topic Re: Management Port routing issue on ASA5525x in Network Security

Management Port routing issue on ASA5525x

jpeterson6 — Tue, 12 Mar 2019 00:48:54 GMT

Hi,

I've got a client with a Management Port set up for Out-of-Band management. Here's the configuration of the interface and some relevant static routes:

interface Management0/0

description MGT

speed 100

duplex full

nameif Mgt

security-level 100

ip address 10.38.100.20 255.255.255.0 standby 10.38.100.21

management-only

route inside 10.0.0.0 255.0.0.0 10.38.103.1

route Mgt 10.48.0.0 255.255.0.0 10.38.100.254

The route through Mgt interface is required as my client accesses the device from a subnet that isn't local to M0/0.

Unfortunately, now any traffic originating from outside and destined to 10.48.0.0/16 is choosing the Mgt interface. I had thought that the 'management-only' keyword prevents this from happening (traffic traversing between interfaces).

There is a broad scope of /16 addresses on the 'inside' so just swapping destinations won't work (the client wants to avoid a routing table with 50+ static entries, understandably)

My temporary solution was to do this:

route inside 10.0.0.0 255.128.0.0 10.38.103.1

route inside 10.128.0.0 255.128.0.0 10.38.103.1

route Mgt 10.0.0.0 255.0.0.0 10.38.100.254

What would be the best setup in this situation?

If 'management-only' doesn't prevent traffic from using the Mgt interface, what is the point of the command?

Re: Management Port routing issue on ASA5525x

Michal Garcarz — Sat, 19 Jan 2013 13:49:15 GMT

You are absolutely right about "managent-only" command. It does not allow for transit traffic (routing).

I have it in my lab. Tested in both directions:

1. When received traffic from any other interface and destination was thru management-only interface

%ASA-4-418001: Through-the-device packet to/from management-only network is denied: icmp src inside:2.2.2.10 dst outside:3.3.3.3 (type 8, code 0)

2. When received traffic from management-only interface and destination was thru any other interface:

%ASA-4-418001: Through-the-device packet to/from management-only network is denied: icmp src outside:1.1.1.10 dst inside:3.3.3.3 (type 8, code 0)

So - it works as expected. That interface should never route packets.

Are you sure it's working as you described ? DId you capture traffic ? Did you verify that in logs, nat and conn tables ?

If yes you might hit a bug. What version of ASA do you use ?

---

Michal

Management Port routing issue on ASA5525x

jpeterson6 — Tue, 29 Jan 2013 20:11:39 GMT

Sorry for the late response. I got tied up with some other clients and was quite busy for awhile.

I am getting the denied packets as you specified. The issue is the fact that it's even trying to use the Management Interface to begin with in its routing decisions.

I think it was probably just a misunderstanding on my part. I had thought that the keyword 'management-only' would remove the option to use it as a destination interface for routing decisions.