ASA - Management Network and Asymmetric Routing?

Eric Snijders
Level 1

Hi guys,

Consider the following topology: [topology image b0BOKeP]

Let's say PC1 is my "management" device or network.

- Both ASAs can reach each other over the 2 different VLANs.

- The ASAs each "represent" 1 datacenter.

Now there is the following issue if I want to manage ASA-1 (ICMP/SSH/HTTPS):

If I create a static route on ASA-1 to the 10.0.0.0/24 network on its VLAN50 interface:

- I can manage the VLAN50 interface on ASA-1 from PC1

- I cannot manage the VLAN100 interface on ASA-1 from PC1, because traffic is received on its VLAN100 interface but sent back out of its VLAN50 interface, which is not possible with ASAs (right?)

Vice versa if I create the static route on its VLAN100 interface.

Now I'm in an environment where I can't easily edit all the routes since it's a production network. Basically I'm looking for the right / a good way to manage devices on the "far" side (including the ASA itself). How should I handle this when working with subinterfaces on an ASA?

6 Replies

Bogdan Nita
VIP Alumni

I would try to separate networks for clients/servers and interconnects between network devices.

Besides the problem of accessing the ASA for management, you will have problems with accessibility of the hosts in the 50 and 100 networks.

Let's consider the following example:

- you are trying to reach a host in the 192.168.50.0/24 network from PC1

- the host has ASA-1 as default gateway

PC1 will not be able to communicate with the host because the initial packet will reach the host via ASA-2, but the return packet will be sent via ASA-1; ASA-1, not having an entry for the initial packet, will drop the response packet.

The above default behavior can be changed by configuring TCP State Bypass:

https://www.cisco.com/c/en/us/support/docs/security/asa-5500-x-series-next-generation-firewalls/118995-configure-asa-00.html

I would have only one ASA as default gateway for a network.

If redundancy is needed you can set up HA or a cluster.

If you have multiple L3 interconnect links, that should not be a problem; it would probably be a good idea to use a dynamic routing protocol. For ASA management you can use an inside interface then.
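The asymmetric-path drop described in this reply, as an added illustration that is not part of the original thread: a small Python model of a stateful firewall's connection table. The SYN from PC1 to a host in 192.168.50.0/24 is forwarded by ASA-2, the host answers through its default gateway ASA-1, and ASA-1 drops the SYN-ACK because it has no connection entry for it; with the bypass behaviour enabled on ASA-1 the reply is forwarded without a matching entry. The host addresses (10.0.0.10, 192.168.50.10) and port numbers are constructed for the example, and the `StatefulFirewall` class is a simplification of the real ASA logic, not its implementation.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool  # SYN flag set
    ack: bool  # ACK flag set


@dataclass
class StatefulFirewall:
    """Toy stateful TCP firewall: only the opening SYN may create a connection entry."""

    name: str
    tcp_state_bypass: bool = False
    conns: set = field(default_factory=set)
    log: list = field(default_factory=list)

    @staticmethod
    def key(pkt: Packet) -> tuple:
        # Direction-independent key so both halves of a flow map to one entry.
        return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))

    def forward(self, pkt: Packet) -> bool:
        k = self.key(pkt)
        if pkt.syn and not pkt.ack:
            # First packet of a new connection: build the entry and forward.
            self.conns.add(k)
            self.log.append(f"{self.name}: new conn {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return True
        if k in self.conns:
            self.log.append(f"{self.name}: forward, matches existing conn")
            return True
        if self.tcp_state_bypass:
            # TCP state bypass: forward without requiring a connection entry.
            self.log.append(f"{self.name}: forward, tcp-state-bypass (no conn entry)")
            return True
        # Out-of-state segment on a firewall that never saw the SYN: dropped.
        self.log.append(f"{self.name}: DROP {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} (no conn entry)")
        return False


def simulate(bypass_on_asa1: bool) -> tuple:
    """Return (reply_delivered, combined_log) for the PC1 -> host -> PC1 exchange."""
    asa1 = StatefulFirewall("ASA-1", tcp_state_bypass=bypass_on_asa1)
    asa2 = StatefulFirewall("ASA-2")

    # Constructed sample flow: PC1 (10.0.0.10) opens SSH to a host in 192.168.50.0/24.
    syn = Packet("10.0.0.10", "192.168.50.10", 40000, 22, syn=True, ack=False)
    # PC1's path to 192.168.50.0/24 goes through ASA-2, so only ASA-2 sees the SYN.
    if not asa2.forward(syn):
        return False, asa2.log + asa1.log

    # The host replies via its default gateway ASA-1, which has no entry for the flow.
    synack = Packet("192.168.50.10", "10.0.0.10", 22, 40000, syn=True, ack=True)
    delivered = asa1.forward(synack)
    return delivered, asa2.log + asa1.log


if __name__ == "__main__":
    for bypass in (False, True):
        ok, log = simulate(bypass)
        print(f"tcp-state-bypass on ASA-1: {bypass} -> reply delivered: {ok}")
        for line in log:
            print("  " + line)
```

Running the module prints both scenarios. The model deliberately treats a SYN-ACK without a matching entry as out-of-state rather than as a new connection, which is what makes the asymmetric return path fail in the default case; the point of the reply above is that the cleaner fix is a single default gateway per network (or HA) rather than relaxing state checking.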

Hi Bogdan,

Thanks for the reply and the provided information. What you are saying is basically the construction I'm dealing with:

- 2 datacenters
- Both datacenters with ASAs (2 in each datacenter, 1 dedicated for management traffic and 1 for production traffic)
- Both datacenters are interconnected with Layer 3 switches (dedicated interconnectivity VLAN between the DCs)

The problem so far, it seems, is that we have 1 "management entry" (AnyConnect VPN, or "PC1" in this topology) and we would also like to manage the other datacenter.

But from what I have learned, if you want to manage an ASA, you can't enter that ASA on 1 (sub)interface and request another (sub)interface on that same ASA. So what would be the best approach to create 1 "management network" from which we can manage all devices in both DCs from the AnyConnect network (PC1)?

Sorry, I think I misunderstood your question a little bit.

In the topology you posted, the only interface on ASA1 that PC1 can use to connect is the one that has the correct route back to ASA2.

You could try TCP State Bypass; I have never configured it for traffic directed to the ASA, but it could work.

 

Hi Bogdan,

As far as I know I tried everything:

- Configured TCP Bypass

- Allowed ICMP for "any" on all the interfaces

- Configured ACLs with "permit ip any any" on all the interfaces

- Configured same-security-level traffic for inter and intra

- I tried playing with the "management-only" and "management-access" commands

The approach is pretty simple, but there is probably a design flaw or something going on. If both DCs are connected and traffic between them occurs on a dedicated VLAN, is there seriously no way I can manage the ASA in the other DC on a (sub)interface that's different from the "inter-DC VLAN"?

Hi Eric,

In order to get to the bottom of this I think we should simplify the problem as much as we can:
Can the outside interface of the ASA be reached from a host connected on the inside interface?
The answer is unfortunately no, and there is nothing that can be done about it.
The best answer that can be found to explain this behavior is that this is the way the ASA was designed.
Exception:
- if your VPN tunnel terminates on one interface, you can access a different interface using management-access and NAT with route-lookup

Hi @Eric Snijders

The topology is not available. If I understood it right, you need to play with routing, but I'd like to see your topology first.

-If I helped you somehow, please, rate it as useful.-
