08-23-2013 10:28 AM - edited 03-11-2019 07:30 PM
Hello,
I have the following problem: I am using a management-only interface on an ASA 5512-X. This management interface is directly connected to a management network. I have configured the ASA to allow VPN on the inside and assign addresses from a pool in the management network, and the ASA is successfully managed through the management interface after that, but there are also a couple of switches and routers connected to the same management network as the ASA that should be managed when I am connected to the VPN tunnel.
Because the directly connected interface is a management-only one, I could not do that. (The ASA is logging the following message: "Through-the-device packet to/from management-only network is denied")
Please, does anyone know how to solve this issue? I want to use the management interface for management.
Have a nice day!
08-29-2013 08:17 AM
The management interface is strictly for managing the device. The management interface will not pass traffic destined for anywhere other than itself. There is no "fix" for this. That would be a major vulnerability if traffic were allowed to pass to a management interface and then to the network... it would bypass the ACLs on the inside/outside interfaces.
What you'll need is a link to a switch on the inside that has layer-3 switching capability to switch to the correct VLAN/network to access your management network on the inside.
Hope that helps.
08-30-2013 04:16 AM
Thank you very much for your support, i will try out this solution.
08-29-2013 10:03 PM
Don't use a VPN address pool from the management network. Use one from the inside network or a made-up one. Put a route on your inside network for the management network, broken down into more specific subnets than the one in use, so incoming traffic will prefer those over the directly connected route.
If we assume mgmt is 192.168.1.0/24, then put route statements similar to:
route inside 192.168.1.0 255.255.255.128
route inside 192.168.1.128 255.255.255.128
route inside 192.168.1.128 255.255.255.255
That way all VPN clients with traffic destined for the management network leave the ASA and go via the inside gateway router to come back around into the management network.
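The following is an added configuration example illustrating the approach in the answer above; it is not the poster's own configuration. It assumes the management network from the answer (192.168.1.0/24) and adds hypothetical addresses for everything else: the ASA management IP 192.168.1.5, an inside interface of 10.0.0.1/24, an inside layer-3 gateway of 10.0.0.254, and a VPN pool of 10.200.0.0/24 that is deliberately not carved out of the management network. Note that ASA `route` statements require a next-hop address, which the route lines in the answer leave out.

```cisco
! Management interface stays management-only: the ASA will not forward
! through-the-device traffic in or out of it, only traffic to/from itself.
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.5 255.255.255.0

interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0

! VPN client pool from a separate (hypothetical) range, not from 192.168.1.0/24.
ip local pool VPN_POOL 10.200.0.1-10.200.0.254 mask 255.255.255.0

! Two /25 routes via the inside gateway are more specific than the
! connected /24 on the management interface, so longest-prefix match sends
! VPN-client traffic for the management network out the inside interface
! instead of trying to cross from outside to the management-only interface.
route inside 192.168.1.0   255.255.255.128 10.0.0.254 1
route inside 192.168.1.128 255.255.255.128 10.0.0.254 1

! Identity NAT (NAT exemption) so the hairpinned VPN-client <-> management
! traffic is not translated on its way out the inside interface.
object network VPN_POOL_NET
 subnet 10.200.0.0 255.255.255.0
object network MGMT_NET
 subnet 192.168.1.0 255.255.255.0
nat (outside,inside) source static VPN_POOL_NET VPN_POOL_NET destination static MGMT_NET MGMT_NET no-proxy-arp route-lookup

! Check which route the ASA will actually use for a management host
! (192.168.1.10 is a hypothetical switch in the management network):
! it should show the /25 via 10.0.0.254, not the connected management interface.
show route 192.168.1.10
```

For the return path to work, the switches and routers in 192.168.1.0/24 must use the inside layer-3 gateway (10.0.0.254 in this example) as their default gateway rather than the ASA's management address, and that gateway needs a route for 10.200.0.0/24 back to the ASA inside interface (10.0.0.1); otherwise replies to VPN clients are sent to the management-only interface and dropped with the same "Through-the-device packet to/from management-only network is denied" message.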