cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4089
Views
5
Helpful
5
Replies

ASA Management Interface Best Practives

ServerCaseUK
Level 1
Level 1

Hello, I wonder if you could help. I am in the process of upgrading from an ASA 5505 to a 5515-X.

 

On the 5505 I had an IP restriction for the HTTPS/ASDM setup on the outside interface, worked great. Of course, these firewalls didn't come with a dedicated management interface.

 

On the new 5515-X the default is 192.168.1.1 on the dedicated management interface. The ASA will be going into a datacentre, so I would still ideally need to have HTTPS/ASDM access through its outside interface, IP restricted of course.

 

What is the best practice with setting this up please? I know some CLI, but I prefer to use ASDM.

 

There will be a site-to-site VPN I will be setting up not long after the deployment of the firewall, so I will probably use VPN access only for the HTTPS/ASDM, but for the moment I will need to open it on the outside interface, IP restricted.

 

 

Thanks!

1 Accepted Solution

Accepted Solutions

Hi,
You can just use the commands provided above, modifying the subnet and specifying the correct inside interface name. You don't specifically need to use a dedicated management interface.

HTH

View solution in original post

5 Replies 5

Hi, Best practice would to not allow management access from outside, but if you need to, then I've included a copy of my lab configuration below.

 

domain-name lab.net
username admin password PASSWORD privilege 15
http server enable
aaa authentication http console LOCAL
http 192.168.11.0 0.0.0.255 INSIDE
crypto key generate rsa modulus 2048
aaa authentication ssh console LOCAL
ssh version 2
ssh 192.168.10.0 0.0.0.255 INSIDE
ssh 192.168.11.0 0.0.0.255 INSIDE
ssh timeout 30

 

Just replace the IP address range with your subnet you will permit access from and replace inside with the name of your outside interface.

 

Another BP would be to actually use TACACS+ or RADIUS for management to control user access.

 

HTH

Thanks for the reply.

 

I don't mind installing ASDM on one of the servers inside the firewall - I can just RDP in (or VPN once I setup the site-to-site). Is there a way through ASDM to set the Inside interface as the management interface with HTTPS running for ASDM access?

 

 

Thanks!

Hi,
You can just use the commands provided above, modifying the subnet and specifying the correct inside interface name. You don't specifically need to use a dedicated management interface.

HTH

Thanks - I will give that a try.

When you do come to manage the ASA over the VPN, you will need to enter the command "management access <inside interface name>" this allows the ability to manage the ASA on an interface other than the one from which you entered the ASA.

HTH

Review Cisco Networking for a $25 gift card