Access ASDM from different subnet

darkliteBE
Level 1

Hello,

This concerns an ASA 5512-X.

I've got two subnets:
- the management one: 10.10.0.0
- the internal one: 10.10.1.0

I've configured the 'management access' that these addresses can access the ASDM. However I'm not able to connect to the management one from the internal one.

The interfaces are:
management    
IP: 10.10.0.1
Subnet: 255.255.255.0

intern:
IP: 10.10.1.1
Subnet: 255.255.255.0

I've put the security level to:
intern: 100
management: 90

I've not added any static routes.

I've enabled the following options:
- traffic between two or more interfaces which are configured with the same security levels;
- traffic between two or more hosts connected to the same interface.

Could someone help me out with this problem?

Thanks.

1 Accepted Solution


If you've allowed management access via the internal interface then you just direct ASDM to that address. As long as the ASA can route back to the client from that address it will work fine.


7 Replies

Marvin Rhoads
Hall of Fame

Many customers opt not to use the ASA's physical management interface because routing to/from it can be problematic.

An ASA only has a single routing table (assuming single context). So it only knows about connected, static routes and any dynamic routing process-learned (EIGRP, OSPF etc) routes. Without static or dynamic routes, it would only know connected interfaces.

So if traffic arrives at the management interface from any address not on the same subnet, the ASA does not have a valid return path for it. Traffic cannot flow from the management interface "through" the ASA (i.e., ingress to the management interface and egress via a different interface).

One can work around with some static routes on the management interface but that can often adversely affect your production traffic if you're not careful.

Devices with more robust management interfaces often have a separate VRF (routing instance) dedicated to management.

So I'm not able to connect to the ASDM from the 'internal interface' instead of the 'management interface'?

Absent any static routes, a client using ASDM who is not already on the management network will not be able to connect to the ASA's management interface.

Follow the traffic flow logic:

1. Client on internal network launches ASDM and directs the session to the ASA management interface. So the client PC needs to establish a route to the ASA management IP and setup TCP connection for use by https (ASDM).

2. The client's gateway routes traffic to the management subnet, traffic arrives at ASA management interface.

3. ASA receives the TCP connection setup (3-way handshake beginning with client sending SYN requiring ASA to reply with SYN-ACK).

Now it needs to reply. To do so it needs to determine egress interface. The only way it knows to reach internal network is via the connected internal interface but that would result in SYN-ACK coming from an address other than the one the client sent the SYN to so communication is never established.

How would one connect then to the ASDM? Via VPN? Would that be possible?

If you've allowed management access via the internal interface then you just direct ASDM to that address. As long as the ASA can route back to the client from that address it will work fine.
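As an added example that is not part of the original thread, here is the ASA configuration that matches the accepted answer and the routing explanation above. The interface names, addresses and security levels are the ones the original poster described; the client host, the upstream router address and the remote subnet in the comments are constructed for illustration. ASDM is permitted on the intern interface, so a client on 10.10.1.0/24 browses to 10.10.1.1, the address of the interface its traffic arrives on, and the SYN-ACK leaves that same interface with that same source address.

```cisco
! Added example, not the original poster's running config.
! Interface names, addresses and security levels follow the thread;
! 10.10.1.50, 10.10.0.254 and 10.10.5.0/24 are constructed values.
interface Management0/0
 nameif management
 security-level 90
 ip address 10.10.0.1 255.255.255.0
 ! Typical default on the 5512-X dedicated management port: no through-traffic,
 ! only traffic to and from the ASA itself is accepted here.
 management-only
!
interface GigabitEthernet0/1
 nameif intern
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
! ASDM rides on the ASA's HTTPS server; access is granted per interface.
http server enable
! Hosts on the management subnet reach ASDM at 10.10.0.1 (connected, same interface).
http 10.10.0.0 255.255.255.0 management
! Hosts on the internal subnet reach ASDM at 10.10.1.1. The request and the
! SYN-ACK both use the intern interface, which is the condition the accepted
! answer gives: the ASA must be able to route back to the client from the
! address the client connected to.
http 10.10.1.0 255.255.255.0 intern
!
! The workaround Marvin warns about: a static route out the management interface
! so that a REMOTE client subnet (constructed 10.10.5.0/24, reached via a router
! at constructed 10.10.0.254) can target 10.10.0.1. It only helps for subnets the
! ASA does not already have as a connected route; 10.10.1.0/24 is connected on
! intern, and the connected route wins, so no static route would let a 10.10.1.x
! client reach ASDM at 10.10.0.1. Left commented out because it can also pull
! production traffic toward the management port.
! route management 10.10.5.0 255.255.255.0 10.10.0.254 1
!
! Checks after applying:
! show run http          -> confirms which interfaces accept ASDM and from where
! show route             -> single routing table; connected routes decide egress
```

Access-list style restrictions are not involved in this to-the-box flow: the `http` lines are the ACL for ASDM, and the same-security-traffic options the original poster enabled affect only through-traffic, not connections to the ASA's own interface addresses.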

How would I do that? I've put the client address 10.10.1.0 in the ASDM, but I can't browse to it.


Thank you for your help!

Oh, I understand now. I have to browse to 10.10.1.1 instead of 10.10.0.1.

The problem is solved. I can access ASDM via another subnet.
