Can't access management IP on Cisco ASA

Mikee Hendricks
Level 1

Hi,

I can't ping my ASA's management IP 10.1.50.5 from the inside network, only 10.0.28.1. I already added the management IP on the route. Please take a look at this topology and config to see where I am lacking. Thanks.

[Image: asa.png (network topology diagram)]

ASA Version 9.12(2)
!
hostname ciscoasa
enable password ***** pbkdf2
!
license smart
feature tier standard
throughput level 1G
names
no mac-address auto

!
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address 172.18.200.167 255.255.255.0
!
interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 10.0.28.1 255.255.255.0
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif MGMT
security-level 100
ip address 10.1.50.5 255.255.255.128
!
ftp mode passive
dns domain-lookup OUTSIDE
dns server-group DNS
name-server 1.1.1.1
name-server 1.0.0.1
dns server-group DefaultDNS
name-server 1.1.1.1
name-server 1.0.0.1
object network obj_any
subnet 0.0.0.0 0.0.0.0
object network outside
subnet 172.18.200.0 255.255.255.0
object network inside
subnet 10.0.28.0 255.255.255.0
object network LAN
subnet 192.168.0.0 255.255.0.0
object-group network OUTSIDE
network-object host 192.168.11.22
access-list OUT-TO-IN extended permit icmp any any
access-list OUT-TO-IN extended permit tcp any any
access-list OUT-TO-IN extended permit udp any any
pager lines 23
logging enable
logging asdm informational
mtu OUTSIDE 1500
mtu INSIDE 1500
mtu MGMT 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
!
nat (INSIDE,OUTSIDE) after-auto source dynamic any interface
access-group OUT-TO-IN in interface OUTSIDE
!
route-map PBR permit 5
set ip next-hop verify-availability 172.18.200.1 1 track 1

!
route-map PBR permit 50

!
route OUTSIDE 0.0.0.0 0.0.0.0 172.18.200.1 1
route INSIDE 192.168.10.0 255.255.255.0 10.0.28.2 1
route MGMT 192.168.10.0 255.255.255.0 10.1.50.6 1
route INSIDE 192.168.11.0 255.255.255.0 10.0.28.2 1
route INSIDE 192.168.50.0 255.255.255.0 10.0.28.2 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 OUTSIDE
snmp-server host INSIDE 192.168.50.21 community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server enable traps syslog
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpool policy
auto-import
quit
!
track 1 rtr 1 reachability
telnet timeout 2
ssh stricthostkeycheck
ssh 192.168.10.0 255.255.255.0 INSIDE
ssh 192.168.11.0 255.255.255.0 INSIDE
ssh 192.168.10.0 255.255.255.0 MGMT
ssh 192.168.11.0 255.255.255.0 MGMT
ssh timeout 2
ssh version 1 2
console timeout 2
console serial
threat-detection basic-threat
threat-detection statistics access-list
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
dynamic-access-policy-record DfltAccessPolicy
username admin password ***** pbkdf2 privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
privilege show level 5 mode configure command filter
prompt hostname context
no call-home reporting anonymous
: end


9 Replies

If you try to ping MGMT from a host connected to INSIDE, then by default the ASA will drop the packet.

The ASA does not allow ping from one interface to another interface.

You can only ping the INSIDE interface if the host is connected to INSIDE.

And for management you can add

telnet 0.0.0.0 0.0.0.0 INSIDE

Hi

Use the command

same-security-traffic permit inter-interface

I already tried the command but unfortunately it still won't work.

From the diagram I can't see how the management interface is connected. When you configure a management interface on the ASA, that interface will not be passing traffic with the other interfaces, it will have its own routing table and you have to connect to it directly, not passing through other interfaces of the firewall. Try to connect that interface to the core switch and place it in the MGMT VLAN, that should work.

I already connected the MGMT interface to the core switch and it works! Thank you.

Even if you ping OUTSIDE from a host connected to INSIDE, the ping will fail (both INSIDE and OUTSIDE are in the same routing table). This is not related to the MGMT routing table; this is the default behaviour of the ASA.
Just wanted to let you know.

Although that is true unless you configure management access over a VPN, the scenario with the dedicated management interface is slightly different, in the sense that the firewall's dedicated management interface is never meant to be accessed through the firewall itself, because it is actually segregated from the other interfaces and hence has its own routing table. Also, if you try to connect to a host behind the management interface through the firewall itself, that wouldn't work for the same reason: the management interface traffic wouldn't be routed to the normal interfaces.

Friend,
for example, we have a management interface and then we configure one data interface with management-only.
Here both interfaces will be in the same routing table; even so, you cannot connect to the management interface and then ping/telnet to the data interface.
This is the default behaviour of the ASA: it does not allow traffic to enter from one interface and be directed to another ASA interface.
The issue is not routing; the issue is the ASA security behaviour which drops the packet.
That is why I suggested to him that if he connects his PC (with an IP in the same INSIDE subnet) to INSIDE, then he can use INSIDE as mgmt.

Yes, we agree on this :). My point on the dedicated management interfaces is that usually we use them for OOB access, so from the design point of view we should have them connected to a switch, potentially a separate switch, to form an OOB segment, and potentially with yet another firewall to segregate the traffic to/from them. However, this won't be applicable to the normal data interfaces, as you just can't terminate traffic on them if you come from an opposite interface, due to that default behaviour on the firewalls. The difference between using a data interface for management and a dedicated interface for management lies in having a logically separate routing table to segregate the traffic between the global routing table and the management routing table. It is exactly the same concept as when you use an SVI to manage a switch versus a dedicated management interface; on switches there is more flexibility, though, because you can create an additional VRF, place the SVI into it and set its default gateway to a security device for the traffic segregation.
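The two rules the replies above rely on (to-the-box traffic is dropped when it enters on one interface but targets another interface's address, and a management-only interface keeps a routing table separate from the data interfaces) can be made concrete with a small model. The following Python is an added example, not code from this thread or from Cisco: it parses a constructed excerpt of the configuration posted in the question (interfaces and static routes only), splits the routes into a data table and a management table, and decides whether a packet addressed to one of the ASA's own addresses would be accepted. It assumes the default behaviour described in the replies (no `management-access` configured) and takes the physical ingress interface as an explicit input rather than inferring it from the source address.

```python
"""Model of two ASA management-plane rules discussed in the thread (added
example, not Cisco's code or the thread's):
  1. a packet that enters on one interface and is addressed to the ASA's own
     IP on a different interface is dropped;
  2. a management-only interface has its own routing table, separate from the
     data interfaces' table.
"""
import ipaddress
import re

# Constructed excerpt of the configuration posted in the question.
CONFIG = """
interface GigabitEthernet0/0
nameif OUTSIDE
security-level 0
ip address 172.18.200.167 255.255.255.0
!
interface GigabitEthernet0/1
nameif INSIDE
security-level 100
ip address 10.0.28.1 255.255.255.0
!
interface Management0/0
management-only
nameif MGMT
security-level 100
ip address 10.1.50.5 255.255.255.128
!
route OUTSIDE 0.0.0.0 0.0.0.0 172.18.200.1 1
route INSIDE 192.168.10.0 255.255.255.0 10.0.28.2 1
route MGMT 192.168.10.0 255.255.255.0 10.1.50.6 1
route INSIDE 192.168.11.0 255.255.255.0 10.0.28.2 1
route INSIDE 192.168.50.0 255.255.255.0 10.0.28.2 1
"""


def parse_interfaces(text):
    """Return {nameif: {"net": IPv4Interface, "mgmt_only": bool}}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            cur = {"mgmt_only": False, "nameif": None, "net": None}
        elif cur is None:
            continue
        elif line == "management-only":
            cur["mgmt_only"] = True
        elif line.startswith("nameif "):
            cur["nameif"] = line.split()[1]
        elif line.startswith("ip address "):
            _, _, ip, mask = line.split()
            cur["net"] = ipaddress.IPv4Interface(f"{ip}/{mask}")
        elif line == "!" and cur["nameif"] is not None and cur["net"] is not None:
            ifaces[cur["nameif"]] = cur
            cur = None
    return ifaces


def parse_routes(text, ifaces):
    """Split connected subnets and static routes into the data table and the
    management table, keyed on whether the egress interface is management-only.
    Entries are (network, egress_nameif, next_hop_or_None)."""
    tables = {"data": [], "mgmt": []}
    for name, i in ifaces.items():
        tables["mgmt" if i["mgmt_only"] else "data"].append((i["net"].network, name, None))
    for m in re.finditer(r"^route (\S+) (\S+) (\S+) (\S+)", text, re.M):
        egress, net, mask, nh = m.groups()
        table = "mgmt" if ifaces[egress]["mgmt_only"] else "data"
        tables[table].append((ipaddress.IPv4Network(f"{net}/{mask}"), egress, nh))
    return tables


def lookup(table, ip):
    """Longest-prefix match in one table; returns (egress, next_hop) or None."""
    ip = ipaddress.IPv4Address(ip)
    best = max((r for r in table if ip in r[0]), key=lambda r: r[0].prefixlen, default=None)
    return None if best is None else (best[1], best[2])


def to_the_box(ifaces, tables, ingress, dst_ip):
    """Decide whether a packet that arrived on `ingress` and is addressed to the
    ASA's own address dst_ip is accepted, and which table the reply uses."""
    dst = ipaddress.IPv4Address(dst_ip)
    owner = next((n for n, i in ifaces.items() if i["net"].ip == dst), None)
    if owner is None:
        return ("not-to-the-box", None)
    if owner != ingress:
        # Rule 1: the ASA will not let traffic enter on one interface and
        # terminate on another interface's address.
        return ("drop", f"{dst_ip} belongs to {owner}, packet entered on {ingress}")
    # Rule 2: replies from a management-only interface are routed with the
    # management table, never the data table.
    return ("accept", "mgmt" if ifaces[owner]["mgmt_only"] else "data")


def build(text=CONFIG):
    ifaces = parse_interfaces(text)
    return ifaces, parse_routes(text, ifaces)


if __name__ == "__main__":
    ifaces, tables = build()
    print(to_the_box(ifaces, tables, "INSIDE", "10.1.50.5"))   # the question's failing ping
    print(to_the_box(ifaces, tables, "MGMT", "10.1.50.5"))     # host on the MGMT VLAN
    print(lookup(tables["mgmt"], "192.168.10.5"))               # reply from MGMT goes via 10.1.50.6
    print(lookup(tables["mgmt"], "8.8.8.8"))                    # no default route in the mgmt table
```

Running it reproduces the thread: a host on INSIDE pinging 10.1.50.5 is dropped before routing is even consulted, so the `route MGMT 192.168.10.0 ...` line the poster added cannot help; a host that reaches the MGMT interface directly is accepted, and its reply is routed with the management table (192.168.10.0/24 via 10.1.50.6, and no default route at all).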
