02-20-2008 10:25 AM - edited 03-11-2019 05:05 AM
We are getting ready to deploy 2 ASA 5520's to replace our PIX's. We were hoping to use the management interface on the ASA's. Currently we manage the PIX's via the inside interface. We have run into a problem that we cannot figure out. We have a lot of static routes that route the same IP's we will be using for management back through the inside interface. Is there some way we can configure the ASA's so that the traffic that hits the management0/0 interface goes back out that interface instead of following the static routes back out the inside interface?
Thanks
02-22-2008 03:02 PM
Well, if you ping the management interface, you will get a reply back from it; there is no routing involved here. Do you see ICMP packets reaching the management interface? (debug icmp trace)
02-25-2008 06:15 AM
On our production PIX we have the following route statement:
route inside 2.2.0.0 255.255.0.0 1.1.58.3 1
On the ASA, we only have the management interface connected to the network. I have to change the routing statement above to the one below to even be able to ping the management interface:
route management 2.2.0.0 255.255.0.0 3.3.50.3 1
NOTE: The two interfaces use different gateways on our 6509 switch.
06-19-2008 08:47 PM
Isouthwood,
I have exactly the same issue. See my attached jpg.
If host1 manages the ASA through the management interface, the return traffic comes back from the ASA through the inside interface because the ASA appears to use the same routing table for the management interface as for all the firewall interfaces (i.e. the management interface does not appear to be a true out-of-band interface even with the management-only command). I was hoping to find some command that allows a default gateway to be set for the management interface only.
The end goal is for host1 to act as both a management station of the ASA (via Man0/0) and as a host that would access host2 through the firewall's normal interfaces. With only one routing table being used, this seems impossible (unless host1 is directly connected to the subnet of the management interface).
06-24-2008 06:49 PM
Hi,
I am afraid you can't achieve what you are trying to because the ASA does not support VRF or policy-based routing type features. The only workaround I can see is adding a second NIC to the management host and placing it on the management segment for management purposes only. You will configure that second NIC without a default gateway so that all other traffic goes out the first NIC towards the inside interface of the firewall.
The other alternative, of course, is using the inside interface for management purposes as well as packet forwarding, the same as you are doing with your current PIX.
I hope it helps :-)
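The behaviour the thread describes (one routing table shared by management0/0 and the traffic interfaces, so the reply's egress interface is chosen purely by longest-prefix match on the destination, never by where the request came in) can be reproduced with a small model. The following Python is an added example written for this page, not code from the thread or from Cisco; the routing table is constructed from the `route` statements quoted above, and the management subnet `3.3.50.0/24`, the inside subnet `1.1.58.0/24` and the host addresses are assumptions chosen to match those statements.

```python
import ipaddress

# Constructed single routing table modelled on the thread. The ASA keeps one
# table for every interface, including management0/0. Subnets and host
# addresses are assumptions consistent with the quoted "route" lines.
ROUTES = [
    # (destination network, egress interface, next hop or None if connected)
    ("1.1.58.0/24", "inside", None),        # assumed inside interface subnet
    ("3.3.50.0/24", "management", None),    # assumed management0/0 subnet
    ("2.2.0.0/16", "inside", "1.1.58.3"),   # route inside 2.2.0.0 255.255.0.0 1.1.58.3 1
]


def lookup(routes, dst):
    """Longest-prefix match over the single table.

    Returns (egress interface, next hop) or None. Note what is NOT an input:
    the ingress interface. That is the whole reason the return traffic in the
    thread leaves via 'inside' even though the request arrived on management.
    """
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for net, iface, next_hop in routes:
        network = ipaddress.ip_network(net)
        if dst_ip in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface, next_hop)
    return None if best is None else (best[1], best[2])


def reply_path(routes, ingress, src):
    """Egress interface the ASA would use to answer a packet from `src` that
    arrived on `ingress`, plus whether the path is symmetric."""
    hit = lookup(routes, src)
    egress = hit[0] if hit else None
    return egress, egress == ingress


def with_management_route(routes):
    """The change the original poster made: point 2.2.0.0/16 out management
    instead of inside ("route management 2.2.0.0 255.255.0.0 3.3.50.3 1").
    3.3.50.3 is assumed to be the management-side gateway on the 6509."""
    return [r for r in routes if r[0] != "2.2.0.0/16"] + [("2.2.0.0/16", "management", "3.3.50.3")]


if __name__ == "__main__":
    host1 = "2.2.10.5"            # assumed host1 address behind the inside route
    host1_mgmt_nic = "3.3.50.20"  # assumed second NIC on the management segment
    print("host1 -> mgmt0/0, reply via:", reply_path(ROUTES, "management", host1))
    print("host1 2nd NIC -> mgmt0/0, reply via:", reply_path(ROUTES, "management", host1_mgmt_nic))
    print("after OP's route change, reply via:", reply_path(with_management_route(ROUTES), "management", host1))
```

Running the model shows the three situations in the thread: with the original table, a management request from host1 is answered out `inside` (asymmetric, so the ping fails); with a second NIC directly on the management segment the connected route wins and the reply is symmetric, which is the suggested workaround; and swapping the 2.2.0.0/16 route to `management` also makes the reply symmetric, but then every packet for 2.2.0.0/16, including traffic destined for host2's side, is forced out management0/0, which is why that change is not a usable fix for a firewall that also has to forward traffic.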