cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
13777
Views
0
Helpful
9
Replies

ASA Firewall MGMT interface Management Advice Needed

QUARK TARO
Level 1
Level 1

I have SETUP ASA 5525-X firewalls in a HA pair. It's inside interface (Gi0/0) is terminated on L3 switch (vlan30), firewall will use L3 switch to reach all the inside segments.

On the inside network we have vlan's for DATA (vlan10), MGMT(vlan20) and INSIDE(vlan30).

The firewall MGMT interface (Gi0/7 which is used for management only) is also terminated in  the MGMT vlan on L2 switch.

Now I have my server in the DATA vlan which is unable to ping the MGMT interface of the firewalls.

This is not an ACL issue, my guess is that, the ping request from server to MGMT interface will reach the MGMT interface but the reply will return thru inside interface of the firewall. How can I resolve this issue?

Please refer the attached network diagram for more info.

3 Accepted Solutions

Accepted Solutions

The ASA needs to have v9.5(1) to have a separate routing-tables for the Management-only interface:

http://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html#pgfId-168355

View solution in original post

Hi,

Both of your servers would be able to communicate with your DMZ servers.

Case 1 : Return traffic would not be routed through Inside Interface as the Mgmt interface is configured with 192.168.1.x subnet. ASA now would compare the Connection created and the route on ASA. As interface inside of connection doesn't match with route management, ASA would drop the connection. So they would not be able to communicate.

However you realy wish to make it work(it is a asymetric routing scenario) then you could try implementing TCP statebypass(usually not recommanded).

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html

Case 2: Your L3 switch would perform Intervlan routing for your management subnet and 172.16.x.x subnet. I believe this 172 subnet is not configured on ASA interfaces. You need to have a route on ASA for subnet 172.16.x.x subnet through management interface for return traffic as gateway pointing towards L3 switch 192.168.1.3 IP(then again check that the route is not present through inside interface also or else again it would create asymetric routing).

You do not need to explicitly configure a route for directly connected subnet. ASA itself identifies that as connected route.

Hope it helps.

Regards,

Akshay Rastogi

View solution in original post

In that case you need to restrict the subnet which could have the management interface access.  Also you need to restrict the subnet to enter or connect to asa through only one interface(or else it would create asymetric routing). In your case you are connecting to two different interfaces(management and inside) from the same subnet so ASA gets confused everytime ASA has to send a reply packets.

Therefore, Connect management interface through subnet which is not allowed to go out through Inside interface. Example configure 192.168.1.x to connect to management interface and configure another subnet 192.168.3.x for your server communication to dmz server. Also ASA 172.16 subnet route is configured on ASA for Inside, then do not allow it to access management.

There is one more way i could think of. configure NAT on Switch for 192.168.1.x natted to Inside vlan ip when it try to get out through inside interface so that ASA would think that it received a packet with source ip of inside subnet and  sends the reply packet to switch through inside interface and switch would untranslate it back to 192.168.1.x ip. With this you would also be able to connect to Management through the same subnet(in this, switch would not perform translation when going to management interface). I have never tried this, but i guess it should work.

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate the helpful posts.

View solution in original post

9 Replies 9

The ASA needs to have v9.5(1) to have a separate routing-tables for the Management-only interface:

http://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html#pgfId-168355

Thank you and apologies for multiple posts on the same subject. There is something wrong with the forum site, I could not see the posts after posting, they appear after several hours.

Just to clarify more,

Please refer the attached updated network diagram in the post, as you can see there are two servers pointing to L3 switch as gateway.

I have defined the mgmt interfact gi0/7 as management only and also static route on the firewall for local segment.

With this setup can both of my servers be able to communicate with the DMZ server?

Case 1:
Server 192.168.1.10 trying to connect to DMZ server 100.100.100.10
Traffic enters Firewall thru inside interface of ASA and then to DMZ server.
Now how does the reply from DMZ server to 192.168.1.10 flow? Can it be routed thru inside interface of ASA?

Case 2:
Server 172.16.0.10 trying to connect to ASA mgmt interface 192.168.1.1
Traffic enters L3 gateway 172.16.0.3 --> Then to 192.168.1.1 via 192.168.1.3
Now how does the reply from ASA to server flow?
Can I define a route to directly connected segment on ASA?

Do I need to add static route onthe  firewall for MGMT segment or any exception for antispoof rules on the firewall?

Hi,

Both of your servers would be able to communicate with your DMZ servers.

Case 1 : Return traffic would not be routed through Inside Interface as the Mgmt interface is configured with 192.168.1.x subnet. ASA now would compare the Connection created and the route on ASA. As interface inside of connection doesn't match with route management, ASA would drop the connection. So they would not be able to communicate.

However you realy wish to make it work(it is a asymetric routing scenario) then you could try implementing TCP statebypass(usually not recommanded).

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/conns_tcpstatebypass.html

Case 2: Your L3 switch would perform Intervlan routing for your management subnet and 172.16.x.x subnet. I believe this 172 subnet is not configured on ASA interfaces. You need to have a route on ASA for subnet 172.16.x.x subnet through management interface for return traffic as gateway pointing towards L3 switch 192.168.1.3 IP(then again check that the route is not present through inside interface also or else again it would create asymetric routing).

You do not need to explicitly configure a route for directly connected subnet. ASA itself identifies that as connected route.

Hope it helps.

Regards,

Akshay Rastogi

That means I am having problems with this design. How can I sort this out? My goal is to have a dedicated MGMT interface which is defined as management only and inside interface for all other traffic. MGMT interface should not be used for data traffic. 

Also in case2: my gateway on firewall for 172.16.0.x subnet pointed to inside vlan on L3.

Please advise on the options I have

In that case you need to restrict the subnet which could have the management interface access.  Also you need to restrict the subnet to enter or connect to asa through only one interface(or else it would create asymetric routing). In your case you are connecting to two different interfaces(management and inside) from the same subnet so ASA gets confused everytime ASA has to send a reply packets.

Therefore, Connect management interface through subnet which is not allowed to go out through Inside interface. Example configure 192.168.1.x to connect to management interface and configure another subnet 192.168.3.x for your server communication to dmz server. Also ASA 172.16 subnet route is configured on ASA for Inside, then do not allow it to access management.

There is one more way i could think of. configure NAT on Switch for 192.168.1.x natted to Inside vlan ip when it try to get out through inside interface so that ASA would think that it received a packet with source ip of inside subnet and  sends the reply packet to switch through inside interface and switch would untranslate it back to 192.168.1.x ip. With this you would also be able to connect to Management through the same subnet(in this, switch would not perform translation when going to management interface). I have never tried this, but i guess it should work.

Hope it helps.

Regards,

Akshay Rastogi

Remember to rate the helpful posts.

Thank you for the inputs, to be precise my firewall is 5525-x with firepower ips.

So as a workaround I will keep my firesight 192.168.1.10 in MGMT vlan and will use it only for managing IPS. I will enable firewall Management on inside interface of the firewall.

I will use the server 172.16.0.10 to manage the firewall which is also required to connect all the segments, including DMZ.

Hi,

This is actually what customer usually configures. The one you have mentioned is the most used scenario.

Sure, you could safely implement this.

Regards,

Akshay Rastogi

Just to be clear, I will update Firesight IPS signatures manually, it cannot communicate outside without NAT on L3.

I beleive SFR module (inside ASA) does not need to communicate anywhere else except the Firesight appliance. I am assuming Management segment remains fully isolated.

Hi,

You are right, it would only communicate with FMC and FMC would take care of the communication with Outside network. Therefore manamgement segment would remain isolated.

Regards,

Akshay Rastogi

Review Cisco Networking for a $25 gift card