topic management on asa in Network Security

management on asa

suthomas1 — Tue, 12 Mar 2019 02:11:25 GMT

Hi,

the management vlan on a network needs to be created on the asa. is this feasible?

how easy would it be to do this?

the network topology is as;

WAN >> ASA >> Core Switch >> Edge Switches

DMZ

the DMZ is attached to ASA.

how should we go about creating our network management vlan on the firewall.

Appreciate all help. thanks.

management on asa

Marvin Rhoads — Fri, 12 Jul 2013 13:25:54 GMT

Just build a new zone off of its own interface. Assign it a security level and access-lists consistent with what you want it to be able to reach.

management on asa

suthomas1 — Fri, 12 Jul 2013 15:29:00 GMT

thanks.

so assume i build an interface on the asa as below;

int gig0/0

nameif MGT

security-level 50

ip address 192.168.100.1 255.255.255.0

now the edge & core switches will be assigned an ip from this range, eg, 192.168.100.5 for core switch.

the link between firewall and core switch will be a layer 3 port channel.

if i have to define the mgmt ip on the core and edge switches, what vlan should i be using for them on the switches.

can i use following configs on the core & edge switch for mgmt interface;

( using vlan 100 for mgmt interface on the switches)

int vlan 100

ip addr 192.168.100.5 255.255.255.0

is this correct. appreciate all help.

management on asa

Julio Carvajal — Fri, 12 Jul 2013 17:56:17 GMT

Hello Suthomas,

All that matters is that the Vlan you will set on this devices is a dedicated vlan for managment purposes where if a user on a different user wants to reach that vlan it must be routed through a L3 device where you can filter the traffic,etc.

You can use vlan 100 or whatever vlan you want That will not affect anything, just remember to use a dedicated vlan just for the managment traffic.

For Networking Posts check my blog at http://laguiadelnetworking.com/

Cheers,

Julio Carvajal Segura

management on asa

Marvin Rhoads — Fri, 12 Jul 2013 21:41:47 GMT

If you give the management VLAN its own physical interface, then the ASA is the gateway for that VLAN and it must have a connected Layer 2 spanning tree to all the other hosts (or SVIs) on that same VLAN. If you are using a layer 3 portchannel from your switches to the ASA, that is not a setup in which you would use a dedicated interface.

You didn't mention - is your ASA a 5505 with built-in switch or higher model without that feature?

management on asa

suthomas1 — Sat, 13 Jul 2013 10:43:23 GMT

thanks, the ASA is a 5585X with about 8 gig ports & 4 10gig ports.

So,can i please request how to actually configure this in my network with a small sample configuration for my understanding.

Thanks in advance.

Re: management on asa

Marvin Rhoads — Sat, 13 Jul 2013 13:34:26 GMT

Assuming you want your ASA to be the gateway for your management VLAN and assuming you want the same management network for your managed devices and management systems, you would most likely use a subinterface on the ASA-core switch.

Working from those assumptions, currently ASA - inside interface - core switch is a plain routed interface on the ASA. It would change to:

int gi0/0

description Trunk interface for Inside and management

no nameif

no ip address

no security-level

int gi0/0.1

nameif inside

description Inside VLAN subinterface

vlan

ip address

security level 0

no shut

int gi0/0.2

nameif management

description Management VLAN subinterface

vlan 100

ip address 192.168.100.1 255.255.255.0

security level 10

no shut

Your core switch would change it's interface facing the ASA from an access port to a trunk. You would ensure that VLANs for production (VLAN of current traffic) and management traffic (VLAN 100) were allowed on the trunk.

If you want non-management network devices and systems to talk to the management network, you'll need to add routing and potentially access-list bits to accomodate that.

management on asa

suthomas1 — Mon, 15 Jul 2013 03:10:59 GMT

Thanks Marvin.

How should i configure the core switch interface with ASA. will a Portchannel be ok between them ? i was thinking of using a Layer3 Portchannel for routing purpose.

if i use trunk , how would the configuration look like, as we intend to use two ports on either side of ASA & Core switch to interface this link.

Appreciate all help.

Re: management on asa

Marvin Rhoads — Mon, 15 Jul 2013 13:40:31 GMT

Your switch can use a simple Layer 2 trunk. If you want to add multiple links and use an Etherchannel, I'd still stick with Layer 2. If you go Etherchannel (Layer 2 or layer 3), your ASA configuration will have to take that into account.

The ASA configuration guide steps you through all of the various steps and considerations in setting up an Etherchannel here.