ASA 5545 Management Interface Connectivity

mattipler
Level 1

Hey guys,

Having an issue with connectivity to the management interface on my ASA. Apologies if this is something very obvious, but this is not a BAU task for me.

My "management" interface is configured as management-only and is accessible (through SSH or ASDM), but only if I'm connected to, and have an IP address assigned within, the management VLAN/subnet into which the interface connects. It is the actual management interface I'm utilising (I believe this is referred to as out of band - could be wrong?).

I have managed to get around this by setting a static "management" route back to the DATA VLAN from which I was unsuccessfully attempting to connect - please see below.

route management 10.10.10.0 255.255.255.0 (DATA VLAN) 10.10.50.254 (management gateway)

So I can now connect, but is this a normal requirement? Do I need to set a route for all subnets that will need access to the management interface? Will this cause any adverse behaviour for the rest of the routing upon my ASA? I have routes to 10.10.10.0 255.255.255.0 (DATA VLAN) applicable elsewhere within summarised routes; it will not interfere with those, will it? I was thinking/hoping it would not, as I understand traffic is not routed out of the management interface with the "management-only" command issued; it will only be received.

Apologies if this is a little confused. I am a little confused! :)

Many thanks to anyone that responds to this.

Matt

Accepted Solution

Marvin Rhoads
Hall of Fame

Until relatively recently the ASA only supported a single routing table. For this reason, many people historically did not use the physical management interface on an ASA.

Unless you were on the same subnet, telling the ASA to use the management interface for return traffic could be challenging, as it often cannot distinguish between return traffic that would need to egress the management interface vs. the inside or some other interface.

In ASA 9.5(1) Cisco introduced a separate management routing table. With that you can configure a separate set of routes used only for management. More details can be found here:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/general/asa-95-general-config/route-overview.html#concept_40C0C8DE2C1247319250B9F7706C54A5

https://supportforums.cisco.com/t5/firewalling/asa-5525-x-management-interface-routing/td-p/2812995

 


Yes - need to upgrade to 9.5!

Thank you.
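As an added illustration of the accepted answer (this configuration is not from any poster in the thread and is not Cisco's sample), here is what Matt's setup looks like on 9.5(1) or later, where a route whose egress interface is management-only lands in the separate management routing table and is never consulted for through traffic. The 10.10.10.0/24 DATA VLAN and the 10.10.50.254 gateway come from the post; the Management0/0 slot, the 10.10.50.10 interface address, the 10.10.0.0/16 summary route and the outside next hop are assumptions. The caveat a practitioner should take from Marvin's point about the single routing table: on pre-9.5 code the same /24 route is the longest match for all traffic to the DATA VLAN, and through traffic that resolves to a management-only egress interface is dropped, so the "fix" would black-hole data traffic to that VLAN. Upgrade first, or manage from the management subnet until you can.

```cisco
! Added example for ASA 9.5(1)+ (not from the thread). Assumptions:
! Management0/0 slot, 10.10.50.10 address, 10.10.0.0/16 summary route,
! 203.0.113.1 outside next hop. 10.10.10.0/24 and 10.10.50.254 are from the post.

! Out-of-band interface: management-only means no through traffic, and any
! route pointing out of it goes into the management routing table.
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.10.50.10 255.255.255.0
!
! Data-plane routes (assumed) - these live in the data routing table.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.10.0.0 255.255.0.0 10.10.1.254 1
!
! Return path for admins on the DATA VLAN. Because the egress interface is
! management-only, this /24 is installed in the management table only and does
! not override the 10.10.0.0/16 summary used for data-plane traffic.
route management 10.10.10.0 255.255.255.0 10.10.50.254 1
!
! Expose SSH/ASDM only on the management interface and only to admin subnets.
ssh 10.10.10.0 255.255.255.0 management
ssh 10.10.50.0 255.255.255.0 management
http server enable
http 10.10.10.0 255.255.255.0 management
!
! Verification (exec mode):
!   show route                  - data table: 10.10.10.0/24 still reached via the /16 summary
!   show route management-only  - management table: 10.10.10.0/24 via 10.10.50.254
!   ping management 10.10.10.5  - ICMP sourced from the management interface
!
! Pre-9.5 (single routing table): the same "route management 10.10.10.0 ..."
! line becomes the longest match for ALL traffic to 10.10.10.0/24, and through
! traffic whose egress resolves to a management-only interface is dropped.
! Do not add it on that code; upgrade, or manage from 10.10.50.0/24.
```

Each additional admin subnet that must reach the management interface needs its own `route management ...` entry (or a summary covering them), plus matching `ssh`/`http` lines; keep those source ranges as narrow as the admin network allows, since they are the only access control in front of the management plane.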
