ASA - Configuring The Management Interface

petenixon
Level 3

Hi all,

I'm having problems configuring the management/inside interface for management access, hoping someone can take a look and spot what it is I'm missing:

Inside & management interface connect to a layer 3 switch in vlan 31 which trunks to the core on 10.31.254.252 vlan 31.

Current config:

gi0/1.31
ip address 10.31.250.10 255.255.0.0
nameif inside-core
vlan 31
security-level 100

m0/0
management-only
no ip address
no nameif
security-level 100

ips module:
10.31.250.12 255.255.0.0 10.31.250.10

remote server:
10.30.181.1 255.255.0.0

access-lists are allowing anything, no nat.

I think the issue relates to the two switchports that the interfaces are connected to. It seems to me that when they are in the same VLAN, the module ignores the default gateway and exits through the management interface; when they aren't in the same VLAN, it just doesn't work.

7 Replies

The IPS-module and the ASA share a physical management-interface but have different management-settings.

If you want to have your IPS-module in the inside-network of the ASA, then the IP in your example is ok, but the default-gateway of the module has to be the IP of the L3-switch in VLAN 31 (10.31.254.252). Your ASA won't be able to route the traffic back without dirty tricks.
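What Karsten describes looks like this on the box. This is an added illustration, not text from Karsten or from Cisco's documentation: the ASA side only brings the physical management port up (no IP, no nameif, as in the thread), and the module itself is addressed from its own CLI with the L3 switch as gateway. Addresses are the ones from the thread; the registration key is a placeholder.

```cisco
! ASA side: Management0/0 carries the module's management traffic only.
! It needs no ASA IP or nameif here, just to be up.
interface Management0/0
 management-only
 no shutdown
!
! Open the module console from the ASA CLI
session sfr console
!
! Module CLI (prompt shown as '>'): address in VLAN 31, gateway is the
! L3 switch 10.31.254.252, NOT the ASA inside address 10.31.250.10
> configure network ipv4 manual 10.31.250.12 255.255.0.0 10.31.254.252
! Register to the remote server; REGKEY-PLACEHOLDER stands in for the real key
> configure manager add 10.30.181.1 REGKEY-PLACEHOLDER
> show network
> show managers
!
! Back on the ASA, confirm the address and gateway the module reports
show module sfr details
```

The check to do afterwards is `show module sfr details` on the ASA and `show managers` on the module: if the gateway shown is the ASA inside IP, return traffic from the module is being handed to a device that has no route back to the server except through the same interface.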

Thanks for the reply Karsten.

The solution I have in my mind would be to add another inside network and NAT the management traffic on to that subnet, which would (I think) solve my problem...

Seems unnecessarily complex to use an additional interface and NAT. Why do you think that the regular way won't work?

It hasn't previously! :)

I have previously had the default gateway set as the Layer 3 device as you suggested, but I wasn't able to connect to the ips module from the remote server.

I've convinced myself that the problem lies with the ASA config, but maybe I should spend more time looking at either the server or other areas of the network and keep the config as above (changing the default gateway of the IPS)?

Did you set the ACL on the IPS-module to allow the remote-server to connect?

Hi Karsten,

Thanks again for coming back to me, it is very much appreciated.

The IPS module is a sourcefire module and doesn't have any ACL config (as far as I can tell).

The full config I am working with at the moment is:

interface GigabitEthernet0/1.31
 vlan 31
 nameif inside
 security-level 100
 ip address 10.31.250.10 255.255.0.0
!
interface Management0/0
 management-only
 no nameif
 no security-level
 no ip address
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
!
object network SFR2
 host 10.31.250.12
object network SFR-SERVER
 host 10.30.181.1
object service SFR-MGMT
 service tcp destination eq 8305
object service SFR-HI-PORTS
 service tcp source eq 8305 destination range 1 65535
!
object-group service SFR-HIGH-PORTS
 service-object object SFR-HI-PORTS
access-list global_access extended permit ip any any
access-list inside-core_access_in extended permit ip object SFR2 object SFR-SERVER
access-list inside-core_access_in extended permit ip object SFR-SERVER object SFR2
access-list inside-core_access_in extended permit udp object SFR2 any eq ntp
access-list inside-core_access_in extended permit udp any object SFR2 eq ntp
access-list inside-core_access_in extended permit object-group SFR-HIGH-PORTS object SFR2 object SFR-SERVER
access-list global_access_1 extended permit ip object SFR2 any
!
access-group inside-core_access_in in interface inside
access-group global_access_1 global
!
http server enable
http 0.0.0.0 0.0.0.0 inside
sysopt connection timewait
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map sfr-global-class
 match any
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class sfr-global-class
  sfr fail-open

With the config above, I can ping the gateway, the remote server and resolve the server FQDN, but can't add the module to the server.

With that in mind, and logically speaking, this must point to a problem with either the server or elsewhere in the network?

I eventually found what was causing the problem. The sourcefire module was dropping traffic as it entered the ASA....
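The thread does not say how this was resolved. In the posted config, `class sfr-global-class` uses `match any`, so every flow through the ASA is redirected to the module before the access-list is consulted. As an added example (not the poster's fix, and assumed rather than confirmed by the thread), one way to keep the module's own management and NTP flows out of the redirect is an ACL-based class: in a redirect ACL, `deny` lines mean "do not match this class", so those flows bypass the module while everything else still goes through it. Object names are the ones from the thread's config.

```cisco
! Redirect ACL: 'deny' = excluded from the class, i.e. NOT sent to the module
access-list SFR-REDIRECT extended deny ip object SFR2 object SFR-SERVER
access-list SFR-REDIRECT extended deny ip object SFR-SERVER object SFR2
access-list SFR-REDIRECT extended deny udp object SFR2 any eq ntp
access-list SFR-REDIRECT extended permit ip any any
!
! New class matching the ACL instead of 'match any'
class-map sfr-redirect-class
 match access-list SFR-REDIRECT
!
! Swap the class in the global policy; keep fail-open so a module failure
! does not take the inside network down
policy-map global_policy
 no class sfr-global-class
 class sfr-redirect-class
  sfr fail-open
!
! Verify: hit counts on the deny lines show management flows being exempted
show access-list SFR-REDIRECT
show service-policy sfr
```

Whether this is the right shape for a given deployment depends on where the management port actually lands; the point it demonstrates is that `match any` on the redirect class hands the module's own registration traffic to the module for inspection.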
