11-14-2016 02:12 PM - edited 03-12-2019 01:32 AM
I have a question regarding setting up a management interface on an ASA 5516-X firewall. If I dedicate an interface to a management network and then create a static route on this management interface, will traffic to the destination address go back out this interface if it comes in the management interface? So basically I will have an IT subnet that can access the management network but will also be part of the inside network, so I am not sure whether the traffic destined to the IT subnet from the outside would go out the management network instead of the inside interface, since it will have a lower cost during normal browsing. Or do you dedicate a machine to the management network?
11-14-2016 07:24 PM
Historically an ASA only had a single routing table. That made use of the management interface for remote connections (e.g. off the connected management subnet) problematic.
Since ASA software 9.5(1) there is the option of using a separate management-only routing table. The release notes cover this:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/release/notes/asarn95.html
Traffic THROUGH the ASA (e.g. from the outside) will not transit the management interface.
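A constructed configuration illustrating the two routing tables described in the reply above (added example, not from the original thread or the Cisco release notes; all addresses, interface names and the remote admin subnet are assumptions, and the `show route` verification commands are given as assumed names to check on your own box):

```cisco
! Assumes ASA 9.5(1) or later. Hypothetical addressing:
!   inside      10.10.0.0/16, IT subnet 10.10.50.0/24 behind router 10.10.1.254
!   management  192.168.100.0/24, router 192.168.100.1
!   remote admin subnet 172.16.99.0/24, reachable only via the management router
interface GigabitEthernet1/1
 nameif inside
 security-level 100
 ip address 10.10.1.1 255.255.255.0
!
interface Management1/1
 management-only
 nameif management
 security-level 100
 ip address 192.168.100.2 255.255.255.0
!
! Data routing table: through-traffic (e.g. outside -> IT subnet) is
! resolved here, so it egresses inside, never the management interface.
route inside 10.10.50.0 255.255.255.0 10.10.1.254 1
!
! Management-only routing table: because the egress interface is marked
! management-only, this static route lands in the separate management table
! and is used only for to-the-box / from-the-box management traffic.
route management 172.16.99.0 255.255.255.0 192.168.100.1 1
!
! Permit SSH to the box from the connected and the remote admin subnets.
ssh 192.168.100.0 255.255.255.0 management
ssh 172.16.99.0 255.255.255.0 management
!
! Verification (assumed command names):
!   show route                  -> data table, 10.10.50.0/24 via inside
!   show route management-only  -> management table, 172.16.99.0/24 via management
```

The point to confirm on your own unit is that a route whose egress is the management-only interface shows up under the management table and not in the data table, so an outside-to-IT flow is never drawn toward the management network regardless of metric. Pre-9.5 software has one table, and the same two `route` lines would compete in it.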
11-14-2016 10:33 PM
Thanks for the link. So I assume this means that if I mark an interface as management-only, then the ASA will use the management-only routing table for lookups?
Does the Firepower management interface need to be in the inside network's subnet now?