topic ASA5520 - Management0/0 Telnet/SSH/Ping Access in Network Security

ASA5520 - Management0/0 Telnet/SSH/Ping Access

Robert Ho — Mon, 11 Mar 2019 21:42:16 GMT

hey all, hope this is an easy one.

- how can i setup the management interface so that we can ping to the mgmt interface from a subnet that is on a different subnet than the Management0/0 interface (source ip would be 192.168.100.0/24 which may conflict with the inside interface)

- i am able to telnet/ssh from the 192.168.100.0/24 subnet connected to a router behind the mgmt interface

- i am not able to ping the mgmt interface from the 192.168.100.0/24 subnet connected to a router behind the mgmt interface

- is a security level required on the mgmt interface? it does not work unless we put one. if so, what are you guys setting it to?

interface Ethernet0/0.101

description Outside

vlan 101

nameif outside

security-level 0

ip address 101.1.1.100 255.255.255.0

interface Ethernet0/1.102

description Inside Cat3750-VM G1/0/24 (PRI) G2/0/24 (STB)

vlan 102

nameif inside

security-level 100

ip address 192.168.100.100 255.255.252.0

interface Management0/0

nameif mgmt

security-level 90

ip address 192.168.253.100 255.255.255.0

management-only

ssh 192.168.100.0 255.255.255.0 mgmt

telnet 192.168.100.0 255.255.255.0 mgmt

I try to add a static route but get an error:

ASA5520(config)# route mgmt 192.168.0.0 255.255.252.0 192.168.253.1

ERROR: Cannot add route, connected route exists

ASA5520 - Management0/0 Telnet/SSH/Ping Access

Julio Carvajal — Wed, 26 Oct 2011 00:54:33 GMT

Hello Robert,

by default the Managment interface of an ASA is going to be used just for managment traffic only.

Now in order to be able to use it as any other interface you will need to use the following command:

- Interface managment 0/0

- no managment-only

And just to let you know it is imposible to ping a distant interface as an example from a inside subnet to the outside interface ip .This as security measure.

Regards,

Julio

ASA5520 - Management0/0 Telnet/SSH/Ping Access

Robert Ho — Wed, 26 Oct 2011 19:29:33 GMT

yes, our intent is to use it for mgmt only (telnet, ssh, ping, logging, snmp).

but, we are not able to reach it if the source ip is on another subnet one hop from the mgmt interface

for example

asa --> mgmt0/0 --> router --> source_ip

is this possible?

ASA5520 - Management0/0 Telnet/SSH/Ping Access

cadet alain — Wed, 26 Oct 2011 21:38:02 GMT

Hi,

you can use this command:

hostname(config)# management access management_interface

Regards.

Alain.