Hi Marvin,

Thanks for your reply,

That sounds like the way I have it is fine then, I've noticed that some people here have the snmp set up for the Inside interface but i think i'll leave mine as it is.... seems to working fine.

Thanks again.

hi marvin,

this post is really helpful. there's quite a confusion of the MGMT interface for its OOB management.

my questions are:

1) is AAA/TACACS+ included for MGMT interface traffic? i need to know if i should route the TACACS+ server to hop the 'management' or 'inside' interface.

2) is it best practice/practical to remove 'management-only' on the management interface? i read somewhere (i think you posted it) that on new 9.x code, routing is enabled on ASA 5500-x but i have a mix of old 5500 ASA, so is this also applicable?

3) could you please confirm if these are the 'management' basic routes i should have on my next ASA deployments:

route management <SSH JUMP SERVERS>

route management <PC SUBNETS W/ ASDM>

route management <SYSLOG/NMS-IP>

johnlloyd_13  ,

There's not one right or wrong way. A lot depends on your overall network architecture and the security policies you are enforcing via configuration of your ASA.

If you have a truly separate management network then you can indeed set the routes exclusively out the management interface - on both old code and new.

The issue with making management routes for some servers and services is that those same things may need to route traffic out the ASA for their own non-ASA-related purposes. Say you want to browse the Internet from one of your ASDM clients or updates packages on your jump box. They route eventually outbound via the ASA inside interface en route to the Internet. The return traffic arrives and sees a more specific route statically defined on the management interface and thinks it should use that ...but it's not allowed (on 8.6+ anyway, and on older code with "management-only" set). So that breaks things.

The newer code has two routing tables to address that issue. Traffic to and from the management interface can use the management routing table. All other traffic (including non-ASA-management traffic from your management stations) can use the global routing table.

I am trying to setup my 5506x running 9.6.1 and can't seem to figure out how to use the management-only routing table.  My inside and management interfaces are on separate subnets.  I can ping the management interface from it's subnet but can not route to it from a different subnet.  How to I donfigure the manament network to route subnets besides its own?

Thanks

jayyoung71  ,

When you create the route with the management keyword under 9.5+ the route wil be created as management-only.

Once you have set such route(s), you can verify with "show route management-only"

Reference the release notes:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/release/notes/asarn95.html

as follows:

hi,

thanks for further clarifying!

can you confirm AAA/TACACS+ traffic goes via the 'management' interface?

also do you prefer removing the 'management-only' under mgmt interface?

johnlloyd_13  ,

The AAA/TACACS+ traffic exits the ASA according to what the ASA's routing table tells it. There is no equivalent concept to the IOS "ip tacacs source interface" command.

The management-only command for the management interface is unnecessary under newer ASA code (8.6+). Under the older code, it can be used to prevent data plane traffic from using the management interface. Personally I've never found it necessary but your use cases may differ.

thanks! i'll probably route ACS/TACACS+ on the 'inside' and leave SSH/ASDM routed on 'management'

will also remove 'management-only' so it'll be consistent on all 5500 and 5500-x ASA.

i would need to lab this up in our environment. thanks again! +5