Access ASA for management

mcgiga
Level 1

In a previous post I had a problem where the ASA or the rest of the devices in the management VLAN are accessible by VPN, but not all at the same time (https://community.cisco.com/t5/network-management/can-access-hosts-in-management-vlan-either-or-asa-management-ip/td-p/5203099).

The problem arose because the management vlan was accessible both via the transit VLAN (coming from L3 core switch) and directly connected on L2 to the ASA. So I have removed the L2 interface for vlan management on the ASA. Only the transit VLAN remains and the WAN interfaces of course.

For now I am able to manage the ASA on its IP address in the transit VLAN (ASA 192.168.200.1/31, core 192.168.200.0/31).

I suspect that is not the best choice to have the ASA's management ip address on the transit VLAN.

My question is how to set up another interface for the management and be able to access the ASA coming from one of the internal VLANs through the transit VLAN to the ASA?

I already configured another interface with an IP address (i.e. 192.168.50.10) on the same trunk where the transit VLAN exists. I can ping the ASA but I am not able to access it via ASDM and SSH. Packet tracer shows a drop/deny because of "implicit rule". I guess it's the global implicit rule, but it doesn't make any sense to me.

When I move the management IP address (192.168.50.10) to a dedicated interface, the ASA log shows that the traffic routes to WAN because of the default route 0.0.0.0. It looks like the ASA doesn't know that this interface is locally connected and instead wants to forward that traffic to WAN.

15 Replies

mcgiga
Level 1

According to this post it's not possible to manage the ASA from another interface, only from the interface where the management PC is connected, in my case the transit VLAN.

https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/td-p/4841949

Is that correct? If so, how would you recommend to manage the ASA? On its IP of the transit VLAN?

DanielP211
VIP Alumni

Hello!

I'm not sure I understand you completely, but in the case of access to the ASA over VPN you can use only one interface, by using the configuration below.

management-access nameif

If you are accessing the asa over a routed interface you can access it with any zone using the configuration:

ssh XX.XX.XX.0 255.255.255.0 nameif

BR

****Kindly rate all useful posts*****

mcgiga
Level 1

Not exactly.

Let's say I have interfaces inside and test. Clients are connected to inside. Currently the ASA is manageable via ASDM and SSH on its interface IP address of inside. In my case all traffic from all VLANs behind inside (=transit) goes over it towards WAN. I suspect it would be better to manage the ASA on the test interface, but that doesn't work.

According to the other posting it sounds like this is by design.

User - L3 device - ASA(test)

Use

management-access test

ssh <user subnet> test

The subnet does not need to be the interface subnet; it can be any subnet connected to the ASA via the test interface.

MHM

On the ASA there is only one interface transit (192.168.200.0/31 -> L3, 192.168.200.1/31 -> ASA) connecting L3 with ASA.

L2 VLAN 123 behind the L3 core should be able to manage the ASA but not on the transit ip address 192.168.200.1.

When I create another L2 interface on the ASA (the VLAN 123 for management), like I had it before, then I am able to manage everything in VLAN 123 via VPN but not the ASA itself, OR the ASA only but not the endpoints in VLAN 123. Traffic seems to return a different way (from L2 VLAN 123 to transit to ASA), but when connected with VPN I have a direct connection to that L2 interface.

This is an example.

Admin connects to the ASA via the IN interface.

This is how you can configure it:

MHM

Screenshot (824).png

If I understand you right, then I am connecting to the IP address of the IN interface (= transit) which the ASA has on its side, correct?

IN -> L3 side, 192.168.200.0
IN -> ASA side, 192.168.200.1

Sorry, but you can see I use two subnets in my example, 10.0.0.0/24 and 20.0.0.0/24.

As I see it, you use the same subnet? Is there an L3 device between the host and the ASA?

If there is an L3 device, then the subnets must be different.

thanks 

MHM

Subnets behind the L3 are several VLANs. Between the L3 and the ASA is the transit network, 192.168.200.0 (L3) and 192.168.200.1 (ASA).

All traffic from the VLANs goes through the transit network to ASA towards WAN or other networks.

Then the admin PC IP must be added as below:
ssh <admin PC IP> IN

You cannot use 192.168.200.0 in the command above, since the traffic is not sourced from this subnet's IPs.

MHM

ssh <admin PC IP> IN 
Yes, I know. But the admin PC will manage the ASA on its IP address 192.168.200.1 (= the transit IP address). I would like to have it off that IP address. I would like to have another network, but it seems not possible.

ssh <admin PC IP> IN  

The admin PC IP here is the source, not the destination.

i.e.

The PC has x.x.x.x and the ASA IN interface has 192.168.200.1.

The traffic will be:
source x.x.x.x
dest 192.168.200.1

The command is used to specify the source of the mgmt traffic.

MHM
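An added example, not from any post in this thread, that ties the commands above together for the topology described: the /31 transit link to the core, a route back to the management VLAN (VLAN 123) via the core, and the SSH/ASDM restriction keyed on the admin subnet as source arriving on the transit interface. The subnet 10.123.0.0/24 for VLAN 123 and the interface name GigabitEthernet0/1 are assumed placeholders.

```cisco
! Added example config (not from the thread); assumed values are marked.
! Transit link between the L3 core (192.168.200.0) and the ASA (192.168.200.1),
! as stated in the thread.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.200.1 255.255.255.254
!
! Return route to the management VLAN behind the core.
! 10.123.0.0/24 is an ASSUMED placeholder for the VLAN 123 subnet.
route inside 10.123.0.0 255.255.255.0 192.168.200.0 1
!
! Management is allowed per SOURCE subnet on the interface the packets
! actually enter (the transit 'inside' nameif). The source does not have
! to be the interface's own subnet; the /31 itself would never match,
! because no admin host sources traffic from 192.168.200.0/31.
ssh 10.123.0.0 255.255.255.0 inside
http server enable
http 10.123.0.0 255.255.255.0 inside
!
! Lets VPN clients arriving on another interface reach the ASA's
! 'inside' address; it does not let a host entering via 'inside'
! manage the ASA on a different interface's address.
management-access inside
```

The SSH/ASDM destination stays 192.168.200.1, which is the behaviour the replies in this thread describe.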

Yes I have understood that. 192.168.200.1 is the ip address on ASA and that is the gateway in the route at the L3. In other words I would manage the ASA on the gateway ip address.

That is why I suspect it would be better to have the management on a different IP.

Unfortunately, in ASA you can mgmt the ASA from a different interface,
i.e.
the admin PC connects to IN and you want to mgmt the ASA via a different interface; that cannot be done.

sorry

MHM