5520 management port issue

darren.g
Level 5

hi.

I've got a 5520 firewall (well, two, but they're active/passive, so one logical unit) and I've connected the management port to a VLAN in my infrastructure.

Which is fine if I access it from within the same subnet - I can access the management port with no problem.

However, if I try to access it from another subnet (one of our remote networks, for example), I can not access the management port because the remote network is in the routing table as being connected to the "inside" interface, and the traffic goes into the management interface but comes back out via the inside interface - and consequently fails because it's not a valid flow.

Is there any way to configure an ASA to force traffic/flows which come IN via the management interface to go back OUT the management interface?

I can still access the device to manage it - but I have to do so via the IP address of the inside interface if I'm anywhere but at the data centre physically plugged in to the segment used for the management addresses.

Config is as follows

Management subnet is 10.100.2.0/24 - interface address is 10.100.2.102. Default router for 10.100.2.0/24 is 10.100.2.254.

10.100.2.0/24 is also advertised via OSPF into the firewall's OSPF process (because this segment needs to be accessed via other interfaces as well as the "inside" network).

Excerpts from the routing table are below

O E1 10.50.12.0 255.255.255.0 [110/1011] via 10.100.0.254, 35:17:05, inside
O E1 10.0.252.193 255.255.255.255 [110/1011] via 10.100.0.254, 35:17:05, inside
C    10.100.2.0 255.255.255.0 is directly connected, mgmt
O    10.100.1.0 255.255.255.0 [110/11] via 10.100.0.254, 35:17:06, inside
S    10.10.0.121 255.255.255.255 [1/0] via 202.52.142.6, outside
S    10.10.0.122 255.255.255.255 [1/0] via 202.52.142.6, outside
C    10.100.0.248 255.255.255.248 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via x.x.x.x, outside

Now, I try to connect from a host in the 10.50.12.0/24 network to the address 10.100.2.102 - which fails dismally.

I don't even know if I can do what I want - in which case, I should just disconnect the management port and be done with it.

Comments welcomed.

Cheers.


6 Replies

Eugene Khabarov
Level 7

Hi!

The management interface is only for management and can't be used for traffic traversing the ASA. You can't access the ASA through the inside interface to the address on management. You can create a route through the management interface towards the 10.50.12.0/24 subnet, but this subnet will not be able to pass traffic through the ASA then.

___

HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer"

Eugene Khabarov wrote:

Hi!

The management interface is only for management and can't be used for traffic traversing the ASA. You can't access the ASA through the inside interface to the address on management. You can create a route through the management interface towards the 10.50.12.0/24 subnet, but this subnet will not be able to pass traffic through the ASA then.

___

HTH. Please rate this post if it was helpful. If this solves your problem, please mark this post as "Correct Answer"

I'm not trying to use the Management interface to pass traffic.

The 10.50.12.0/24 network is in the OSPF routing table for the site, of which the inside interface is in area 0.

The 10.100.2.0/24 subnet is *also* in the OSPF routing table in area 0, and is received by the firewall from the network core.

I could passive this network out of OSPF, but then none of the other devices in the 10.100.2.0/24 subnet would be accessible from my other sites.

I guess I'll just disconnect the management interface and do all my management via the inside interface instead.

Thanks.

Darren

Yes, it's a bit of a pain, this one. What is needed is a separate VRF for the management interface; then you can have a separate routing table just for the management interface. Unfortunately this isn't supported on the ASA.

The only solution I know of would be if the ASAs were connected to a 6500 switch. A 6500 is needed because it supports NAT, so you can NAT the source IPs to the management VLAN interface on the 6500 switch so that the traffic is automatically sent back out of the management interface to the 6500.

Jon

Cisco has a DDTS about this. I personally think that many people would vote for this enhancement if they could.

CSCtc54676: ENH: Separate OOB management routing table from global routing table

Symptom:

This is an enhancement request, not a software defect. Currently the management interface (management 0/0) uses the global routing table on the ASA (regardless of whether it's in single mode or multiple-context mode). This might cause issues in situations where the ASA and devices in the data path (that are behind an ASA) need to access hosts/devices on other interfaces behind the ASA. In this case, packets would end up being sent out on the management interface as it has a specific (longest-match) route, instead of using the default route, causing asymmetric routing.

This request is to create an isolated routing table (perhaps a VRF) for the OOB management interface. This management interface routing instance/table is in the control path and is completely separated from the datapath routing table/instance.

With this, datapath traffic will be routed using the global (datapath) routing table and thus not be routed out to the (wrong) management interface.
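As an added illustration (not code from the thread or from Cisco), here is a Python model of the single global routing table that both Jon's 6500 NAT workaround and the DDTS text describe: it parses the routing-table excerpt from the original post, does a longest-prefix lookup, and reports whether the ASA's reply to a management session would leave on the interface it arrived on. The remote host 10.50.12.10 and the 192.0.2.1 default next hop are constructed values, and the 6500's management SVI is assumed to be the post's default router, 10.100.2.254.

```python
import ipaddress

# Constructed copy of the post's routing table; the elided "x.x.x.x" next hop is the placeholder 192.0.2.1.
ROUTES_TEXT = """\
O E1 10.50.12.0 255.255.255.0 [110/1011] via 10.100.0.254, 35:17:05, inside
O E1 10.0.252.193 255.255.255.255 [110/1011] via 10.100.0.254, 35:17:05, inside
C    10.100.2.0 255.255.255.0 is directly connected, mgmt
O    10.100.1.0 255.255.255.0 [110/11] via 10.100.0.254, 35:17:06, inside
S    10.10.0.121 255.255.255.255 [1/0] via 202.52.142.6, outside
C    10.100.0.248 255.255.255.248 is directly connected, inside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.0.2.1, outside
"""

def parse_routes(text):
    """Turn 'show route' style lines into (network, egress_interface) pairs."""
    routes = []
    for line in text.splitlines():
        toks = line.split()
        for i in range(len(toks) - 1):
            try:  # the first "prefix mask" token pair is the destination
                net = ipaddress.ip_network(f"{toks[i]}/{toks[i + 1]}", strict=False)
            except ValueError:
                continue
            routes.append((net, line.rsplit(",", 1)[1].strip()))
            break
    return routes

ROUTES = parse_routes(ROUTES_TEXT)

def egress_interface(routes, dst):
    """Longest-prefix match in the one global table that the mgmt interface also uses."""
    addr = ipaddress.ip_address(dst)
    best = max((r for r in routes if addr in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return best[1] if best else None

def reply_path(routes, ingress, client_src):
    """(egress, symmetric) for the ASA's reply to a session that arrived on `ingress`.
    symmetric=False is the thread's failure: in on mgmt, reply out another interface."""
    egress = egress_interface(routes, client_src)
    return egress, egress == ingress

if __name__ == "__main__":
    # Constructed remote host 10.50.12.10 reaches 10.100.2.102 on mgmt: the reply leaves inside.
    print(reply_path(ROUTES, "mgmt", "10.50.12.10"))   # ('inside', False)
    # Jon's workaround: the 6500 source-NATs that host to its management SVI, 10.100.2.254.
    print(reply_path(ROUTES, "mgmt", "10.100.2.254"))  # ('mgmt', True)
    # The DDTS case: an inside host sending to a 10.100.2.0/24 device is steered out mgmt
    # by the connected (longest-match) route rather than the default route.
    print(egress_interface(ROUTES, "10.100.2.50"))     # mgmt
```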

jon.marshall wrote:

Darren

Yes, it's a bit of a pain, this one. What is needed is a separate VRF for the management interface; then you can have a separate routing table just for the management interface. Unfortunately this isn't supported on the ASA.

The only solution I know of would be if the ASAs were connected to a 6500 switch. A 6500 is needed because it supports NAT, so you can NAT the source IPs to the management VLAN interface on the 6500 switch so that the traffic is automatically sent back out of the management interface to the 6500.

Jon

Jon.

I figured that was the case, I just wondered if there was some magic solution that I'd forgotten (it's been so long since I did PIX/ASA training it's not funny!).

At my last job we used Palo Alto firewalls, and they have the management plane completely separate from the data plane - so you can do this quite happily, and never need to access the management interface via the connected data/firewalling interface (although you can if you wish) - I was hoping that Cisco had done something similar.

Not to worry - I'll just disconnect the management port (since it's useless in my configuration anyway) and manage it via the "inside" interface.

Thanks for commenting.

Darren

Peter Koltl
Level 7

ASA 9.5.1 introduced a separate routing table for the management interface.
