
ASA Management Interface

tomyip
Level 1

I have configured the management interface on an ASA 5525 as follows:

interface Management0/0
 description MGMT link to GOLABC012SW - F1/0/17 - VLAN 701
 management-only
 nameif management
 security-level 100
 ip address 143.16.191.45 255.255.255.0

The ASA is directly connected to the switch with the following switchport config:

interface FastEthernet1/0/17
 description ASA MGT port 00
 switchport access vlan 701
 switchport mode access
 spanning-tree portfast
!
interface Vlan701
 description Network lab management VLAN
 ip address 143.16.191.15 255.255.255.0

The management interface on the ASA and switch is up/up. From the switch I can ping the ASA. But from the ASA I can't ping the switch and I can't even ping my own IP address at 143.16.191.45 on the ASA let alone anything on the 143.16.191.x subnet.

GOLABASA1/sec/actNoFailover# ping 143.16.191.45
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 143.16.191.45, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)

Here's my ARP table from the ASA. So I am seeing IP hosts from the 143.16.191.x in the ARP table. 

GOLABASA1/sec/actNoFailover# sh arp
outside 193.17.99.65 7081.057c.9501 0
serverlan 143.16.80.53 6c20.5665.5ec0 5246
serverlan 143.16.80.49 1cdf.0f83.3240 10814
management 143.16.191.1 7c95.f35b.4ef3 10184
management 143.16.191.26 b4a4.e3ee.96c1 12505
management 143.16.191.29 8cb6.4ff4.51c1 12512

Anyway, I'm a bit of a novice on ASA firewalls. I think I may be missing something very basic. Any suggestions on what else to look for would be much appreciated.

2 Replies

Rahul Govindan
VIP Alumni

Can you try "ping management 143.16.191.45"? The newer ASA software versions (9.5 and above) have a separate routing table for management which may be why your ping might be failing. 

That worked! 

GOLABASA1/sec/actNoFailover# ping management 143.16.191.45
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 143.16.191.45, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
GOLABASA1/sec/actNoFailover# ping management 143.16.191.15
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 143.16.191.15, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
GOLABASA1/sec/actNoFailover# ping management 143.16.191.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 143.16.191.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms

I can see the separate routing table.

GOLABASA1/sec/actNoFailover# show route management-only


Routing Table: mgmt-only
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set

S 143.0.0.0 255.0.0.0 [1/0] via 143.16.191.15, management
C 143.16.191.0 255.255.255.0 is directly connected, management
L 143.16.191.45 255.255.255.255 is directly connected, management

Is there a way to integrate/combine the management routing table with the global routing table? Or at least make the two routing tables learn about each other?
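
An added example, not part of the original thread: a small parser for the `show route management-only` output posted above, with a longest-prefix lookup, so you can check which destinations the management table by itself can reach. The function names are hypothetical, and the code models only a lookup inside this one table, not how the ASA chooses between its routing tables.

```python
import ipaddress
import re

# Route lines copied from the "show route management-only" output in the thread.
SHOW_ROUTE_MGMT = """\
Routing Table: mgmt-only
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
Gateway of last resort is not set

S 143.0.0.0 255.0.0.0 [1/0] via 143.16.191.15, management
C 143.16.191.0 255.255.255.0 is directly connected, management
L 143.16.191.45 255.255.255.255 is directly connected, management
"""

# <code> <network> <mask> then either "[ad/metric] via <gw>" or "is directly connected"
ROUTE_RE = re.compile(
    r"^(?P<code>[A-Za-z*+]+)\s+(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?:\[\d+/\d+\]\s+via\s+(?P<gw>\d+\.\d+\.\d+\.\d+)|is directly connected),\s+(?P<ifc>\S+)$"
)

def parse_routes(text):
    """Return one dict per route line; banner and legend lines are skipped."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if not m:
            continue
        net = ipaddress.ip_network(f"{m['net']}/{m['mask']}")
        routes.append({"code": m["code"], "network": net,
                       "gateway": m["gw"], "interface": m["ifc"]})
    return routes

def lookup(routes, dest):
    """Longest-prefix match of dest in this table; None when nothing covers it."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in routes if addr in r["network"]]
    return max(matches, key=lambda r: r["network"].prefixlen, default=None)

if __name__ == "__main__":
    table = parse_routes(SHOW_ROUTE_MGMT)
    for dest in ("143.16.191.45", "143.16.191.15", "143.16.80.53", "193.17.99.65"):
        hit = lookup(table, dest)
        print(dest, "->", f"{hit['code']} {hit['network']} via {hit['interface']}" if hit else "no route")
```

With the table as posted, the static `143.0.0.0 255.0.0.0` entry also covers `143.16.80.53` from the serverlan ARP entries, while `193.17.99.65` has no match because no gateway of last resort is set.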
