06-12-2017 10:35 AM - edited 03-12-2019 02:29 AM
I have configured the management interface on an ASA 5525 as follows:
interface Management0/0
 description MGMT link to GOLABC012SW - F1/0/17 - VLAN 701
 management-only
 nameif management
 security-level 100
 ip address 143.16.191.45 255.255.255.0
The ASA is directly connected to the switch with the following switchport config:
interface FastEthernet1/0/17
 description ASA MGT port 00
 switchport access vlan 701
 switchport mode access
 spanning-tree portfast
!
interface Vlan701
 description Network lab management VLAN
 ip address 143.16.191.15 255.255.255.0
The management interface on the ASA and switch is up/up. From the switch I can ping the ASA. But from the ASA I can't ping the switch and I can't even ping my own IP address at 143.16.191.45 on the ASA let alone anything on the 143.16.191.x subnet.
GOLABASA1/sec/actNoFailover# ping 143.16.191.45
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 143.16.191.45, timeout is 2 seconds:
?????
Success rate is 0 percent (0/5)
Here's my ARP table from the ASA. So I am seeing IP hosts from the 143.16.191.x in the ARP table.
GOLABASA1/sec/actNoFailover# sh arp
outside 193.17.99.65 7081.057c.9501 0
serverlan 143.16.80.53 6c20.5665.5ec0 5246
serverlan 143.16.80.49 1cdf.0f83.3240 10814
management 143.16.191.1 7c95.f35b.4ef3 10184
management 143.16.191.26 b4a4.e3ee.96c1 12505
management 143.16.191.29 8cb6.4ff4.51c1 12512
Anyway, I'm a bit of a novice on ASA firewalls. I think I may be missing something very basic. Any suggestions on what else to look for would be much appreciated.
06-12-2017 12:49 PM
Can you try "ping management 143.16.191.45"? The newer ASA software versions (9.5 and above) have a separate routing table for management which may be why your ping might be failing.
06-13-2017 08:25 AM
That worked!
GOLABASA1/sec/actNoFailover# ping management 143.16.191.45
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 143.16.191.45, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
GOLABASA1/sec/actNoFailover# ping management 143.16.191.15
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 143.16.191.15, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
GOLABASA1/sec/actNoFailover# ping management 143.16.191.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 143.16.191.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/4/10 ms
I can see the separate routing table.
GOLABASA1/sec/actNoFailover# show route management-only
Routing Table: mgmt-only
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
S 143.0.0.0 255.0.0.0 [1/0] via 143.16.191.15, management
C 143.16.191.0 255.255.255.0 is directly connected, management
L 143.16.191.45 255.255.255.255 is directly connected, management
Is there a way to integrate/combine the management routing table with the global routing table? Or at least make the two routing tables learn about each other?