08-26-2017 05:28 PM - edited 02-21-2020 06:14 AM
ASA 5510 Management Port
Hello,
I'm facing a problem configuring the management port on the ASA. I'm able to ping it only through VLAN 2 but not from any other VLAN, and I want to get it accessible from all VLANs.
In addition, I want to set up ASDM access through the management port, if that is possible.
Below is my ASA configuration
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 172.16.2.1 255.255.255.0
interface Redundant1
 member-interface Ethernet0/1
 member-interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 172.16.1.254 255.255.255.0
show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is 61.52.248.1 to network 0.0.0.0
C 61.52.248.0 255.255.248.0 is directly connected, outside
S 172.16.10.0 255.255.255.0 [1/0] via 172.16.1.250, inside
C 172.16.1.0 255.255.255.0 is directly connected, inside
C 172.16.2.0 255.255.255.0 is directly connected, management
d* 0.0.0.0 0.0.0.0 [1/0] via 61.52.248.1, outside
Below is the switch configuration
interface FastEthernet1/0/1
 ! Connected to ASA INSIDE
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast
interface FastEthernet1/0/2
 ! Connected to ASA Management 0/0
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast
interface Vlan100
 ip address 172.16.1.253 255.255.255.0
 standby 1 ip 172.16.1.250
 standby 1 priority 101
 standby 1 preempt delay minimum 15
 spanning-tree port-priority 128
interface Vlan2
 ip address 172.16.2.254 255.255.255.0
Gateway of last resort is 172.16.1.254 to network 0.0.0.0
     172.16.0.0/24 is subnetted, 4 subnets
C 172.16.50.0 is directly connected, Vlan50
C 172.16.10.0 is directly connected, Vlan10
C 172.16.1.0 is directly connected, Vlan100
C 172.16.2.0 is directly connected, Vlan2
S* 0.0.0.0/0 [1/0] via 172.16.1.254
CORE-SW-01# ping 172.16.2.1 source vlan 2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.2.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
CORE-SW-01# ping 172.16.2.1 source vlan 10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.10.253
.....
Success rate is 0 percent (0/5)
Please advise what I'm doing wrong here.
Labels: NGFW Firewalls
08-26-2017 06:54 PM
Hi
This is an expected behavior.
When you're trying to access your management interface from another VLAN, the ASA will look up its routing table and the next hop will be your inside interface. As you can see, it's an asymmetric situation and the traffic is dropped.
Except if you have a real out of band management network or an asa module like ips or csc in your case with 5510, the management interface is useful otherwise it's useless.
On new boxes running version 9.5.1 minimum, you have a separate management routing table.
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
08-27-2017 11:16 AM
Instead of enabling http and ssh through the management interface, enable them on your inside interface, like:
http inside x.x.x.x x.x.x.x
Instead of http management x.x.x.x x.x.x.x
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
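To see why the VLAN 2 ping succeeds while the VLAN 10 ping fails, and why moving ASDM/SSH to the inside interface fixes it, here is an added Python model (not code from the thread or from Cisco) that runs a longest-prefix lookup over the routing table in the original post and checks whether the reply would leave through the interface the request arrived on. Prefixes and interface names are taken from the post; the request/reply check is a simplification of the ASA's behaviour.

```python
import ipaddress

# Routing table transcribed from the OP's "show route": (prefix, egress interface).
ASA_ROUTES = [
    ("61.52.248.0/21", "outside"),      # C, directly connected
    ("172.16.10.0/24", "inside"),       # S, via 172.16.1.250
    ("172.16.1.0/24", "inside"),        # C, directly connected
    ("172.16.2.0/24", "management"),    # C, directly connected
    ("0.0.0.0/0", "outside"),           # default via 61.52.248.1
]


def egress_interface(dst: str, routes=ASA_ROUTES) -> str:
    """Longest-prefix match: the interface the ASA sends a packet for dst out of."""
    addr = ipaddress.ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def management_access(src: str, ingress: str) -> dict:
    """Model a management request (ping, ASDM, SSH) from src arriving on ingress.

    The reply is routed with the same table as data traffic (no separate
    management routing table on this release). If the reply would leave
    through a different interface than the request arrived on, the flow is
    asymmetric and the ASA drops it.
    """
    egress = egress_interface(src)
    return {"ingress": ingress, "reply_egress": egress, "accepted": egress == ingress}


if __name__ == "__main__":
    # VLAN 2 SVI pinging the management IP: connected route, symmetric, works.
    print(management_access("172.16.2.254", "management"))
    # VLAN 10 SVI pinging the management IP: reply routed via inside, dropped.
    print(management_access("172.16.10.253", "management"))
    # Same VLAN 10 host after "http inside ...": request hits the inside IP, symmetric.
    print(management_access("172.16.10.253", "inside"))
```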
08-27-2017 11:31 AM
Awesome! 100% worked.
08-27-2017 12:07 PM
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
08-27-2017 05:36 PM
Why is there a need for that? In the real world, why do we use them, and what are the particular inspect rules doing in my ASA, i.e. inspect ftp, icmp and many more?
I'm so confused.
08-27-2017 08:38 PM
Hi
Class-map is used to classify some type of traffic.
Policy-map is like a main function that sets up an action for each class-map you've configured.
Service-policy is the way to apply all those actions defined under the policy-map to an interface.
Global-policy is the way to apply a policy-map to every interface (like the default inspect policy on the ASA).
Inspect is a way to track sub-connections of the primary connection, to allow the traffic that's needed for the good working of some protocols. A detailed explanation for each inspection type, well explained, can be found here:
http://www.ciscopress.com/articles/article.asp?p=2104954
Hope that clarifies.
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
08-28-2017 05:43 AM
I thought if you add anything in a class map, i.e. icmp, it will allow the icmp.
Why is there a need for inspection?
08-28-2017 08:52 AM
The thinking behind it is to monitor the traffic from inside to outside and automatically allow the response from the outside based on the session created.
Then if we take the icmp for example:
I bet you have an ACL applied on your inside interface. If you want to authorize the icmp from your internal hosts to outside, you'll need to manage a specific entry on your ACL.
By adding the inspect icmp, you'll be able to authorize the icmp echo and echo reply dynamically without managing any ACLs. By default, without managing ACLs, an icmp echo reply arriving from outside to inside will be denied as the security level of outside is lower compared to the inside one.
This is a high-level view, if I summarize it simply for a quick explanation.
There are many posts in the community where this question has been asked and replied to. There's also Cisco documentation explaining it in detail, like:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/i2.html#wp1735986
I encourage you to take a look at those documents to learn in detail how it works.
Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
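As an added illustration (not Cisco's code or the poster's), this Python toy models the two situations Francesco describes: ICMP echo from inside to outside with no ACLs applied, with and without `inspect icmp`. Security levels come from the OP's config; the inside host and the outside address are constructed sample values, and the session key is the simplified (src, dst, identifier, sequence) tuple the ICMP inspection engine uses to pair an echo with its reply.

```python
from dataclasses import dataclass, field

# Security levels from the OP's interface configuration.
SECURITY_LEVEL = {"inside": 100, "outside": 0}


@dataclass(frozen=True)
class IcmpPacket:
    src: str
    dst: str
    ingress: str      # interface the packet arrives on
    kind: str         # "echo" or "echo-reply"
    ident: int        # ICMP identifier field
    seq: int          # ICMP sequence number


@dataclass
class AsaIcmpPolicy:
    """Toy model of default ASA behaviour with and without 'inspect icmp'.

    No ACLs are applied, as in the scenario described in the thread, so the
    only things that can permit a packet are the security-level rule
    (higher to lower is allowed) or a session created by the inspection engine.
    """
    inspect_icmp: bool
    sessions: set = field(default_factory=set)

    def forward(self, pkt: IcmpPacket) -> str:
        egress = "outside" if pkt.ingress == "inside" else "inside"
        if pkt.kind == "echo-reply":
            # A reply matches only if the original echo's tuple was recorded.
            key = (pkt.dst, pkt.src, pkt.ident, pkt.seq)
            if self.inspect_icmp and key in self.sessions:
                self.sessions.discard(key)   # one echo -> one reply, entry closes
                return "permit"
        # No session matched: fall back to the security-level rule.
        if SECURITY_LEVEL[pkt.ingress] > SECURITY_LEVEL[egress]:
            if self.inspect_icmp and pkt.kind == "echo":
                self.sessions.add((pkt.src, pkt.dst, pkt.ident, pkt.seq))
            return "permit"          # higher -> lower security is allowed by default
        return "deny"                # lower -> higher needs an ACL or a matching session


if __name__ == "__main__":
    # Constructed sample: inside host 172.16.10.5 pings 203.0.113.10 (documentation range).
    echo = IcmpPacket("172.16.10.5", "203.0.113.10", "inside", "echo", 0x1234, 1)
    reply = IcmpPacket("203.0.113.10", "172.16.10.5", "outside", "echo-reply", 0x1234, 1)
    for inspect in (False, True):
        asa = AsaIcmpPolicy(inspect_icmp=inspect)
        print(f"inspect icmp={inspect}: echo {asa.forward(echo)}, reply {asa.forward(reply)}")
```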
08-31-2017 06:04 AM
Also, I have multiple networks, so can I have more than one inspection list?
