ASA 5500 and the management interface

tvolk · ‎02-07-2007

The ASA 5500 have there own management interface, but I? am not sure how to use it correctly. Lets say we use the outside inside and the management interface from the ASA.

Outside: 2.2.2.2/24

Inside: 10.1.0.1/16

Management:10.2.0.1/16

On the inside interface I have a L3 switch how manage all my VLANs. I have an admin network 10.222.0.0/16 where all admin people sitting, and then we have some management server like cw2000 or HPOV there placed on a server VLAN (10.100.0.0/16). If I point the routing for 10.222.0.0/16 and 10.100.0.0/16 to the management interface, then I? am not able to have normal traffic from this two networks thru the ASA. How can I solve this?

Thanks in advance and regards

Thomas

GRAEME DANIELSON · ‎02-08-2007

the short answer is I think you need to proxy the mgt interface traffic

I think you will find that any IP address that communicates directly with the mgt interface cannot also talk through the ASA e.g. your ASDM client or HPOV server, the traffic needs to be proxied. This is all because the ASA is running a single routing table - which INCLUDES the mgt interface traffic. The OOB management traffic is sharing the routing table.

I find this a very inconvenient "feature" of the ASA (unless I've misinterpreted it). Because of this, in smaller environments to my mind it seems easier to forget the dedicated mgt int and manage it directly through the inside interface.

It would be nice if the "management-only" interface traffic is exempt or excluded from the main routing table - maybe a little vrf-like technology inside would work here? Also, I don't know if contexts can assist here e.g. admin-context. I haven't really delved into context world... yet. (Do contexts have their own routing/fwding tables yet?)

If you don't have (or don't want?) a proxy, I guess an alternative would be to install additional LAN interfaces directly on the ASA mgt (V)LAN in all the devices you wish to communicate with the ASA mgt interface.

If anyone has anything to add, I'd love to be wrong about all this.

dahis · ‎03-26-2007

Hello, We setup a new ASA 5510. The small remote office VPN's in ok to resources on the inside. But the remote user is not able to ping through the outside (VPN'ed) interface to me on the management interface. I'm working with Cisco. We have covered ACL group-object, static routes, and management-access but this is a problem. Any idea?

Thanks, David

cpembleton · ‎03-26-2007

What model of the ASA are you using? I ask because the 5510 does not allow traffic to route through the ASA on the mangement port. It only can be used for mangement. This changes with the 5520 and up.

Thanks,

Chad

Please rate if this helps!

dahis · ‎03-27-2007

Ours is the ASA5510 ver.7,2,2. While the ASA's management interface is designed for management traffic only, accepting only incoming traffic; Cisco had me remove the 'management-only' command from the interface, disabling management-only mode so the interface should pass traffic just like any other interface.(I confirmed this on-line, viewing Cisco's Command Lookup Tool_management-only). This isn't a big problem. The remote user's (DSL/Cisco501/VPN)work good but occationally I want them to ping me on our management vlan to initiate a conversation (their's is a dynamic I.P.). Also, we have a SNMP monitoring program this may affect. Hey, thanks for the reply Chad.

David

Network Engineer