I have seen some similar questions, but no definite answers, so I'll ask here. I have a CX module connected to a L3 switch on a management subnet. I want to use the managment interface of the ASA (since it is already connected for the CX) and place it also in the management subnet. The problem I have is the ASA sees it's management interface and routes for that traffic (and entire subnet). I need to manage these devices remotely from the outside. I would like the traffic to flow to the L3 switch via the inside interface and then route back to the management interface for the ASA and CX. Anyway to prevent the ASA from routing for the management traffic?
inside int mgmt int
I know I can remove the IP from the ASA's management interface to prevent the ASA from routing that traffic, but was looking to see if I can keep that mgmt address there.
Although just writing this out made me realize that it is the ASA not allowing management of one interface if the traffic originates through another. Still if you know of a way around this, it would be greatly appreciated.
Well one thing that comes to mind is both NATing the source and the destination IP address for the management connections on the L3 switch if possible so that the ASA would have some destination IP address for the remote management connection that is located behind "inside" according to its local routing table and also that the source address with which the connection came back to the ASA would be something that it would be expecting to be visible from "mgmt" interface.
Don't know really if this is possible or if this is feasible solution to this problem.
I do have an ASA5515-X at home with ASA-CX so I could perhaps test this tomorrow as I dont have it setup currently in a way I could test this myself.
I also ran into this problem repeatedly, which is why I refrain from using the management-interface most of the time. It's just cumbersome to implement and makes things more difficult most of the time. I don't see any reason to use the management-interface - except if you really have a separate, dedicated management-only network which is separated from the productive network which is only reachable via jump-hosts or proxies.
If for some reason you still insist on the setup you describe at the top, then there's a workaround to achieve it. You have to use separate routing-domains (=VRFs) for the management-interface and the rest (productive traffic) interfaces. You can easily achieve that on the ASA by creating contexts on the ASA. Enable multiple-mode (context-mode) and put the management interface in the admin-context. Put the productive firewall in another context. You can do this even if you don't have contexts enabled, because even with no special license you have access to two contexts. Keep in mind that not every feature is supported in multiple context mode.
I like to use the solution described above especially for setups where a later use of contexts could eventually happen. Then you have your ASA already in mulitple context mode and don't have to change anything.
I have to admit though, that I have no experience with the ASA-CX yet and I don't know what caveats await you here in connection with this specific question.
Site to Site IPSec VPN with Dynamic IP Endpoint is typically used when we have a branch sites which obtains a dynamic public IP from the Internet ISP. For example an ADSL connection.One important note is that Site-to-Site VPN with Dynamic remote routers P...
On R1, configure a key ring that defines the peer R3:Address: 184.108.40.206Local and remote pre-shared key: cisco R1(config)#crypto ikev2 keyring KRR1(config-ikev2-keyring)# peer R3R1(config-ikev2-keyring-peer)# address 220.127.116.11R1(config-ikev2-keyring-pee...
This document shows how to use the Port Radius NAS PORT Id Attribute in a compound condition to control access with 802.1X.A user jdoe is allowed to access the network only through the physical port FastEthernet 0/1 of the switch and the user jwhite is al...
This document provides a configuration example of Security Assertion Markup Language (SAML) Authentication on FTD managed over FDM. The configuration allows Anyconnect users to establish a VPN session authenticating with a SAML Identity Serv...
DMVPN Dual Hub Dual Cloud Pros and ConsProsNo single point of failureQuick failover if routing protocols are tunedLoad balancing is easyTraffic engineering is easyEasy to work with multiple ISPsConsNeed 2 tunnels per spokeConfiguration is more complicated...