ASA Management 0/0 IP Address

johnlloyd_13
Level 9

hi all,

Just a quick question: what's the best practice for assigning an IP address to the ASA's management interface? Or is there a benefit to using one?

We have a /28 of public IPs and I was thinking I could use one of them so that we could reach the ASA over HTTPS from the Internet (or is this safe?). Or maybe not waste a public IP, since we have a dedicated OBM box to dial in to?

Or do I assign a private IP address on the same subnet as the 'inside' interface IP address?

4 Replies

Marvin Rhoads
Hall of Fame

Unless you have a true out-of-band management network or a service module (IPS, CX or SFR) managed via the management interface, it's usually problematic to use the management interface, since the ASA does not have the concept of a separate management VRF. Thus even if you have a dedicated address to assign it, return traffic "wants" to flow out one of the production interfaces per the global routing table.

Service modules have their own default gateway etc. and generally require one to use the management interface.

The majority of installations I see just use one of the production interfaces (usually inside) for management, sometimes restricted to certain subnets.

Hi Marvin,

Was also thinking the same, to just use the 'inside' interface to manage the ASA.

Do you personally configure an IP on your ASA's management interface? Is it a private or public IP?

Do you get any benefit from it?

I very rarely allow an ASA to be managed from its public IP, no matter what physical interface.

When I do, I restrict it to a single IP address (or very small set of them) that usually corresponds to the primary network administrator's home Internet address.

If there's not a service module involved, in my experience (consisting of on the order of >500 ASAs configured in multiple customers as well as my own corporate networks) 90% or more of the time we don't use the physical management interface.
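The two practices Marvin describes above, managing the ASA from a production interface restricted to certain subnets, and allowing management from a public address only for a single admin IP, both come down to the `http <addr> <mask> <nameif>` and `ssh <addr> <mask> <nameif>` lines in the ASA configuration. The following script is an added example, not part of this thread and not Cisco's code: it parses those lines out of a constructed sample config and flags any entry on an Internet-facing interface whose source is wider than a /30. The interface name "outside", the sample addresses and the /30 threshold are assumptions made for the illustration.

```python
"""Audit the management-plane access lines of a Cisco ASA configuration.

On an ASA, `http <addr> <mask> <nameif>` controls who may reach ASDM/HTTPS
and `ssh <addr> <mask> <nameif>` controls SSH, per interface. This script
extracts those lines and reports entries on a public-facing interface that
admit more than a handful of source addresses.
"""
import ipaddress
import re
from typing import List, NamedTuple

# Assumptions: the Internet-facing interface is named "outside", and any
# source wider than a /30 on that interface counts as too broad.
PUBLIC_IFACES = {"outside"}
MIN_PUBLIC_PREFIXLEN = 30

# Constructed sample config (not from a real device). It mixes one over-broad
# HTTPS entry on outside, one single-host SSH entry on outside (the pattern
# described in the thread), and subnet-restricted management on inside.
SAMPLE_CONFIG = """\
hostname asa-edge-1
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.2 255.255.255.240
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
http server enable
http 0.0.0.0 0.0.0.0 outside
http 10.10.0.0 255.255.255.0 inside
ssh 203.0.113.77 255.255.255.255 outside
ssh 10.10.0.0 255.255.255.0 inside
management-access inside
"""


class MgmtEntry(NamedTuple):
    service: str                     # "http" (ASDM/HTTPS) or "ssh"
    network: ipaddress.IPv4Network   # permitted source addresses
    nameif: str                      # interface the rule applies to


# Matches "http|ssh <ipv4> <dotted-mask> <nameif>"; lines such as
# "http server enable" do not match because "server" is not an address.
MGMT_LINE = re.compile(
    r"^(?P<svc>http|ssh)\s+(?P<addr>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<mask>\d+\.\d+\.\d+\.\d+)\s+(?P<nameif>\S+)\s*$"
)


def parse_mgmt_entries(config: str) -> List[MgmtEntry]:
    """Return every http/ssh source-restriction line as a MgmtEntry."""
    entries = []
    for raw in config.splitlines():
        m = MGMT_LINE.match(raw.strip())
        if not m:
            continue
        # ipaddress accepts a dotted-decimal netmask after the slash.
        net = ipaddress.IPv4Network(f"{m['addr']}/{m['mask']}", strict=False)
        entries.append(MgmtEntry(m["svc"], net, m["nameif"]))
    return entries


def find_overbroad(entries: List[MgmtEntry]) -> List[MgmtEntry]:
    """Entries on a public interface that permit more than a /30 of sources."""
    return [
        e for e in entries
        if e.nameif in PUBLIC_IFACES and e.network.prefixlen < MIN_PUBLIC_PREFIXLEN
    ]


def audit(config: str) -> List[str]:
    """One human-readable finding per over-broad public management entry."""
    findings = []
    for e in find_overbroad(parse_mgmt_entries(config)):
        findings.append(
            f"{e.service} on {e.nameif} allows {e.network} "
            f"({e.network.num_addresses} addresses); restrict to the admin's "
            f"single address (/32) or remove it"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

Run against a real `show running-config` the script would report only the `http 0.0.0.0 0.0.0.0 outside` style lines; the `ssh 203.0.113.77 255.255.255.255 outside` entry passes because it is a single host, and the inside-interface entries are ignored because the inside network is not Internet-reachable.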

Hi Marvin,

Thanks! Will consider that on my new ASA builds this year. I don't want to waste any private or public IP and even extra switch port just for management.

Any problem or security vulnerability you've encountered before that led you not to use management interface on an ASA?
