ASA5520 - Management0/0 Telnet/SSH/Ping Access

Robert Ho
Level 1

Hey all, hope this is an easy one.

- how can I set up the management interface so that we can ping the mgmt interface from a subnet that is different from the Management0/0 interface's subnet (source IP would be 192.168.100.0/24, which may conflict with the inside interface)

- I am able to telnet/ssh from the 192.168.100.0/24 subnet connected to a router behind the mgmt interface

- I am not able to ping the mgmt interface from the 192.168.100.0/24 subnet connected to a router behind the mgmt interface

- is a security level required on the mgmt interface? It does not work unless we put one. If so, what are you guys setting it to?

interface Ethernet0/0.101
 description Outside
 vlan 101
 nameif outside
 security-level 0
 ip address 101.1.1.100 255.255.255.0
!
interface Ethernet0/1.102
 description Inside Cat3750-VM G1/0/24 (PRI) G2/0/24 (STB)
 vlan 102
 nameif inside
 security-level 100
 ip address 192.168.100.100 255.255.252.0
!
interface Management0/0
 nameif mgmt
 security-level 90
 ip address 192.168.253.100 255.255.255.0
 management-only
!
ssh 192.168.100.0 255.255.255.0 mgmt
telnet 192.168.100.0 255.255.255.0 mgmt

I try to add a static route but get an error:

ASA5520(config)# route mgmt 192.168.0.0 255.255.252.0 192.168.253.1

ERROR: Cannot add route, connected route exists
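As an added example (not from the original post, and not Cisco code), the Python script below parses the interface and ssh/telnet lines posted above and answers the two things a reviewer would check first on this config: which source addresses are allowed to reach the box over which protocol on which interface, and whether a candidate static route falls inside a directly connected network, which is the condition behind the "Cannot add route, connected route exists" error. The config text embedded in the script is a constructed copy of the posted stanzas; the second route it checks (192.168.100.0/24) is constructed to show a conflicting case; and the parser is a simplified one that understands only the commands that appear in the post.

```python
import ipaddress
import re

# Constructed copy of the interface and management-access lines from the post
# (sub-commands indented the way the ASA prints them).
ASA_CONFIG = """
interface Ethernet0/0.101
 description Outside
 vlan 101
 nameif outside
 security-level 0
 ip address 101.1.1.100 255.255.255.0
!
interface Ethernet0/1.102
 description Inside Cat3750-VM G1/0/24 (PRI) G2/0/24 (STB)
 vlan 102
 nameif inside
 security-level 100
 ip address 192.168.100.100 255.255.252.0
!
interface Management0/0
 nameif mgmt
 security-level 90
 ip address 192.168.253.100 255.255.255.0
 management-only
!
ssh 192.168.100.0 255.255.255.0 mgmt
telnet 192.168.100.0 255.255.255.0 mgmt
"""

# ssh / telnet / http <ip> <mask> <nameif>: who may reach the box, and via which interface
ACCESS_RE = re.compile(r"^(ssh|telnet|http)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_config(text):
    """Simplified parser: returns (interfaces, access).

    interfaces maps nameif -> dict(name, security_level, network, management_only);
    access is a list of (protocol, permitted_network, nameif) tuples.
    Only the commands that appear in the posted config are understood.
    """
    interfaces = {}
    access = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = {"name": line.split(None, 1)[1], "security_level": None,
                       "network": None, "management_only": False}
            continue
        if current is not None and raw.startswith(" "):       # interface sub-command
            words = line.split()
            if words[0] == "nameif":
                interfaces[words[1]] = current
            elif words[0] == "security-level":
                current["security_level"] = int(words[1])
            elif words[0] == "ip" and words[1] == "address":
                current["network"] = ipaddress.ip_network(f"{words[2]}/{words[3]}", strict=False)
            elif line == "management-only":
                current["management_only"] = True
            continue
        current = None                                          # back at global config level
        m = ACCESS_RE.match(line)
        if m:
            proto, ip, mask, nameif = m.groups()
            access.append((proto, ipaddress.ip_network(f"{ip}/{mask}", strict=False), nameif))
    return interfaces, access


def can_manage(access, proto, source_ip, nameif):
    """True if source_ip matches a permit line for proto arriving on nameif."""
    src = ipaddress.ip_address(source_ip)
    return any(src in net for p, net, n in access if p == proto and n == nameif)


def route_conflicts(interfaces, destination, mask):
    """Return the nameif whose connected network contains the candidate static
    route, or None.  A route whose destination lies inside a connected network
    is what the ASA refuses with 'Cannot add route, connected route exists'."""
    dest = ipaddress.ip_network(f"{destination}/{mask}", strict=False)
    for nameif, intf in interfaces.items():
        if intf["network"] is not None and dest.subnet_of(intf["network"]):
            return nameif
    return None


def cleartext_management(access):
    """Permit lines that admit Telnet: credentials cross the wire unencrypted."""
    return [(p, str(net), n) for p, net, n in access if p == "telnet"]


if __name__ == "__main__":
    interfaces, access = parse_config(ASA_CONFIG)
    for nameif, intf in interfaces.items():
        print(f"{nameif:8} {intf['name']:18} level={intf['security_level']:<3} "
              f"net={intf['network']} management-only={intf['management_only']}")
    for src in ("192.168.100.25", "192.168.101.25", "10.0.0.5"):
        print(f"ssh from {src} via mgmt: {can_manage(access, 'ssh', src, 'mgmt')}")
    for dest, mask in (("192.168.0.0", "255.255.252.0"),      # route as quoted in the post
                       ("192.168.100.0", "255.255.255.0")):   # constructed conflicting case
        print(f"route {dest} {mask}: conflicts with {route_conflicts(interfaces, dest, mask)}")
    print("cleartext management lines:", cleartext_management(access))
```

Run as-is it prints the interface table, the SSH source checks and the route checks. Two things worth noticing in the output: the route exactly as quoted in the post, 192.168.0.0 255.255.252.0, does not fall inside any of the three posted connected networks, whereas any prefix within the inside interface's 192.168.100.0/22 (such as the constructed 192.168.100.0/24) does; and the telnet permit line is listed separately because Telnet sends the login in cleartext, so on a management interface the ssh line alone is the one to keep.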

3 Replies

Julio Carvajal
VIP Alumni

Hello Robert,

By default the Management interface of an ASA is going to be used just for management traffic only.

Now in order to be able to use it as any other interface you will need to use the following commands:

     -     interface Management0/0

     -     no management-only

And just to let you know, it is impossible to ping a distant interface, as an example from an inside subnet to the outside interface IP. This is a security measure.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Yes, our intent is to use it for mgmt only (telnet, ssh, ping, logging, snmp).

But we are not able to reach it if the source IP is on another subnet one hop from the mgmt interface.

for example

asa --> mgmt0/0 --> router --> source_ip

is this possible?

Hi,

you can use this command:

hostname(config)# management-access management_interface

Regards.

Alain.

Don't forget to rate helpful posts.