Re: ASA Management Port Best Practices

joemarr_brodart · ‎09-27-2006

What is the recommended configuration for the management port on an ASA when in single contect mode and OSPF enabled.

Im in the process of migrating from a 525 to 5520. Im not sure how to handle the routing for accessing the management interface. I use OSPF to obtain my inside network routing, and I wonder how accessing the management port from another network will work.

drolemc · ‎10-03-2006

What version of software are you using in the ASA box ?

joemarr_brodart · ‎10-03-2006

We are using 7.2(1)

andrew.burns · ‎10-04-2006

Hi,

You just need to treat it like any other interface. Say you connect from network A - assuming it's not directly connected to the ASA then you'll need a static route to network A from the ASA (pointing to whatever the next hop on the management lan is).

In our environment we can't use management-only interfaces because the management stations need internet access as well, which happens to pass through the ASA - so we just manage using the inside interface IP.

They make good failover interfaces tho' ;-)

HTH

Andrew.

brian.oflynn · ‎11-29-2006

Hi Andrew, I am just about to setup a new ASA 5520 and was wondering that very thing you mentioned, using the management interface for failover. Are there any problems with doing this?

Thank you

Brian

andrew.burns · ‎11-29-2006

Hi Brian,

We did very thorough lab testing with this and the management interfaces performed just like normal ones when configured "no management-only". Since implementation we've had a couple of real failover situations and it's all worked perfectly.

HTH

Andrew.

brian.oflynn · ‎11-30-2006

Thank you Andrew for the info.