547
    bdf202b0 d9d72199 db425da0 1f035cd3 a99f4457 120db43b cb050705 03bfb1ef
    5eee6ace d00d547c 59b5ce9a 1d3a0f2e cdc67230 2dcffb02 fa948550 b82a9c83
    25264a63 c1a27244 28884f96 184f5db4 f33f25d2 84f54230 9f3f0286 11fae916
    c925b084 7ea44fb8 bede54bb 67bfd38e 20899825 8e7be83c 87b750a5 c4a2d5cd
    1cccc818 a852f2cb 932395d8 5cada870 fc3fe7de 4cc2c704 3225e7b1 4d251c5a
    c520ad26 610ff273 790748f5 0bb37823 bbf9f601 e84aff4d 6180c23d 045f9202
    3b18ed4a a76c6307 0e83a003 f9aa4124 742a3dff 65a80cd6 be972d6a 47f21ca3
    42cb8a78 8ce2fca7 e1ab5bac 019d516d dd09933f f9b9c211 b2bf2f95 1dd60be6
    d4ef5763 5efd0ad4 dfb31c57 0a4cbad4 da9b6205 442abe16 8d3361ef bbdd60f1
    dbe95163 a8f3ff41 e2ed0595 0a0f5ab4 6f03d9ed 1c5734da f33ef697 b1668340
    597c6b78 d51ee90e eed80b71 70fb4960 2e2c95aa 683a983c ff7765c7 64153e32
    b6b9ea33 d7833c66 222252b8 b66924c9 db040783 dde023a5 ac55d923 3c0982d9
    edb8b01b 2cf1c14e 35248bc0 e0545da4 fb5c53f5 394c5d3a 1a3d7347 22417874
    30eb6306 072f961f 79a84db1 4b1f436d 914966ef 32dc5c08 df1d7912 1d0535de
    cbb8c496 387b5552 2cb2d630 d11446e1 20669f1f 21d13179 d5f14782 23360d02
    03010001 a3633061 300f0603 551d1301 01ff0405 30030101 ff300e06 03551d0f
    0101ff04 04030201 86301f06 03551d23 04183016 8014f353 f7d1a0af 592858aa
    55d0867b 7aa19e1b 7a9c301d 0603551d 0e041604 14f353f7 d1a0af59 2858aa55
    d0867b7a a19e1b7a 9c300d06 092a8648 86f70d01 01050500 03820201 008cc869
    06aca621 beafa23d d902f7d9 0f1ce6a2 349c836b 89449c38 d4bc7ccc 8085145d
    5c0466e4 f8561522 dbee5cd5 e9e0f364 c262ddf8 cacae3c0 3aa64d90 a595ea88
    81827e98 2bade67f ba9654f9 d987ef5e 9239decf e97165f7 3f27431b 930b5dae
    7717177e af0b9a0c 44c5bc8a f479cd2a 1c838034 c156f568 eb8bfafa 1e3f2de0
    ab57bc7d adb31bd1 4dafcc4a 20dd57ee eb001816 cedb07e8 3ae664f6 96b8b353
    311a28d0 ae8024a1 5306ff39 d5bf1cea a55ecad0 4f0670f1 57b48614 4cea902f
    78cf314f d6a26dec f2b53b7d 75c8735e f7127010 3039e288 8c925622 d45232db
    679d023c 8507c0be bf9116bc 44191f3e eebea228 bbd28f18 005bc4ee 5070be13
    ef75df16 98ed0064 61f7ffca beb39a56 358c8658 33f6a6e1 0b51370c 70831b09
    6534d635 92f27b75 0cc95ef3 3164e4fe a1ede657 28dd05d1 ba5cf9a9 1b352178
    0b95469d ef20e6ce 367ff30a 09317516 a76a337d 2d8dade8 486bdb13 03d2bdaf
    6e57b830 41702ab8 37a37fbb 23bb5df9 6f32c6ca 9b66340b 8af4a491 f3ec7af3
    363c936a 031e447e e35af21a ca090f08 f2a21026 e1d81e7c ead49ab6 f4bca486
    6bd9e125 79e9f231 fef76dab 801863a4 91012595 b1a0e9fe 453619c4 9d217c34
    83b4c749 d716a621 b31fff16 63df255c da61ba22 88ebe19c 7cf4a2ab def107ab
    8b04ef0e 8c9e14c1 561638fc 750b2e7a 047cd801 59a49299 e0a7af39 82
quit
crypto ikev2 policy 1
encryption aes-256
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 10
encryption aes-192
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 20
encryption aes
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 30
encryption 3des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 policy 40
encryption des
integrity sha
group 5 2
prf sha
lifetime seconds 86400
crypto ikev2 remote-access trustpoint XENA-ASA
crypto ikev1 policy 10
authentication crack
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 20
authentication rsa-sig
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 30
authentication pre-share
encryption aes-256
hash sha
group 2
lifetime 86400
crypto ikev1 policy 40
authentication crack
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 50
authentication rsa-sig
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 60
authentication pre-share
encryption aes-192
hash sha
group 2
lifetime 86400
crypto ikev1 policy 70
authentication crack
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 80
authentication rsa-sig
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 90
authentication pre-share
encryption aes
hash sha
group 2
lifetime 86400
crypto ikev1 policy 100
authentication crack
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 110
authentication rsa-sig
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 120
authentication pre-share
encryption 3des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 130
authentication crack
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 140
authentication rsa-sig
encryption des
hash sha
group 2
lifetime 86400
crypto ikev1 policy 150
authentication pre-share
encryption des
hash sha
group 2
lifetime 86400
telnet timeout 5
ssh stricthostkeycheck
ssh 10.0.0.0 255.0.0.0 Management
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 10.2.0.211 source Inside prefer
ssl encryption aes128-sha1 aes256-sha1 3des-sha1 dhe-aes128-sha1 dhe-aes256-sha1
ssl trust-point XENA-ASA Outside
webvpn
enable Outside
anyconnect-essentials
anyconnect image disk0:/anyconnect-win-3.1.07021-k9.pkg 1
anyconnect profiles Xena disk0:/xena.xml
anyconnect enable
tunnel-group-list enable
group-policy DfltGrpPolicy attributes
dns-server value 10.2.0.101 10.2.0.83
vpn-tunnel-protocol ikev1 ikev2 l2tp-ipsec ssl-client ssl-clientless
default-domain value NAME.ORG
address-pools value XENAVPN
webvpn
anyconnect ask none default anyconnect
group-policy GroupPolicy_XENA-VPN-Anyconnect internal
group-policy GroupPolicy_XENA-VPN-Anyconnect attributes
wins-server none
dns-server value 10.2.0.101 10.2.0.83
vpn-tunnel-protocol ikev2 ssl-client
address-pools value XENAVPN
webvpn
anyconnect ask none default anyconnect
group-policy XENA-VPN internal
group-policy XENA-VPN attributes
wins-server none
dns-server value 10.2.0.101 10.2.0.83
vpn-tunnel-protocol ssl-client
default-domain none
webvpn
anyconnect profiles value Xena type user
anyconnect ask none default anyconnect
username stacey password 5jbdwdD9YC.EMGvn encrypted privilege 15
tunnel-group DefaultWEBVPNGroup general-attributes
authentication-server-group LDAP
tunnel-group XENA-VPN-Anyconnect type remote-access
tunnel-group XENA-VPN-Anyconnect general-attributes
address-pool XENAVPN
default-group-policy XENA-VPN
tunnel-group XENA-VPN-Anyconnect webvpn-attributes
group-alias XENA-VPN-Anyconnect enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect ip-options
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect http
inspect icmp
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly 2
subscribe-to-alert-group configuration periodic monthly 2
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:8fc09599beb71fb9bfacadb706a82d2a
: end

Ok. So what you have

Andre Neethling — Wed, 11 Mar 2015 21:39:39 GMT

Ok. So what you have inadvertently created is an asymmetric routing scenario. Try this............ make the security level of the management interface 100. Then permit same-security traffic between interfaces in the global config. I don't know if the State Table will be happy with that.........

You can try to send the management traffic via the inside interface. That's always an option.

Just to test........ Try to unplug the cable between the management interface and see what happens 🙂

So, disabled port on core

Stacey Hummer — Wed, 11 Mar 2015 21:59:19 GMT

So, disabled port on core that connects to Management port, image that I can now ping the 10.3.0.10 address. However I cannot manage the ASA. I enable both at 100 and check off that same level security can talk to each other.... But unless I make the port management only I am not sure how to allow management traffic on it?

To manage the ASA from the

Andre Neethling — Wed, 11 Mar 2015 22:49:52 GMT

To manage the ASA from the inside interface enter the below commands

ssh 10.0.0.0 255.0.0.0 inside

http 10.0.0.0 255.0.0.0 inside

So, I've shutdown the

Stacey Hummer — Thu, 12 Mar 2015 01:30:57 GMT

So, I've shutdown the management interface (shutdown port on core). It now lets me connect briefly to both SSH and ASDM then resets the connection. It does after a brief 5-10 seconds connects back up again but then does about the same amount of time being connected.... Got any idea what I should be looking for?

Once again you guys have been great.

Thanks

Stacey

HI Stacey. Can you post the

Andre Neethling — Thu, 12 Mar 2015 06:53:37 GMT

HI Stacey. Can you post the results of "show log" from both the ASA and switch?

As noted before, in this thread and the other one. I think you have a subnet mask mismatch on your ASA inside interface. The ASA thinks (due to the interface config) that 10.3.0.0/16 is directly connected to the inside interface. But it is not. Some of those networks are behind your core switch. Try to change your ip address on your inside interface on the ASA to "ip address 10.3.0.0 255.255.255.0"

Hi StaceyDid a bit more

Jon Marshall — Thu, 12 Mar 2015 11:31:31 GMT

Hi Stacey

Did a bit more reading on this and basically it still appears to be the same.

As Andre has suggested it would be better to use the inside interface for managing the ASA if you want to be able to access the ASA from any internal subnet.

Where the management interface would be useful is if you have a truly separate network for managing your devices ie. separate switches etc.

I checked the 9.1 configuration guide and it still says you cannot access the management interface via another interface unless you use a VPN which I don't think is what you want to do.

The main issue is the management interface doesn't support through traffic.

So when you tried to ping originally in your other post the ping arrived on the inside interface but then the ASA tried to send it back via the management interface which it couldn't do. And if you try to connect to the management port the ASA tries to route it back via the inside interface which again doesn't work.

The only way you could use the management interface was as I said either connect from an IP in the management subnet or a subnet that you can add a route to the ASA pointing back out of the management interface.

But obviously this couldn't be any of your user vlans because you need those routed via the inside.

I wouldn't worry about it too much, I have always managed the firewalls using the inside interface because of this very routing issue.

Jon

I did change that yesterday

Stacey Hummer — Thu, 12 Mar 2015 13:51:36 GMT

I did change that yesterday before shutting down the management interface. However that didn't fix the issue. I did a ping for 1000 times this morning from the ASA to the 10.2.0.2 ip address min/avg/max = 1/94/860 ms. considering they are directly connected I would think this is an issue. There is nothing in the ASA log, but here is the core log.

nt, src 10.2.0.2, dst 10.3.0.10, topology BASE, dscp 0 topoid 0
Mar 12 06:33:45.185 MNT: ICMP: echo reply sent, src 10.2.0.2, dst 10.3.0.10, topology BASE, dscp 0 topoid 0
Mar 12 06:33:45.185 MNT: ICMP: echo reply sent, src 10.2.0.2, dst 10.3.0.10, topology BASE, dscp 0 topoid 0
Mar 12 06:33:45.764 MNT: ICMP: echo reply sent, src 10.2.0.2, dst 10.3.0.10, topology BASE, dscp 0 topoid 0
Mar 12 06:33:45.806 MNT: ICMP: echo reply sent, src 10.2.0.2, dst 10.3.0.10, topology BASE, dscp 0 topoid 0
Mar 12 06:33:45.814 MNT: ICMP: echo reply sent, src 10.2.0.2, dst 10.3.0.10, topology BASE, dscp 0 topoid 0
Mar 12 06:33:45.823 MNT: ICMP: echo reply sent, src 10.2.0.2, dst 10.3.0.10, topology BASE, dscp 0 topoid 0
Mar 12 06:33:45.823 MNT: ICMP: echo reply sent, src 10.2.0.2, dst 10.3.0.10, topology BASE, dscp 0 topoid 0
Mar 12 06:33:45.831 MNT: ICMP: echo reply sent, src 10.2.0.2, dst 10.3.0.10, topology BASE, dscp 0 topoid 0
Mar 12 06:33:46.662 MNT: ICMP: echo reply sent, src 10.2.0.2, dst 10.3.0.10, topology BASE, dscp 0 topoid 0
Mar 12 06:33:46.704 MNT: ICMP: echo reply sent, src 10.2.0.2, dst 10.3.0.10, topology BASE, dscp 0 topoid 0
Mar 12 06:33:46.712 MNT: ICMP: echo reply sent, src 10.2.0.2, dst 10.3.0.10, topology BASE, dscp 0 topoid 0
Mar 12 06:33:46.721 MNT: ICMP: echo reply sent, src 10.2.0.2, dst 10.3.0.10, topology BASE, dscp 0 topoid 0
Mar 12 06:33:46.729 MNT: ICMP: echo reply sent, src 10.2.0.2, dst 10.3.0.10, topology BASE, dscp 0 topoid 0
Mar 12 06:33:46.729 MNT: ICMP: echo reply sent, src 10.2.0.2, dst 10.3.0.10, topology BASE, dscp 0 topoid 0
Mar 12 06:33:46.737 MNT: ICMP: echo reply sent, src 10.2.0.2, dst 10.3.0.10, topology BASE, dscp 0 topoid 0
Mar 12 06:33:47.367 MNT: ICMP: echo reply sent, src 10.2.0.2, dst 10.3.0.10, topology BASE, dscp 0 topoid 0
Mar 12 06:33:47.409 MNT: ICMP: echo reply sent, src 10.2.0.2, dst 10.3.0.10, topology BASE, dscp 0 topoid 0
Mar 12 06:33:47.417 MNT: ICMP: echo reply sent, src 10.2.0.2, dst 10.3.0.10, topology BASE, dscp 0 topoid 0
Mar 12 06:33:52.470 MNT: ICMP: redirect sent to 10.2.0.101 for dest 10.8.2.11, use gw 10.2.0.3
Mar 12 06:33:54.156 MNT: ICMP: redirect sent to 10.2.0.83 for dest 10.8.2.11, use gw 10.2.0.3
Mar 12 06:33:56.674 MNT: ICMP: redirect sent to 10.2.0.162 for dest 10.3.2.2, use gw 10.2.0.3
Mar 12 06:34:04.035 MNT: ICMP: redirect sent to 10.2.0.162 for dest 10.8.0.13, use gw 10.2.0.27
Mar 12 06:34:06.687 MNT: ICMP: redirect sent to 10.2.0.162 for dest 10.3.2.2, use gw 10.2.0.3
Mar 12 06:34:21.702 MNT: ICMP: redirect sent to 10.2.0.162 for dest 10.3.2.2, use gw 10.2.0.3
Mar 12 06:34:37.790 MNT: ICMP: redirect sent to 10.2.0.101 for dest 10.8.0.12, use gw 10.2.0.27
Mar 12 06:34:41.978 MNT: ICMP: redirect sent to 10.2.0.96 for dest 10.8.5.14, use gw 10.2.0.26
Mar 12 06:34:42.708 MNT: ICMP: redirect sent to 10.2.0.162 for dest 10.8.5.14, use gw 10.2.0.26
Mar 12 06:34:44.236 MNT: ICMP: redirect sent to 10.2.0.162 for dest 10.3.2.2, use gw 10.2.0.3
Mar 12 06:34:54.248 MNT: ICMP: redirect sent to 10.2.0.162 for dest 10.3.2.2, use gw 10.2.0.3
Mar 12 06:35:09.263 MNT: ICMP: redirect sent to 10.2.0.162 for dest 10.3.2.2, use gw 10.2.0.3
Mar 12 06:35:14.894 MNT: ICMP: redirect sent to 10.2.0.101 for dest 10.3.6.22, use gw 10.2.0.3
Mar 12 06:35:16.136 MNT: ICMP: redirect sent to 10.2.0.101 for dest 10.8.0.14, use gw 10.2.0.27
Mar 12 06:35:31.906 MNT: ICMP: redirect sent to 10.2.0.101 for dest 10.8.0.11, use gw 10.2.0.27
Mar 12 06:35:44.160 MNT: ICMP: redirect sent to 10.2.0.101 for dest 10.8.0.15, use gw 10.2.0.27
Mar 12 06:35:46.787 MNT: ICMP: redirect sent to 10.2.0.101 for dest 10.3.4.11, use gw 10.2.0.3
Mar 12 06:35:54.063 MNT: ICMP: redirect sent to 10.2.0.101 for dest 10.8.2.11, use gw 10.2.0.3
Mar 12 06:36:04.126 MNT: ICMP: redirect sent to 10.2.0.162 for dest 10.8.0.13, use gw 10.2.0.27
Mar 12 06:36:05.964 MNT: ICMP: redirect sent to 10.2.0.83 for dest 10.8.0.12, use gw 10.2.0.27
Mar 12 06:36:06.468 MNT: ICMP: redirect sent to 10.2.0.83 for dest 10.8.0.12, use gw 10.2.0.27
Mar 12 06:36:17.974 MNT: ICMP: redirect sent to 10.2.0.83 for dest 10.8.2.11, use gw 10.2.0.3

I obviously have debug on for icmp.

*** Update, I've been logged into the ASDM for 20 minutes without and reset connections. It seems it needed a little time to settle down. Hopefully the problem is solved. Now I have to connect the SFR defense center to the ASA which isn't work as well. It's a good thing I really like the ASA or I would just stick with the Juniper we have now 😉 . Just kidding...

Stacey