topic ASA 5512 Management in Network Security

ASA 5512 Management

avilt — Tue, 12 Mar 2019 02:29:52 GMT

I have got a new ASA 5512 appliance for VPN. Is the managament interface on this applaicne is out of band? Thta is: can I use this interface exclusively for administration of the appliance?

ASA 5512 Management

Marvin Rhoads — Fri, 23 Aug 2013 14:19:55 GMT

You can manage an ASA 5512 via any interface (assuming the rules are setup to allow it). It also has a serial console port for direct hardware access.

The best practice is to use the Management 0/0 Ethernet interface designed for that purpose but it's not required. By default the M0/0 port is used.

The appliance should have come with a quick start guide but here a link to it:

http://www.cisco.com/en/US/docs/security/asa/quick_start/5500X/5500x_quick_start.html

ASA 5512 Management

Marius Gunnerud — Fri, 23 Aug 2013 17:14:50 GMT

The management port on the ASAs are completely out of band. Even if you put the ASA into multiple context, where the configuration of the ASA will be removed and placed in a file config.old, the managment interface will remain and you will still have access to the ASA through this port. Just keep in mind that the managment port is not a Gig port and only supports 10/100 speed.

Re: ASA 5512 Management

avilt — Sat, 24 Aug 2013 02:31:07 GMT

So where do I define the default gateway? Do I need a separate gateway for the management alone like ILOM in Solaris?

Re: ASA 5512 Management

Marvin Rhoads — Sat, 24 Aug 2013 02:54:03 GMT

It's similar to that yes - you do it with a (static) route statement associated with the nameif (usually Management = default) you've assigned under the interface Management 0/0 sections of the configuration.

Say your inside network is all in the 10.0.0.0/8 range. In that case, you would enter:

route Management 10.0.0.0 255.0.0.0

Issues can arise if you aren't running a dynamic routing protocol on the ASA's inside interface (whcich probably more than half of the customers I've seen doing since the ASA is not nearly as capable at routing as a "real" router) and you already have a similar route statement on the Inside interface.

When that's the case, many engineers just throw up their hands and manage the ASA via the inside interface. Depending on your routing setup, there are usually work arounds that can be put in place with a bit of thought and planning.

Re: ASA 5512 Management

avilt — Sat, 24 Aug 2013 03:23:34 GMT

Please clarify. Can I add default gateway at two places, one for management side (like ILOM) and one for ASA (firewall traffic like system NIC tcp/ip default gateway)?

ASA 5512 Management

Marvin Rhoads — Sat, 24 Aug 2013 03:38:06 GMT

You don't typically put a default gateway on the management port but rather a static network route.

How you build that plus the routes out the inside vary according to your network environment and can't be answered in the specific without more detailed information about your network design.

ASA 5512 Management

Marius Gunnerud — Sat, 24 Aug 2013 06:05:06 GMT

As Marvin has mention earlier, you would configure a static route pointing out the managment interface. the default gateway would not point out the management interface as this is used to gain access to networks that are unknown...aka internet.

route managment 10.1.1.0 255.255.255.0 192.168.1.1

You would also need to define what addresses are allowed to manage the ASA device as well as what protocol they can use to manage the device. (if you haven't enabled the management protocols on the ASA, you will have to do that also)

ssh 10.1.1.0 255.255.255.0 inside

http 10.1.1.0 255.255.255.0 inside

ASA 5512 Management

avilt — Sat, 24 Aug 2013 06:37:18 GMT

Understood, in that case I can not call the management interface out of band. Am I right?

Re: ASA 5512 Management

Marius Gunnerud — Sat, 24 Aug 2013 07:09:54 GMT

The managment interface is out of band and unless you specify otherwise it can not be used for anything other than management traffic.