Allow SNMP via Management Interface

johnlloyd_13
Level 9

Hi all,

I've configured a new 5525-X and SSH/TACACS+ is fine.

I can't seem to make SNMP work and can't add the ASA in SolarWinds NPM.

I can ping the SNMP polling server and the PT result was OK.

Can someone please advise? Is SNMP allowed on the ASA MGMT interface?


# sh run | i snmp
snmp-server host management 10.111.0.26 community ***** version 2c

# ping management 10.111.0.26
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.111.0.26, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 210/212/220 ms


# packet-tracer input management udp 10.111.0.26 161 172.27.0.124 161

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   172.27.0.124    255.255.255.255 identity

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: ALLOW
Config:
Implicit Rule
Additional Information:

Phase: 3
Type: NAT
Subtype: per-session
Result: ALLOW
Config:
Additional Information:

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:

Phase: 5
Type: CLUSTER-REDIRECT
Subtype: cluster-redirect
Result: ALLOW
Config:
Additional Information:

Phase: 6
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 190, packet dispatched to next module

Result:
input-interface: management
input-status: up
input-line-status: up
output-interface: NP Identity Ifc
output-status: up
output-line-status: up
Action: allow


access-list MGMT extended permit icmp any any time-exceeded
access-list MGMT extended permit icmp any any unreachable
access-list MGMT extended permit tcp host <SSH NMS> host 172.27.0.124 eq ssh

access-group MGMT in interface management

route management 10.111.0.0 255.255.255.0 172.27.0.121


2 Replies

johnlloyd_13
Level 9

Hi,

In addition to the above, it seems routing our core IP network via the management interface is giving me a hard time. Is it possible to use the management interface for normal routing and SNMP?

I was contemplating using another GE port for our 'inside' network instead of the MGMT port, and the existing GE for our client (like a DMZ).

I got an ACL drop on PT saying 'mgmt-deny-all' even though permit ip any any is already applied on the MGMT interface. I tried the 'out' direction on the access-group command but no joy. Is there a global explicit deny that I may have overlooked?


# packet-tracer input outside icmp 202.26.16.77 8 0 202.8.6.17 det

Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   202.8.6.17   255.255.255.255 management

Phase: 2
Type: ACCESS-LIST
Subtype: log
Result: ALLOW
Config:
access-group OUTSIDE in interface outside
access-list OUTSIDE extended permit icmp any 202.8.6.0 255.255.240.0
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff30d53760, priority=13, domain=permit, deny=false
        hits=18, user_data=0x7fff29133800, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
        dst ip/id=202.78.16.0, mask=255.255.240.0, icmp-code=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 3
Type: NAT     
Subtype: per-session
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff2faccba0, priority=0, domain=nat-per-session, deny=true
        hits=649, user_data=0x0, cs_id=0x0, reverse, use_real_addr, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=any

Phase: 4
Type: IP-OPTIONS
Subtype:
Result: ALLOW
Config:
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff3059cb30, priority=0, domain=inspect-ip-options, deny=true
        hits=315, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any
              
Phase: 5
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:
class-map inspection_default
 match default-inspection-traffic
policy-map global_policy
 class inspection_default
  inspect icmp
service-policy global_policy global
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff30cf3b90, priority=70, domain=inspect-icmp, deny=false
        hits=19, user_data=0x7fff30cf2f90, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 6
Type: INSPECT
Subtype: np-inspect
Result: ALLOW
Config:       
Additional Information:
 Forward Flow based lookup yields rule:
 in  id=0x7fff30cf8900, priority=70, domain=inspect-icmp-error, deny=false
        hits=19, user_data=0x7fff30cf7d00, cs_id=0x0, use_real_addr, flags=0x0, protocol=1
        src ip/id=0.0.0.0, mask=0.0.0.0, icmp-type=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, icmp-code=0, tag=0, dscp=0x0
        input_ifc=outside, output_ifc=any

Phase: 7
Type: ACCESS-LIST
Subtype: mgmt-deny-all
Result: DROP

Config:
Additional Information:
 Forward Flow based lookup yields rule:
 out id=0x7fff3064a0a0, priority=200, domain=mgmt-lockdown, deny=true
        hits=24, user_data=0x0, cs_id=0x0, reverse, flags=0x0, protocol=0
        src ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0
        dst ip/id=0.0.0.0, mask=0.0.0.0, port=0, tag=0, dscp=0x0
        input_ifc=any, output_ifc=management

Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: management
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule


access-list MGMT extended permit icmp any any time-exceeded
access-list MGMT extended permit icmp any any unreachable
access-list MGMT extended permit tcp host <SSH NMS> host 172.27.0.124 eq ssh
access-list MGMT extended permit ip any any log

access-group OUTSIDE in interface outside
access-group inside in interface inside
access-group MGMT in interface management
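Packet-tracer output like the capture above can be triaged automatically instead of read phase by phase. The following is an added example, not the poster's or Cisco's code, that parses the phase list and reports the first DROP phase together with its lookup domain (here mgmt-lockdown) and the summary's Drop-reason; it assumes the line layout shown in the thread and runs on a constructed, abbreviated sample.

```python
import re

# Constructed sample in the shape of the packet-tracer output quoted in the thread
SAMPLE = """\
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
in   202.8.6.17   255.255.255.255 management

Phase: 7
Type: ACCESS-LIST
Subtype: mgmt-deny-all
Result: DROP
 out id=0x7fff3064a0a0, priority=200, domain=mgmt-lockdown, deny=true
        input_ifc=any, output_ifc=management

Result:
input-interface: outside
output-interface: management
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

# One match per "Phase:" block; the lazy body runs to the next phase or the final summary
PHASE_RE = re.compile(
    r"^Phase: (\d+)\nType: ([^\n]*)\nSubtype: ?([^\n]*)\nResult: (\w+)\n"
    r"(.*?)(?=^Phase: |^Result:|\Z)", re.M | re.S)

def parse_packet_tracer(text):
    # Returns (phase dicts in order, final summary dict)
    phases = []
    for m in PHASE_RE.finditer(text):
        dom = re.search(r"domain=([\w-]+)", m.group(5))  # e.g. mgmt-lockdown
        phases.append({"phase": int(m.group(1)), "type": m.group(2).strip(),
                       "subtype": m.group(3).strip(), "result": m.group(4),
                       "domain": dom.group(1) if dom else None})
    summary = {}
    # Phase lines read "Result: ALLOW"; only the final summary has a bare "Result:"
    for line in text.partition("\nResult:\n")[2].splitlines():
        if ": " in line:
            key, val = line.split(": ", 1)
            summary[key.strip()] = val.strip()
    return phases, summary

def first_drop(text):
    # First phase that dropped the packet, joined with the summary's drop reason
    phases, summary = parse_packet_tracer(text)
    for p in phases:
        if p["result"] == "DROP":
            return {**p, "drop_reason": summary.get("Drop-reason"),
                    "output_ifc": summary.get("output-interface")}
    return None
```

Run it over a saved packet-tracer capture; a drop in domain mgmt-lockdown with output_ifc management points at the management-only interface rather than at the MGMT access-list.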

Never mind.

I transferred from the MGMT port to G0/2 and the design/routing worked.

