Allow management interface to connect to evil internet?

lonelyadmin
Level 1

I have a management network for almost all of my gear which sits in the same network as the management interface on my ASA 5516-X. It's basically a simple L3 VLAN that all the management interfaces on servers, network gear, etc. connect to. On everything else, the management interface is on the mgmtVrf (or its equivalent on non-Cisco gear). Some of the devices on that network need to get out to the outside interface for NTP, updates, etc. I cannot remove the management-only config on that interface. I do use that interface for ASDM and FP access.

 

How can I go about allowing certain traffic out to the internet or DMZ from the Management interface/network on the ASA? I was thinking about creating a transit network that my management network could use and then just using an inside interface on the ASA... but that just seems wrong to me.

3 Replies

balaji.bandi
Hall of Fame

It is possible, but what is that certain traffic? Management is only for OOB as a best practice.

 

BB


Some of the devices on the management network phone home to a vendor website for updates (which I can lock down via IP, port, protocol, etc.). They have no other interfaces available...I'd prefer to keep them as OOB as possible. If I can't allow some of the management/OOB devices out, I might look at just creating another management network that I'll isolate virtually as much as possible and allow it access out as needed.

mkazam001
Level 3

The ASA mgmt interface does not pass normal data traffic unless you use the interface sub-command "no management-only".

Hope that helps.

azam
