topic Re: ASA Management Interface Best Practives in Network Security

ASA Management Interface Best Practives

ServerCaseUK — Fri, 21 Feb 2020 15:53:05 GMT

Hello, I wonder if you could help. I am in the process of upgrading from an ASA 5505 to a 5515-X.

On the 5505 I had an IP restriction for the HTTPS/ASDM setup on the outside interface, worked great. Of course, these firewalls didn't come with a dedicated management interface.

On the new 5515-X the default is 192.168.1.1 on the dedicated management interface. The ASA will be going into a datacentre, so I would still ideally need to have HTTPS/ASDM access through its outside interface, IP restricted of course.

What is the best practice with setting this up please? I know some CLI, but I prefer to use ASDM.

There will be a site-to-site VPN I will be setting up not long after the deployment of the firewall, so I will probably use VPN access only for the HTTPS/ASDM, but for the moment I will need to open it on the outside interface, IP restricted.

Thanks!

Re: ASA Management Interface Best Practives

Rob Ingram — Thu, 14 Jun 2018 21:05:39 GMT

Hi, Best practice would to not allow management access from outside, but if you need to, then I've included a copy of my lab configuration below.

domain-name lab.net
username admin password PASSWORD privilege 15
http server enable
aaa authentication http console LOCAL
http 192.168.11.0 0.0.0.255 INSIDE
crypto key generate rsa modulus 2048
aaa authentication ssh console LOCAL
ssh version 2
ssh 192.168.10.0 0.0.0.255 INSIDE
ssh 192.168.11.0 0.0.0.255 INSIDE
ssh timeout 30

Just replace the IP address range with your subnet you will permit access from and replace inside with the name of your outside interface.

Another BP would be to actually use TACACS+ or RADIUS for management to control user access.

HTH

Re: ASA Management Interface Best Practives

ServerCaseUK — Thu, 14 Jun 2018 21:15:06 GMT

Thanks for the reply.

I don't mind installing ASDM on one of the servers inside the firewall - I can just RDP in (or VPN once I setup the site-to-site). Is there a way through ASDM to set the Inside interface as the management interface with HTTPS running for ASDM access?

Thanks!

Re: ASA Management Interface Best Practives

Rob Ingram — Thu, 14 Jun 2018 21:18:33 GMT

Hi,
You can just use the commands provided above, modifying the subnet and specifying the correct inside interface name. You don't specifically need to use a dedicated management interface.

HTH

Re: ASA Management Interface Best Practives

ServerCaseUK — Thu, 14 Jun 2018 21:38:24 GMT

Thanks - I will give that a try.

Re: ASA Management Interface Best Practives

Rob Ingram — Thu, 14 Jun 2018 21:53:38 GMT

When you do come to manage the ASA over the VPN, you will need to enter the command "management access <inside interface name>" this allows the ability to manage the ASA on an interface other than the one from which you entered the ASA.

HTH