ASA 5516x Management routing

Phil Bradley · ‎11-14-2016

I have a question regarding setting up a management interface on an ASA 5516-x firewall. If I dedicate an interface to a management network and then create a static route rule on this management interface, then will the destination address go back out this interface if it comes in the management interface? So basically I will have an IT subnet that can access the management network but will also be part of the inside network, so I am not sure if the traffic destined to the IT subnet from the outside would go out the managment network instead of the inside interface since it will have a lower cost during normal browsing? Or do you dedicate a machine to the management network?

Marvin Rhoads · ‎11-14-2016

Historically an ASA only had a single routing table. That made use of the management interface for remote connections (e.g. off the connected management subnet) problematic.

Since ASA software 9.5(1) there is the option of using a separate management only routing table. The release notes cover this:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/release/notes/asarn95.html

Traffic THROUGH the ASA (e.g. from the outside) will not transit the management interface.

Phil Bradley · ‎11-14-2016

Thanks for the link. So I assume this means that if I mark an interface as management only, then the asa will use the management only routing table for lookups?

Does the firepower management interface need to be in the inside networks subnet now?