01-05-2015 07:41 AM - edited 03-11-2019 10:17 PM
hi all,
Just a quick question: what's the best practice in assigning an IP address to the ASA's management interface? Or is there a benefit to using one?
We have a public /28 and I was thinking I could use one address from it so that we could HTTPS in over the internet (or is this safe?). Or maybe not waste a public IP, since we have a dedicated OBM box to dial in to?
Or do I assign a private IP address, which would be on the same subnet as the 'inside' interface IP address?
01-05-2015 08:12 AM
Unless you have a true out-of-band management network or a service module (IPS, CX or SFR) managed via the management interface, it's usually problematic to use the management interface, since the ASA does not have the concept of a separate management VRF. Thus even if you have a dedicated address to assign it, return traffic "wants" to flow out one of the production interfaces per the global routing table.
Service modules have their own default gateway etc. and generally require one to use the management interface.
The majority of installations I see just use one of the production interfaces (usually inside) for management, sometimes restricted to certain subnets.
01-05-2015 02:25 PM
hi marvin,
I was also thinking the same, to just use the 'inside' interface to manage the ASA.
do you personally configure an IP on your ASA's management interface? is it a private or public IP?
do you get any benefit from it?
01-05-2015 02:34 PM
I very rarely allow an ASA to be managed from its public IP, no matter what physical interface.
When I do, I restrict it to a single IP address (or very small set of them) that usually corresponds to the primary network administrator's home Internet address.
If there's not a service module involved, in my experience (consisting of on the order of >500 ASAs configured in multiple customers as well as my own corporate networks) 90% or more of the time we don't use the physical management interface.
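A worked example of the restriction described in this answer, added here and not taken from the thread or from Cisco documentation: management over the inside interface only, with the open outside access shown first as the weak setting. Addresses are constructed (RFC 1918 and RFC 5737), and the interface names and local username are assumptions.

```cisco
! --- Weak setting: ASDM/HTTPS and SSH reachable from any address on the public side
http server enable
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
!
! --- Hardened setting, matching the advice above
! Manage via the inside interface, limited to the admin subnet (constructed: 10.10.20.0/24)
http server enable
http 10.10.20.0 255.255.255.0 inside
ssh 10.10.20.0 255.255.255.0 inside
! Remove the wide-open outside entries
no http 0.0.0.0 0.0.0.0 outside
no ssh 0.0.0.0 0.0.0.0 outside
! Only if outside access is truly needed: a single admin host (constructed: 203.0.113.45)
ssh 203.0.113.45 255.255.255.255 outside
ssh version 2
ssh timeout 10
! Authenticate management sessions against the local user database (username is assumed)
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
username netadmin password CHANGE-ME privilege 15
! Leave the dedicated management interface down unless a service module
! (IPS/CX/SFR) or a real out-of-band network requires it
interface Management0/0
 shutdown
```

Check the result with `show running-config http` and `show running-config ssh`; any remaining `0.0.0.0 0.0.0.0 outside` line means the public side is still open for management.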
01-05-2015 04:06 PM
Hi Marvin,
Thanks! Will consider that on my new ASA builds this year. I don't want to waste any private or public IP and even extra switch port just for management.
Any problem or security vulnerability you've encountered before that led you not to use management interface on an ASA?