06-14-2018 01:49 PM - edited 02-21-2020 07:53 AM
Hello, I wonder if you could help. I am in the process of upgrading from an ASA 5505 to a 5515-X.
On the 5505 I had an IP restriction for the HTTPS/ASDM setup on the outside interface, worked great. Of course, these firewalls didn't come with a dedicated management interface.
On the new 5515-X the default is 192.168.1.1 on the dedicated management interface. The ASA will be going into a datacentre, so I would still ideally need to have HTTPS/ASDM access through its outside interface, IP restricted of course.
What is the best practice with setting this up please? I know some CLI, but I prefer to use ASDM.
There will be a site-to-site VPN I will be setting up not long after the deployment of the firewall, so I will probably use VPN access only for the HTTPS/ASDM, but for the moment I will need to open it on the outside interface, IP restricted.
Thanks!
06-14-2018 02:05 PM
Hi, best practice would be to not allow management access from outside, but if you need to, then I've included a copy of my lab configuration below.
domain-name lab.net
username admin password PASSWORD privilege 15
http server enable
aaa authentication http console LOCAL
http 192.168.11.0 0.0.0.255 INSIDE
crypto key generate rsa modulus 2048
aaa authentication ssh console LOCAL
ssh version 2
ssh 192.168.10.0 0.0.0.255 INSIDE
ssh 192.168.11.0 0.0.0.255 INSIDE
ssh timeout 30
Just replace the IP address range with the subnet you will permit access from, and replace INSIDE with the name of your outside interface.
Another BP would be to actually use TACACS+ or RADIUS for management to control user access.
HTH
06-14-2018 02:15 PM
Thanks for the reply.
I don't mind installing ASDM on one of the servers inside the firewall - I can just RDP in (or VPN once I set up the site-to-site). Is there a way through ASDM to set the inside interface as the management interface with HTTPS running for ASDM access?
Thanks!
06-14-2018 02:18 PM
06-14-2018 02:38 PM
Thanks - I will give that a try.
06-14-2018 02:53 PM - edited 06-14-2018 02:53 PM
When you do come to manage the ASA over the VPN, you will need to enter the command "management-access <inside interface name>"; this allows the ability to manage the ASA on an interface other than the one from which you entered the ASA.
HTH
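The http/ssh restriction lines in the earlier reply, and the management-access command in the reply above, are the two things worth checking before an ASA goes into a datacentre with its outside interface reachable. The following is an added Python example, not code from this thread or from Cisco: it parses the `http`/`ssh` access lines out of an ASA configuration dump, flags entries on a named outside interface that permit any source or more than a chosen number of hosts, reports which interface `management-access` names, and renders a CIDR prefix into the address-plus-mask form the ASA commands take. The configuration text is constructed for the example (it mixes the posted lab lines with deliberately bad ones); the interface names and the 256-host threshold are assumptions. Python's `ipaddress` accepts both a netmask and a wildcard (hostmask), so the `0.0.0.255` form from the posted config parses as a /24.

```python
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass

# Constructed sample configuration (not a real device dump): the lab lines from
# the thread plus an "any source" http entry and an over-broad ssh entry on the
# OUTSIDE interface, so the audit has something to flag.
SAMPLE_CONFIG = """\
domain-name lab.net
http server enable
aaa authentication http console LOCAL
http 192.168.11.0 0.0.0.255 INSIDE
http 0.0.0.0 0.0.0.0 OUTSIDE
ssh version 2
ssh 192.168.10.0 255.255.255.0 INSIDE
ssh 203.0.113.10 255.255.255.255 OUTSIDE
ssh 198.51.100.0 255.255.0.0 OUTSIDE
ssh timeout 30
management-access INSIDE
"""


@dataclass
class MgmtRule:
    proto: str                      # "http" (ASDM/HTTPS) or "ssh"
    network: ipaddress.IPv4Network  # permitted source range
    interface: str                  # interface the rule applies to


# "<proto> <address> <mask> <interface>" -- exactly three tokens after the
# keyword, so "http server enable" and "ssh timeout 30" do not match.
_RULE_RE = re.compile(r"^(http|ssh)\s+(\S+)\s+(\S+)\s+(\S+)$")
_MGMT_ACCESS_RE = re.compile(r"^management-access\s+(\S+)$")


def parse_mgmt_rules(config: str) -> list[MgmtRule]:
    """Extract http/ssh source restrictions from an ASA config dump."""
    rules: list[MgmtRule] = []
    for raw in config.splitlines():
        m = _RULE_RE.match(raw.strip())
        if not m:
            continue
        proto, addr, mask, iface = m.groups()
        try:
            # strict=False normalises host bits; the mask may be a netmask
            # or a wildcard/hostmask, both of which ipaddress understands.
            net = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        except ValueError:
            continue  # e.g. "ssh key-exchange ..." lines that happen to match shape
        rules.append(MgmtRule(proto, net, iface))
    return rules


def audit(rules: list[MgmtRule], external_interfaces: set[str],
          max_hosts: int = 256) -> list[str]:
    """Return findings for rules on external interfaces that are too broad.

    max_hosts is an assumed threshold: anything wider than a /24 from the
    internet is treated as suspicious; 'any' (prefix length 0) is always flagged.
    """
    external = {i.lower() for i in external_interfaces}
    findings = []
    for r in rules:
        if r.interface.lower() not in external:
            continue
        if r.network.prefixlen == 0:
            findings.append(f"{r.proto} on {r.interface}: permits ANY source ({r.network})")
        elif r.network.num_addresses > max_hosts:
            findings.append(f"{r.proto} on {r.interface}: {r.network} covers "
                            f"{r.network.num_addresses} hosts (> {max_hosts})")
    return findings


def management_access_interface(config: str) -> str | None:
    """Interface named by 'management-access', or None if the command is absent."""
    for raw in config.splitlines():
        m = _MGMT_ACCESS_RE.match(raw.strip())
        if m:
            return m.group(1)
    return None


def render_rule(proto: str, cidr: str, interface: str) -> str:
    """Render a CIDR prefix as the 'address mask interface' form ASA expects."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return f"{proto} {net.network_address} {net.netmask} {interface}"


if __name__ == "__main__":
    parsed = parse_mgmt_rules(SAMPLE_CONFIG)
    for finding in audit(parsed, {"OUTSIDE"}):
        print("FINDING:", finding)
    print("management-access interface:", management_access_interface(SAMPLE_CONFIG))
    print("example restriction:", render_rule("http", "203.0.113.0/28", "outside"))
```

Run it against the output of `show running-config` saved to a file and pass the real outside interface name to `audit`; an empty findings list and a `management-access` line naming the inside interface is the state the thread is aiming for.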