Access ASA for management
10-07-2024 05:03 PM - edited 10-07-2024 05:06 PM
In a previous post I had a problem where the ASA or the rest of the devices in the management VLAN are accessible by VPN, but not all at the same time (https://community.cisco.com/t5/network-management/can-access-hosts-in-management-vlan-either-or-asa-management-ip/td-p/5203099).
The problem arose because the management vlan was accessible both via the transit VLAN (coming from L3 core switch) and directly connected on L2 to the ASA. So I have removed the L2 interface for vlan management on the ASA. Only the transit VLAN remains and the WAN interfaces of course.
For now I am able to manage the ASA on its IP address in the transit VLAN (ASA 192.168.200.1/31, core 192.168.200.0/31).
I suspect that is not the best choice to have the ASA's management ip address on the transit VLAN.
My question is how to setup another interface for the management and being able to access the ASA coming from one of the internal VLANs through the transit VLAN to the ASA?
I already configured another interface with an IP address (i.e. 192.168.50.10) on the same trunk where the transit VLAN exists. I can ping the ASA but I am not able to access it via ASDM and SSH. Packet tracer shows a drop/deny because of "implicit rule". I guess it's the global implicit rule. But it doesn't make any sense to me.
When I move the management IP address (192.168.50.10) to a dedicated interface, the ASA log shows that the traffic routes to WAN because of the default route 0.0.0.0. It looks like the ASA doesn't know that this interface is locally connected and instead wants to forward that traffic to WAN.
10-07-2024 06:58 PM
According to this post it's not possible to manage the ASA from another interface, only from the interface where the management PC is connected, in my case the transit VLAN.
https://community.cisco.com/t5/network-security/access-asdm-from-different-interface/td-p/4841949
Is that correct? If so, how would you recommend managing the ASA? On its IP address in the transit VLAN?
10-07-2024 10:06 PM
Hello!
I'm not sure I understand you completely, but in the case of access to the ASA over VPN you can use only one interface, by using the configuration below.
management-access nameif
If you are accessing the ASA over a routed interface, you can access it from any zone using the configuration:
ssh XX.XX.XX.0 255.255.255.0 nameif
BR
10-08-2024 12:49 AM
Not exactly.
Let's say I have interfaces inside and test. Clients are connected to inside. Currently the ASA is manageable via ASDM and SSH on its interface IP address of inside. In my case all traffic from all VLANs behind inside (=transit) goes over it towards WAN. I suspect it would be better to manage the ASA on the test interface, but that doesn't work.
According to the other posting it sounds like this is by design.
10-08-2024 03:13 AM
User - L3 device - ASA (test)
Use
management-access test
ssh <user subnet> test
The subnet does not need to be the interface subnet; it can be any subnet that connects to the ASA via the test interface.
MHM
10-08-2024 10:07 AM
On the ASA there is only one interface transit (192.168.200.0/31 -> L3, 192.168.200.1/31 -> ASA) connecting L3 with ASA.
L2 VLAN 123 behind the L3 core should be able to manage the ASA but not on the transit ip address 192.168.200.1.
When I create another L2 interface on the ASA (VLAN 123 for management), like I had it before, then I am able to manage everything in VLAN 123 via VPN but not the ASA itself, OR the ASA only but not the endpoints in VLAN 123. Traffic seems to return a different way (from L2 VLAN 123 to transit to ASA), but when connected with VPN I have a direct connection to that L2 interface.
10-08-2024 10:54 AM
This is an example.
Admin connects to the ASA via the IN interface.
This is how you can config it.
MHM
10-08-2024 11:02 AM - edited 10-08-2024 11:02 AM
If I understand you right, then I am connecting to the IP address of the IN interface (= transit) which the ASA has on its side, correct?
IN -> L3 side, 192.168.200.0
IN -> ASA side, 192.168.200.1
10-08-2024 11:05 AM
> IN -> L3 side, 192.168.200.0
> IN -> ASA side, 192.168.200.1
Sorry, but you can see I use two subnets in my example, 10.0.0.0/24 and 20.0.0.0/24.
As I see it, you use the same subnet? Is there an L3 device between the host and the ASA?
If there is an L3 device, then the subnets must be different.
thanks
MHM
10-08-2024 11:11 AM
Subnets behind the L3 are several VLANs. Between L3 and ASA is transit network 192.168.200.0 (L3) and 192.168.200.1 (ASA).
All traffic from the VLANs goes through the transit network to ASA towards WAN or other networks.
10-08-2024 11:14 AM
Then the admin PC IP must be added as below:
ssh <admin PC IP> IN
You cannot use 192.168.200.0 in the command above, since the traffic is not sourced from this subnet's IPs.
MHM
10-08-2024 11:17 AM
> ssh <admin PC IP> IN
Yes, I know. But the admin PC will manage the ASA on its IP address 192.168.200.1 (= the transit IP address). I would like to have it off that IP address. I'd like to have another network, but it seems not possible.
10-08-2024 11:22 AM
ssh <admin PC IP> IN
The admin PC IP here is the source, not the destination.
i.e.
The PC has x.x.x.x and the ASA IN interface has 192.168.200.1.
The traffic will be:
source x.x.x.x
dest 192.168.200.1
The command is used to specify the source of the mgmt traffic.
MHM
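As an added example (not any poster's configuration), this is how the source-restricted management access described in this thread could be written for the thread's topology, with management staying on the transit IP 192.168.200.1. The VLAN 123 subnet 192.168.123.0/24, the sub-interface GigabitEthernet0/1.200 on VLAN 200, the nameif `transit` and the username are assumptions, since the thread does not give them.

```text
! Transit link to the L3 core (assumed sub-interface/VLAN; /31 as in the thread)
interface GigabitEthernet0/1.200
 vlan 200
 nameif transit
 security-level 100
 ip address 192.168.200.1 255.255.255.254
!
! Return route for the management VLAN behind the core (192.168.123.0/24 is a
! placeholder). Without it, replies to admin hosts follow the default route
! toward the WAN, which is the symptom reported in the first post.
route transit 192.168.123.0 255.255.255.0 192.168.200.0 1
!
! Local admin account and SSH hardening (password is a placeholder)
username admin password CHANGE-ME privilege 15
aaa authentication ssh console LOCAL
ssh version 2
ssh timeout 10
!
! Source restriction: first argument is the SOURCE subnet of the admin hosts,
! last argument is the interface on which that traffic arrives.
ssh 192.168.123.0 255.255.255.0 transit
http server enable
http 192.168.123.0 255.255.255.0 transit
!
! Only relevant for admins arriving over a VPN terminated on another interface
! who need to reach the transit IP: exactly one interface may be named here.
management-access transit
```

After applying it, `show route` should list 192.168.123.0/24 via 192.168.200.0 on transit, and `show run ssh` / `show run http` confirm that only the admin subnet on the transit interface is permitted.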
10-08-2024 11:46 AM
Yes, I have understood that. 192.168.200.1 is the IP address on the ASA and that is the gateway in the route at the L3. In other words, I would manage the ASA on the gateway IP address.
That is why I suspect it would be better to have the management on a different IP.
10-08-2024 11:59 AM
Unfortunately, in ASA you can mgmt the ASA from a different interface.
i.e.
The admin PC connects to IN and you want to mgmt the ASA via a different interface; that cannot be done.
Sorry.
MHM
