ASA 5512X Seperate Management Network

mohamadb72
Level 1

Hello,

I have the following problem: I am using a management-only interface on an ASA 5512X. This management interface is directly connected to a management network. I have configured the ASA to allow VPN on the inside and assign addresses from a pool in the management network, and the ASA is successfully managed through the management interface after that, but there are also a couple of switches and routers connected to the same management network as the ASA that should be managed when I am connected to the VPN tunnel.

Because the directly connected interface is a management-only one, I could not do that. (The ASA is logging the following message: "Through-the-device packet to/from management-only network is denied")

Please, does anyone know how to solve this issue? I want to use the Management IF for management.

Have a nice day!

3 Replies

Jonathan Woods
Level 1

The management interface is strictly for managing the device. The management interface will not pass traffic destined for anywhere other than itself. There is no "fix" for this. That would be a major vulnerability if traffic were allowed to pass to a management interface and then to the network... it would bypass the ACLs on the inside/outside interfaces.

What you'll need is a link to a switch on the inside that has layer-3 switching capability to switch to the correct vlan/network to access your management network on the inside.

Hope that helps.

Thank you very much for your support, I will try out this solution.

Marvin Rhoads
Hall of Fame

Don't use a VPN address pool from the management network. Use one from the inside network or a made-up one. Put a route on your inside network for the management network broken down to a more specific subnet than the one in use so incoming traffic will prefer that over the directly connected one.

If we assume mgmt is 192.168.1.0/24, then put route statements similar to:

route inside 192.168.1.0 255.255.255.128 <inside-gateway-ip>
route inside 192.168.1.128 255.255.255.128 <inside-gateway-ip>
route inside 192.168.1.128 255.255.255.255 <inside-gateway-ip>

That way all VPN clients with traffic destined for the management network leave the ASA and go via the inside gateway router to come back around into the management network.
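As an added illustration of the longest-prefix-match reasoning in this reply (example code written for this page, not from the thread or from Cisco), here is a small Python model of the ASA's route lookup: with only the connected /24 on the management-only interface, a VPN client packet for a switch in 192.168.1.0/24 is steered toward that interface and denied, while the two /25 static routes via the inside gateway are more specific, so they win and the packet leaves via inside. The inside subnet 10.0.0.0/24 and its gateway 10.0.0.1 are assumed values.

```python
from ipaddress import ip_address, ip_network

# A route is (prefix, egress interface, next hop); next hop None = directly connected.
# Management 192.168.1.0/24 is the thread's assumption; the inside subnet 10.0.0.0/24
# and its gateway 10.0.0.1 are constructed placeholders for this example.
CONNECTED = [
    (ip_network("192.168.1.0/24"), "management", None),
    (ip_network("10.0.0.0/24"), "inside", None),
]
# The two /25 static routes from the reply, pointing at the inside gateway router.
MORE_SPECIFIC = [
    (ip_network("192.168.1.0/25"), "inside", ip_address("10.0.0.1")),
    (ip_network("192.168.1.128/25"), "inside", ip_address("10.0.0.1")),
]
# Interfaces configured management-only: the ASA drops through-the-device traffic here.
MANAGEMENT_ONLY = {"management"}


def lookup(table, dst):
    """Longest-prefix match over the table; returns the winning route or None."""
    dst = ip_address(dst)
    best = None
    for route in table:
        if dst in route[0] and (best is None or route[0].prefixlen > best[0].prefixlen):
            best = route
    return best


def forwarding_decision(table, dst):
    """Egress interface for a through-the-device packet to dst, or 'denied' when the
    lookup lands on a management-only interface (the log message the asker saw)."""
    route = lookup(table, dst)
    if route is None:
        return "no-route"
    return "denied" if route[1] in MANAGEMENT_ONLY else route[1]


if __name__ == "__main__":
    tables = ((CONNECTED, "connected only"), (CONNECTED + MORE_SPECIFIC, "with /25 routes"))
    for table, label in tables:
        for dst in ("192.168.1.10", "192.168.1.200"):
            print(f"{label:16} {dst:14} -> {forwarding_decision(table, dst)}")
```

The model also shows why the pool must not come from the management network: the hosts there would treat a pool address as local and reply directly instead of through the inside gateway.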
