ASA management interfaces

Jordi Benet
Level 1

Hi,

We have an ASA 5585-X SSP40 that has 2 management ports 0/0 and 0/1.

We have 2 Catalyst switches (switch1 and switch2) working as management switches and they carry the management VLAN.

I was wondering if we could connect management 0/0 to switch1 and management 0/1 to switch2 and configure both interfaces with an IP inside the management VLAN. So both interfaces will be in the same subnet.

 

My goal is if switch 1 fails I will still have reachability to the ASA through switch 2 and management port 0/1.

Thanks a lot.

Regards,

J

 

 

Accepted Solutions

Marvin Rhoads
Hall of Fame

Your addressed interfaces on a given ASA must all be in unique subnets. So you will not be able to configure both M0/0 and M0/1 in the same subnet.

That model of a firewall is almost always set up in an HA pair so the standby unit's M0/0 could be connected to switch 2.

You could also set up M0/1 in a unique subnet and create a new LAN for that on the switches.

One other option is to allow management access to the ASA via the inside interface (restricted to access from your designated admin networks if you like).
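
Added example, not part of the original thread: an ASA configuration sketch of the second and fourth options above, with each management port in its own subnet and management access limited to named source networks. It assumes a standalone unit (not the cluster mentioned later in the thread) and admin hosts that sit inside each management VLAN; all addresses and `nameif` labels are constructed placeholders.

```cisco
! Constructed example: addresses and interface names are placeholders.
! M0/0 -> switch1, first management VLAN
interface Management0/0
 description Uplink to switch1 (management VLAN A)
 management-only
 nameif mgmt-a
 security-level 100
 ip address 192.0.2.10 255.255.255.128
!
! M0/1 -> switch2, second management VLAN.
! The subnet must not overlap with any other addressed interface on this ASA.
interface Management0/1
 description Uplink to switch2 (management VLAN B)
 management-only
 nameif mgmt-b
 security-level 100
 ip address 192.0.2.138 255.255.255.128
!
! Permit SSH and ASDM/HTTPS only from hosts in the directly connected
! management subnet of each interface.
ssh 192.0.2.0 255.255.255.128 mgmt-a
ssh 192.0.2.128 255.255.255.128 mgmt-b
http server enable
http 192.0.2.0 255.255.255.128 mgmt-a
http 192.0.2.128 255.255.255.128 mgmt-b
!
! Alternative from the answer: manage the ASA through the inside interface,
! restricted to a designated admin network (placeholder 198.51.100.0/24).
ssh 198.51.100.0 255.255.255.0 inside
http 198.51.100.0 255.255.255.0 inside
```

After applying, `show running-config ssh` and `show running-config http` list which source networks are permitted on which interface, so any broader entry left over from earlier configuration can be spotted and removed.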

Thanks a lot Marvin. I will then use a different VLAN for each management interface.

I was thinking of channeling them, but as our four ASA FWs are in a cluster between DCs, if we lose the management interface of one we will lose the management of all the ASAs, so it is better to get a second VLAN and the port attached to the second switch.

 

Thanks for the help.

Regards,

J
