topic Configuring ASA Management on a sub-interface in Network Security

Configuring ASA Management on a sub-interface

Ahmad Samir — Mon, 11 Mar 2019 18:17:36 GMT

Dear All

I have two ASA 5520 with 4 Giga interfaces and 1 management interface.

I need to use 4 interfaces four data traffic

1- Inside

2- Outside

3- dmz-1

4- dmz-2

The remaining will be the management interface only.How can I configure the Statefull failover and Management?

What I did?

1- I used the management0/0 for The stateful failover.

2- I used gig 0 for outside

3- I used gig 1 for inside

4- I used gig 2 for dmz-1

5- I divided the gig 3 to two sub interfaces

a- gig0/3.1 for dmz-2

b- gig0/3.2 for Management and I defined it as a management-only

Does anyone has comments or recommendatiosn on this design? Please advise.

Thanks on advance,

Re: Configuring ASA Management on a sub-interface

August Ritchie — Wed, 28 Jul 2010 21:07:49 GMT

The way that you propose is fine, but what is the reason for needing a management-only interface? If it is more convenient you can manage from any interface that you are behind.

Re: Configuring ASA Management on a sub-interface

Ahmad Samir — Sun, 01 Aug 2010 07:14:34 GMT

Dear August

Thanks for your reply.

I just put it to follow the security standard of having a didicated management interface for the ASA.

Do you have any concern about configuring the management 0/0 with stateful and lan faiover?

Thanks,

Re: Configuring ASA Management on a sub-interface

Magnus Mortensen — Mon, 02 Aug 2010 00:24:30 GMT

Ahmad, it is recomended to have a stateful failover interface that is as fast as the fastest traffic passing interface. With your design that would have to be one if the Gig ports. This is to ensure that failover stateful info is not going to overload the failover link. I do not have the document infront of me, but im sure it is documented somewhere. - Magnus

Re: Configuring ASA Management on a sub-interface

Jitendriya Athavale — Mon, 02 Aug 2010 05:07:10 GMT

as magnus suggested, it is not recommended to use management interface for state

ful failover

here is the link which has cisco recommendations

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00807dac5f.shtml#intro

Re: Configuring ASA Management on a sub-interface

Magnus Mortensen — Mon, 02 Aug 2010 05:16:13 GMT

Jitendriya,

Thanks for the link. Ahmad, the key lines in that document are as follows:

"Cisco recommends that you do not use the management interface for failover, especially for stateful failover in which the security appliance constantly sends the connection information from one security appliance to the other. The interface for failover must be at least of the same capacity as the interfaces that pass regular traffic, and while the interfaces on the ASA 5540 are gigabit, the management interface is FastEthernet only. The management interface is designed for management traffic only and is specified as management0/0."

- Magnus

Configuring ASA Management on a sub-interface

Ben Quinata — Wed, 02 Nov 2011 18:15:09 GMT

I'm in the same situation with a pair of 5520s. For clarification I found the following excerpt from Cisco Docs stating different requirements for various ASA models. Link at the bottom.

Failover Interface Speed for Stateful Links

If you use the failover link as the Stateful Failover link, you should use the fastest Ethernet interface available. If you experience performance problems on that interface, consider dedicating a separate interface for the Stateful Failover interface.

Use the following failover interface speed guidelines for the adaptive security appliances:

•Cisco ASA 5510

–Stateful link speed can be 100 Mbps, even though the data interface can operate at 1 Gigabit due to the CPU speed limitation.

•Cisco ASA 5520/5540/5550

–Stateful link speed should match the fastest data link.

•Cisco ASA 5580/5585

–Use only non-management 1 Gigabit ports for the stateful link because management ports have lower performance and cannot meet the performance requirement for stateful failover.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ha_overview.html#wp1078922