https://community.cisco.com/t5/network-security/question-about-defining-management-interface/m-p/1642369#M593294 <P>As you know the ASA has a port explicitly defined as the managment interface</P><P></P><P>you aslo must explicltly define ssh/telnet/http access using the ssh xxxx.xxx.xxxx.xxxx "interface"</P><P></P><P>My question is..what is the purpose of the "management-access (interface)" configuration statement?</P><P></P><P>once you allow ssh/http/ etc on any interface isnt that now a "managment" interface?</P><P></P><P>and for best practice should you only allow this on the ip of the managment interface?</P><P></P><P>so why would you need a management-access configuration statement?</P> Mon, 11 Mar 2019 19:40:43 GMT nygenxny123 2019-03-11T19:40:43Z https://community.cisco.com/t5/network-security/question-about-defining-management-interface/m-p/1642369#M593294 <P>As you know the ASA has a port explicitly defined as the managment interface</P><P></P><P>you aslo must explicltly define ssh/telnet/http access using the ssh xxxx.xxx.xxxx.xxxx "interface"</P><P></P><P>My question is..what is the purpose of the "management-access (interface)" configuration statement?</P><P></P><P>once you allow ssh/http/ etc on any interface isnt that now a "managment" interface?</P><P></P><P>and for best practice should you only allow this on the ip of the managment interface?</P><P></P><P>so why would you need a management-access configuration statement?</P> Mon, 11 Mar 2019 19:40:43 GMT https://community.cisco.com/t5/network-security/question-about-defining-management-interface/m-p/1642369#M593294 nygenxny123 2019-03-11T19:40:43Z https://community.cisco.com/t5/network-security/question-about-defining-management-interface/m-p/1642370#M593296 <HTML><HEAD></HEAD><BODY><P>Defining a specific interface for management prevents that interface from passing traffic between security zones. As you noted you can configure SSH on multiple interfaces, but that does not necessarily make it a management interface (I agree it may not make much sense). <SPAN style="font-family: courier new,courier;">management-access</SPAN>is handy for managing a device over a VPN. It's an in-band management feature, whereas a management interface is out-of-band.</P><P></P><P>Hope it makes sense.</P></BODY></HTML> Thu, 27 Jan 2011 15:43:08 GMT https://community.cisco.com/t5/network-security/question-about-defining-management-interface/m-p/1642370#M593296 Collin Clark 2011-01-27T15:43:08Z https://community.cisco.com/t5/network-security/question-about-defining-management-interface/m-p/1642371#M593299 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>Adding some information </P><P></P><P>Normally a device can only connect to interface at which it is placed, like a system sitting on outside will be able to access(ssh/ping) outside interface IP only (not inside), management-access command will allow you to connect to inside interface while physically on outside and you are connected through VPN. For example, if you enter the adaptive security appliance from the outside interface, this command lets you telnet/ping etc. the inside interface when entering from the outside interface (connected to VPN) but source IP should be allowed to access the interface. In this case you will have to use 'management-access inside' in global configuration. </P><P></P><P>Detail about this can be seen on following two links</P><P></P><P>Check section 'pinging another interface' on link: <A class="active_link" href="http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic2">http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic2</A></P><P></P><P>Command reference: <A class="active_link" href="http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/m.html#wp2112283">http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/m.html#wp2112283</A></P><P></P><P>There is another command 'management-only' which is for making an interface management only (no traffic across security zones), and you can use 'no management-only' for using dedicated management port as normal port. </P><P>Link: <A href="http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/m.html#wp2112407">http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/m.html#wp2112407</A><SPAN> </SPAN></P><P></P><P>-Shahid</P></BODY></HTML> Thu, 27 Jan 2011 18:16:58 GMT https://community.cisco.com/t5/network-security/question-about-defining-management-interface/m-p/1642371#M593299 shzaman 2011-01-27T18:16:58Z