Showing results for 
Search instead for 
Did you mean: 


ASA-X Management Interface Routing

I have seen some similar questions, but no definite answers, so I'll ask here. I have a CX module connected to a L3 switch on a management subnet. I want to use the managment interface of the ASA (since it is already connected for the CX) and place it also in the management subnet. The problem I have is the ASA sees it's management interface and routes for that traffic (and entire subnet). I need to manage these devices remotely from the outside. I would like the traffic to flow to the L3 switch via the inside interface and then route back to the management interface for the ASA and CX. Anyway to prevent the ASA from routing for the management traffic?

Crude drawing:





          outside int.




     |                    |

     |                    |

inside int          mgmt int

     |                    |

     /30               L2

     |                    |

           L3 switch

I know I can remove the IP from the ASA's management interface to prevent the ASA from routing that traffic, but was looking to see if I can keep that mgmt address there.

Although just writing this out made me realize that it is the ASA not allowing management of one interface if the traffic originates through another. Still if you know of a way around this, it would be greatly appreciated.

5512-X 5525-X  ASA_9.1.2

Jouni Forss


Well one thing that comes to mind is both NATing the source and the destination IP address for the management connections on the L3 switch if possible so that the ASA would have some destination IP address for the remote management connection that is located behind "inside" according to its local routing table and also that the source address with which the connection came back to the ASA would be something that it would be expecting to be visible from "mgmt" interface.

Don't know really if this is possible or if this is feasible solution to this problem.

I do have an ASA5515-X at home with ASA-CX so I could perhaps test this tomorrow as I dont have it setup currently in a way I could test this myself.

- Jouni

Florian Pressler

Hello wyley.

I also ran into this problem repeatedly, which is why I refrain from using the management-interface most of the time. It's just cumbersome to implement and makes things more difficult most of the time. I don't see any reason to use the management-interface - except if you really have a separate, dedicated management-only network which is separated from the productive network which is only reachable via jump-hosts or proxies.

If for some reason you still insist on the setup you describe at the top, then there's a workaround to achieve it. You have to use separate routing-domains (=VRFs) for the management-interface and the rest (productive traffic) interfaces. You can easily achieve that on the ASA by creating contexts on the ASA. Enable multiple-mode (context-mode) and put the management interface in the admin-context. Put the productive firewall in another context. You can do this even if you don't have contexts enabled, because even with no special license you have access to two contexts. Keep in mind that not every feature is supported in multiple context mode.

I like to use the solution described above especially for setups where a later use of contexts could eventually happen. Then you have your ASA already in mulitple context mode and don't have to change anything.

I have to admit though, that I have no experience with the ASA-CX yet and I don't know what caveats await you here in connection with this specific question.