ASA transparant with Management Interface

Rizal Ferdiyan
Level 1

Guys,

I have a problem. I have an ASA which is configured in transparent mode. I have configured the ASA with management IP 10.1.1.1 (which is required in ASA transparent mode). I also have a management interface which is configured with IP 172.1.1.1. My topology is like this:

========            =======   1       2 ======          ======
  switch     <---->      ASA         <-->      CORE <----->    LAN
                                              <-->
========            =======    a      b ======          ======

ASA to CORE has two links. Link 1-2 (link for data): node 1 has IP 10.1.1.1, node 2 has IP 10.1.1.2. Link a-b (link for management): node a has IP 172.1.1.1, node b has IP 172.1.1.2. CORE to LAN uses dynamic routing. How do I configure the ASA so that node a and node 1 can be reached from the LAN?

I have tried to configure:

1. Static route: route interface 1 "LAN network" "node2". I can reach node 1 from the LAN, but I can't reach node a.

2. Static route: route interface a "LAN network" "nodeb". I can reach node a from the LAN, but I can't reach node 1.

Is it possible to reach both node 1 and node a? Node 1 is the management IP, node a is the management interface. How do I configure the ASA, especially the routes in the ASA?

Best Regards,

Rizal Ferdiyan

3 Replies

Kureli Sankar
Cisco Employee

Rizal,

I don't understand the reason to reach both the Management interface IP as well as the BVI from the LAN. The topology that you included is not clear. If you need to manage the ASA, just use the management interface. The BVI IP address is required for the TFW to send ARP requests if it doesn't know where the destination IP address is.

You can see sample TFW configs here:

-Kureli

Sankar,

Just like you said, my plan is: I want to manage the ASA using the management interface, but I am a bit confused how to configure the static route in the ASA.

My topology:

==============             ===========================               =====================             =====
Switch (10.1.1.3/24) <-------> ASA BVI Int (10.1.1.2/24)                  <--------->  CORE 1st Int (10.1.1.1/24)      <===>  LAN
                                          ASA Management Int (172.20.1.2/24) <--------->  CORE 2nd Int (172.20.1.1/24)
==============             ===========================              ======================           =====

My LAN network is 192.168.0.0/16. Between the LAN network and the CORE network there is a dynamic routing protocol, so from my LAN I can reach the CORE 1st int and CORE 2nd int. I have 2 interfaces in the ASA (1st is the BVI int, 2nd is the Management int). I want to reach the ASA management int and the switch network from my LAN.

My question is how to configure the static route in the ASA?

1. If I configure like this: route inside 192.168.0.0/16 interface 10.1.1.1, I can reach the switch network, but I can't reach the ASA management int, because CORE's route to reach the ASA network is via CORE's 2nd int, but when the traffic is in the ASA, the ASA's route to reach 192.168.0.0/16 is via the ASA BVI int (like asymmetric routing).

2. If I configure like this: route inside 192.168.0.0/16 interface 172.20.1.1, I can reach the ASA management int but I can't reach the switch network.

Any idea?
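The asymmetric-path problem described in the two attempts above, as an added illustration that is not part of the thread: a constructed model of the core's forwarding table and the ASA's single static route for 192.168.0.0/16, checking whether the path to each ASA-owned address (BVI 10.1.1.2, management 172.20.1.2) enters and leaves the ASA on the same interface. Only traffic addressed to the ASA itself is modelled; transit traffic bridged through the transparent firewall is not.

```python
import ipaddress

# Constructed model of the topology in this thread (not the poster's real configs).
LAN = ipaddress.ip_network("192.168.0.0/16")
LAN_HOST = "192.168.1.10"  # assumed source address of the management station

def lpm(table, dst):
    """Longest-prefix match over a list of (network, out_interface) entries."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None

# CORE: the LAN is learned dynamically, both ASA-facing subnets are directly connected.
CORE = [
    (LAN, "lan"),
    (ipaddress.ip_network("10.1.1.0/24"), "1st"),
    (ipaddress.ip_network("172.20.1.0/24"), "2nd"),
]

# Which CORE interface hands traffic to which ASA interface (links 1-2 and a-b).
LINK = {"1st": "inside", "2nd": "management"}

def asa_table(route_iface):
    """ASA transparent mode: connected subnets plus ONE static route for the LAN."""
    return [
        (ipaddress.ip_network("10.1.1.0/24"), "inside"),
        (ipaddress.ip_network("172.20.1.0/24"), "management"),
        (LAN, route_iface),  # 'inside' = attempt 1, 'management' = attempt 2
    ]

def check_path(asa_routes, target):
    """Return (ingress_iface, egress_iface, symmetric) for LAN_HOST -> target."""
    ingress = LINK[lpm(CORE, target)]      # core picks the link toward the ASA address
    egress = lpm(asa_routes, LAN_HOST)     # ASA picks its route back toward the LAN
    return ingress, egress, ingress == egress

def evaluate(route_iface):
    """Reachability of the BVI and management addresses for one static-route choice."""
    table = asa_table(route_iface)
    targets = {"bvi": "10.1.1.2", "mgmt": "172.20.1.2"}
    return {name: check_path(table, ip)[2] for name, ip in targets.items()}
```

With the route on `inside` only the BVI path is symmetric; with it on `management` only the management path is, which reproduces the two attempts in the post.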

Hi

I seem to be as unclear as Kureli as well. The most important thing to remember here is that the Management interface is set to be an out-of-band management interface, meaning it should be a special VLAN where only management traffic (ports) of Cisco equipment should be connected.

That being said, I think what you can do is create a VLAN and an SVI on the switch (the one that connects to the LAN; based on your topology it seems to be an L3 switch as well) where this port will be connected, with an IP that you can choose (different from the global IP the ASA has).

Now on the ASA, just create a static route pointing to the switch. This static route (as well as the one on the switches) will be used when the ASA needs to route management traffic to a subnet that is not the directly connected one.

The global IP address that the ASA has (as Kureli stated) is used for ARP. The route will be used for the ASA to route management traffic.

This link can help you out as well; you can read what it says about the management interface/traffic:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

In case you don't want to create a separate VLAN, you can use the same IP (global IP) for management traffic; the only thing you need to do is point a route to the switch and that will do it.

Pitfall: if I am not mistaken, you will only be able to connect via the inside LAN. If someone tries from a network beyond the core switch, that will cause the packet to be sent to the inside switch, then bounce back to the ASA with a source IP that the firewall has, and it will drop the packet as it comes with a bad source (IP spoof). This happens in routed mode, but I think it follows the same path.

Hope this helps a bit.

Mike
