11-08-2019 07:21 AM - edited 02-21-2020 09:40 AM
Hello
I'm new to Cisco ASA with Firepower; if possible, please help me with this subject.
I have an architecture where my ASA sits between two L2 switches in trunk mode. I used transparent mode with BVI interfaces to pass the traffic from switch 1 (Inside) to switch 2 (Outside, the gateway side). It works, but I have some problems, as shown below:
- From the ASA I can ping only a single gateway of the two VLANs, but all hosts are pingable
- I can't use the BVI interface as an access interface for ASDM (the BVI interface is not pingable)
- I have an Oracle cluster with a virtual interface that I can't ping, although the physical interfaces are reachable
I attach the architecture and configuration of the ASA.
Thank you in advance for your help
Regards.
11-09-2019 12:38 PM
Transparent mode allows you to assign an IP address to a management interface.
If you are not using a dedicated management interface, the default gateway of the transparent firewall is typically the downstream router toward the inside interface. The security appliance sends traffic to the default gateway for the networks that it does not know about. If you are using a dedicated management interface, the default gateway is typically the router that resides toward the management interface.
11-09-2019 01:38 PM
Hello Salim
Thank you so much for your reply.
- In my case, if I want to use the BVI20 interface of the firewall as a management interface (ASDM), what must I add to the configuration in order to access it from the outside?
- And if I use the dedicated management interface, I have to assign a subnet different from VLAN 184,481 and 185,581, and also create the gateway on my L3 router; then I add a route to the management interface, for example:
My outside access network is 192.168.1.0/24
Network dedicated to the management interface on ASA is 10.0.186.0/24
At the ASA I add #route management 192.168.1.0 255.255.255.0 10.0.186.0
- Another question: is the transparent mode with BVI that I have chosen correct for my architecture, or can I use another solution to pass traffic (VLAN 185 and VLAN 184) through the ASA?
Thank you again for your help
Regards.
11-11-2019 11:22 AM - edited 11-11-2019 11:34 AM
My outside access network is 192.168.1.0/24
Network dedicated to the management interface on ASA is 10.0.186.0/24
At the ASA I add #route management 192.168.1.0 255.255.255.0 10.0.186.0
It would be like this:
interface Management0/0
 nameif mgmt
 management-only
 security-level 100
 ip address 10.0.186.1 255.255.255.0
 no shut
!
route mgmt 0.0.0.0 0.0.0.0 10.0.186.254
- Another question: is the transparent mode with BVI that I have chosen correct for my architecture, or can I use another solution to pass traffic (VLAN 185 and VLAN 184) through the ASA?
- If you have multi-context licenses you can create a separate context and segregate each BVI into a specific context.
In my case, if I want to use the BVI20 interface of the firewall as a management interface (ASDM), what must I add to the configuration in order to access it from the outside?
The default gateway of the transparent firewall is typically the downstream router towards the inside interface when the management interface is not in use. Therefore the route will be:
!
route inside 0.0.0.0 0.0.0.0 172.16.1.2
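The two replies above (the default-gateway rule for a transparent firewall, and the management-interface config with its static route) both hinge on the same detail: a `route` line must point at a host address on the subnet of the interface it names, which is exactly what the first draft (`route management 192.168.1.0 255.255.255.0 10.0.186.0`, with a network address as next hop) gets wrong. The script below is an added example, not code from this thread or from Cisco. It parses a small ASA-style config fragment (constructed here, modelled on the solution post) and flags routes whose next hop is off-subnet, is the network or broadcast address, or is the ASA's own interface address. The function and constant names (`parse_interfaces`, `check_routes`, `default_gateway`, `ASA_CONFIG`) are mine.

```python
"""Sanity-check static routes in an ASA management/transparent-mode config.

Added example, not code from the thread or from Cisco. Parses a constructed
ASA-style config fragment and checks every `route` line against the
interface it names: the next hop must be a host address inside that
interface's subnet.
"""
import ipaddress
import re

# Constructed config fragment. The first route is the working one from the
# thread; the second reuses the network address (10.0.186.0) as next hop,
# which is not a host the ASA can forward to.
ASA_CONFIG = """\
interface Management0/0
 nameif mgmt
 management-only
 security-level 100
 ip address 10.0.186.1 255.255.255.0
 no shut
!
route mgmt 0.0.0.0 0.0.0.0 10.0.186.254
route mgmt 192.168.1.0 255.255.255.0 10.0.186.0
"""

# route <nameif> <dest> <mask> <next-hop> [metric ...]
ROUTE_RE = re.compile(r"^route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")


def parse_interfaces(config):
    """Map each nameif to its IPv4Interface and its management-only flag."""
    ifaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"network": None, "management_only": False}
        elif line == "!" or not line:
            current = None  # end of the interface block
        elif current is None:
            continue  # global config line, e.g. a route
        elif line.startswith("nameif "):
            ifaces[line.split()[1]] = current
        elif line == "management-only":
            current["management_only"] = True
        elif line.startswith("ip address "):
            _, _, addr, mask = line.split()[:4]  # ignore a trailing "standby ..."
            current["network"] = ipaddress.IPv4Interface(f"{addr}/{mask}")
    return ifaces


def check_routes(config):
    """Return (route_line, problem) pairs for routes that cannot work."""
    ifaces = parse_interfaces(config)
    problems = []
    for raw in config.splitlines():
        line = raw.strip()
        m = ROUTE_RE.match(line)
        if not m:
            continue
        nameif, dest, mask, nexthop = m.groups()
        iface = ifaces.get(nameif)
        if iface is None or iface["network"] is None:
            problems.append((line, f"no interface named {nameif} with an IP address"))
            continue
        try:
            ipaddress.IPv4Network(f"{dest}/{mask}")  # accepts dotted masks, incl. 0.0.0.0
            hop = ipaddress.IPv4Address(nexthop)
        except ValueError as exc:
            problems.append((line, f"malformed route: {exc}"))
            continue
        net = iface["network"].network
        if hop not in net:
            problems.append((line, f"next hop {hop} is not on the {nameif} subnet {net}"))
        elif net.prefixlen < 31 and hop in (net.network_address, net.broadcast_address):
            problems.append((line, f"next hop {hop} is the network/broadcast address of {net}, not a host"))
        elif hop == iface["network"].ip:
            problems.append((line, f"next hop {hop} is the ASA's own {nameif} address"))
    return problems


def default_gateway(config):
    """Return (nameif, next_hop) of the 0.0.0.0/0 route, or None if absent."""
    for raw in config.splitlines():
        m = ROUTE_RE.match(raw.strip())
        if m and m.group(2) == "0.0.0.0" and m.group(3) == "0.0.0.0":
            return m.group(1), m.group(4)
    return None


if __name__ == "__main__":
    print("default route:", default_gateway(ASA_CONFIG))
    for bad_line, problem in check_routes(ASA_CONFIG):
        print(f"{bad_line!r}: {problem}")
```

Run against the fragment, it reports the second route (network address as next hop) and passes the default route via 10.0.186.254. The same check applied to the `route inside ...` line from the reply would demand that an interface with `nameif inside` and an IP address exist in the fragment being checked, so feed it the full running config rather than a snippet.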
11-18-2019 02:37 PM
Hello Salim
Sorry for the late reply, I've been busy.
I'm going to do the test tomorrow and get back to you.
Thank you very much for your support.
Regards.
NEHAR Mohamed.
12-01-2019 10:47 AM
Hello Salim
Sorry for the late reply.
The solution works, thank you for your great support.
Regards.
NEHAR Mohamed.
12-01-2019 01:57 PM - edited 12-01-2019 02:07 PM
hello NEHAR Mohamed,
Would you mind sharing your final firewall configuration, please?