ASA 5520 Mngt0/0 Config

lsouthwood (Level 1)

We are getting ready to deploy 2 ASA 5520s to replace our PIXs. We were hoping to use the management interface on the ASAs. Currently we manage the PIXs via the inside interface. We have run into a problem that we cannot figure out. We have a lot of static routes that route the same IPs we will be using for management back through the inside interface. Is there some way we can configure the ASAs so that the traffic that hits the Management0/0 interface goes back out that interface instead of following the static routes back out the inside interface?

Thanks

18 Replies

abinjola (Cisco Employee)

Yes, you can. On ASA version 7.2.2 and above there is a U-turning feature that allows you to configure U-turning for clear-text traffic; you can route the traffic back out the same interface that it hits.

What is your precise requirement?

We are wanting to do SSH and ASDM management to the management port using TACACS authentication. Both the management PCs and the TACACS servers are on the internal network, and static routes send their traffic through the 'inside' interface.

Forgot to say that we are on 8.0.2. Also, where can I get information on setting up U-turning? I don't see much of anything in the config guide.

Thanks

You mean the request would come all the way from

inside LAN --> inside interface --> management interface --> return back?

By U-turning I meant that the source and destination need to be behind the management interface:

Request packet --------------->
Return packet  <--------------- Management

The request will come from the inside LAN, but will go directly to the management interface. Both the inside and management interfaces face the inside network.

inside lan-->Management Interface-->return back

Inside LAN facing the management interface? Is there a loop between the inside interface and management? Not sure what your topology is, but as I said, U-turning would work without any issue:

static (management,management) destination-ip destination-ip
nat (management) 1 0 0
global (management) 1 interface
same-security-traffic permit intra-interface

We are trying to prevent a loop. We have a route as such:

route inside 1.1.0.0 255.255.0.0 10.2.1.3 1

So, if my IP is 1.1.1.1, then the traffic will hit the management interface and route back out the inside interface, right? What we want to happen is for the 1.1.0.0 IPs to hit the management interface and come back out that same interface.

OK, I tried putting the following commands into the config on our ASA:

static (management,management) 1.1.0.0 1.1.0.0 netmask 255.255.0.0
nat (management) 1 0 0
global (management) 1 interface
same-security-traffic permit intra-interface

Then I changed the route statement from "route inside 1.1.0.0 255.255.0.0 10.2.1.3 1" to "route management 1.1.0.0 255.255.0.0 192.2.1.3 1". After changing the route I could no longer access the management port or ping it. Right now we only have the management port connected to the network.

Did I do something wrong or am I missing something?

Post your config here, and please let me know your source and destination IP.

The source IP (my PC) is 2.2.142.82 and the destination is the management interface which is 3.3.50.14. Here is the config when it works:

interface Management0/0
 nameif management
 security-level 100
 ip address 3.3.50.14 255.255.255.0 standby 3.3.50.15
 management-only
!
interface GigabitEthernet1/0
 nameif inside
 security-level 100
 ip address 1.1.58.9 255.255.255.0 standby 1.1.58.10

nat (inside) 0 0.0.0.0 0.0.0.0
static (inside,intf2) 2.2.0.0 2.2.0.0 netmask 255.255.0.0
static (inside,intf3) 2.2.0.0 2.2.0.0 netmask 255.255.0.0
static (inside,intf4) 2.2.0.0 2.2.0.0 netmask 255.255.0.0
static (inside,outside) 2.2.0.0 2.2.0.0 netmask 255.255.0.0
route outside 0.0.0.0 0.0.0.0 3.3.97.3 1
route management 2.2.0.0 255.255.0.0 3.3.50.3 1

Then I added the following lines:

static (management,management) 2.2.0.0 2.2.0.0 netmask 255.255.0.0
nat (management) 1 0 0
global (management) 1 interface
same-security-traffic permit intra-interface

And changed the route for the 2.2.0.0 subnet back to what it is on the production PIX:

route inside 2.2.0.0 255.255.0.0 1.1.58.3 1

Let me know if there is more of the config that would be helpful. I tried to only include what I thought would be most helpful.

Well, the source is 2.2.142.82, and as per the route "route inside 2.2.0.0 255.255.0.0 1.1.58.3 1", this source should be on inside. This will not work if the source is on inside and wants to manage the management interface.

U-turning is hitting an interface from a source behind it and then U-turning back out the same interface:

source1
   |
Router---switch--->(Inside)ASA
   |
   |
destination

Now in the above scenario, source1 has its default gateway as the ASA inside interface and needs to access a destination which is also behind the ASA in another subnet; that is where U-turning comes into the picture.

What's your scenario? Where is your source coming from? Behind which interface?

Mark the source, destination and your configuration here (you may replace the last octet with x for security).

The source (2.2.142.82) is behind both the inside and management interfaces. Both interfaces face the internal network. All traffic on the internal network goes through the inside interface. The question is whether or not PCs on the internal network can also use the management interface. Maybe a drawing would help. I have attached a jpg.

Well, add a static persistent route on your PC for 2.2.0.0, pointing it to the management interface.

Isn't that going to prevent the traffic that needs to go through the inside interface from getting to its destination? Besides, once I change the route statement from:

route management 2.2.0.0 255.255.0.0 3.3.50.3 1

to:

route inside 2.2.0.0 255.255.0.0 1.1.58.3 1

I can't even ping the management interface anymore. I assume that's because the replies are trying to go out the inside interface, which is NOT cabled up right now.

Currently we use the inside interface for management on our PIX. It sounds more and more like that is what we are going to have to do on the ASA as well.
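An added example, not from the thread or from Cisco: a small Python model of the route lookup the ASA does when choosing the egress interface for its reply, run over the two route tables quoted above. It assumes a plain longest-prefix-match lookup (lowest metric on ties) with no per-interface routing, and shows that once the 2.2.0.0/16 route is moved to inside, the reply to 2.2.142.82 is sent out the uncabled inside interface instead of management.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Route:
    iface: str                      # nameif the route points out of
    prefix: ipaddress.IPv4Network
    next_hop: str
    metric: int = 1

def parse_route(line: str) -> Route:
    """Parse an ASA 'route <iface> <net> <mask> <gateway> [metric]' line."""
    parts = line.split()
    if len(parts) < 5 or parts[0] != "route":
        raise ValueError(f"not an ASA route line: {line!r}")
    net = ipaddress.IPv4Network(f"{parts[2]}/{parts[3]}", strict=False)
    metric = int(parts[5]) if len(parts) > 5 else 1
    return Route(parts[1], net, parts[4], metric)

def egress_interface(dst: str, routes: List[Route]) -> Optional[str]:
    """Assumed ASA behaviour: longest prefix wins, lowest metric on ties."""
    addr = ipaddress.IPv4Address(dst)
    best: Optional[Route] = None
    for r in routes:
        if addr in r.prefix:
            key = (r.prefix.prefixlen, -r.metric)
            if best is None or key > (best.prefix.prefixlen, -best.metric):
                best = r
    return best.iface if best else None

def reply_is_symmetric(src: str, ingress: str, routes: List[Route]) -> bool:
    """True when the reply to src leaves via the interface the request arrived on."""
    return egress_interface(src, routes) == ingress

WORKING = [parse_route(l) for l in (   # routes from the poster's working config
    "route outside 0.0.0.0 0.0.0.0 3.3.97.3 1",
    "route management 2.2.0.0 255.255.0.0 3.3.50.3 1",
)]
BROKEN = [parse_route(l) for l in (    # after moving 2.2.0.0/16 back to inside
    "route outside 0.0.0.0 0.0.0.0 3.3.97.3 1",
    "route inside 2.2.0.0 255.255.0.0 1.1.58.3 1",
)]

if __name__ == "__main__":
    pc = "2.2.142.82"   # the poster's management PC, arriving on "management"
    for name, table in (("working", WORKING), ("broken", BROKEN)):
        print(f"{name}: reply to {pc} exits {egress_interface(pc, table)}, "
              f"symmetric={reply_is_symmetric(pc, 'management', table)}")
```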
