5221 Views | 5 Helpful | 10 Replies
Cisco ASA 5510 Management Port

Rockyy (Level 1)

ASA 5510 Management Port

Hello,

 

I'm facing a problem configuring the management port on the ASA. I'm able to ping it only through VLAN 2, not from any other VLAN, and I want to make it accessible from all VLANs.

 

In addition, I want to set up ASDM access through the management interface, if that is possible.

 

Below is my ASA configuration

 

interface Ethernet0/0
 nameif outside
 security-level 0
 ip address dhcp setroute

interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 172.16.2.1 255.255.255.0

interface Redundant1
 member-interface Ethernet0/1
 member-interface Ethernet0/2
 nameif inside
 security-level 100
 ip address 172.16.1.254 255.255.255.0

show route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route

Gateway of last resort is 61.52.248.1 to network 0.0.0.0

C    61.52.248.0 255.255.248.0 is directly connected, outside
S    172.16.10.0 255.255.255.0 [1/0] via 172.16.1.250, inside
C    172.16.1.0 255.255.255.0 is directly connected, inside
C    172.16.2.0 255.255.255.0 is directly connected, management
d*   0.0.0.0 0.0.0.0 [1/0] via 61.52.248.1, outside

 

 

Below is the switch

 

interface FastEthernet1/0/1
 ! Connected to ASA INSIDE
 switchport access vlan 100
 switchport mode access
 spanning-tree portfast

interface FastEthernet1/0/2
 ! Connected to ASA Management 0/0
 switchport access vlan 2
 switchport mode access
 spanning-tree portfast

interface Vlan100
 ip address 172.16.1.253 255.255.255.0
 standby 1 ip 172.16.1.250
 standby 1 priority 101
 standby 1 preempt delay minimum 15
 spanning-tree port-priority 128

interface Vlan2
 ip address 172.16.2.254 255.255.255.0

Gateway of last resort is 172.16.1.254 to network 0.0.0.0
     172.16.0.0/24 is subnetted, 4 subnets
C       172.16.50.0 is directly connected, Vlan50
C       172.16.10.0 is directly connected, Vlan10
C       172.16.1.0 is directly connected, Vlan100
C       172.16.2.0 is directly connected, Vlan2
S*   0.0.0.0/0 [1/0] via 172.16.1.254

CORE-SW-01# ping 172.16.2.1 source vlan 2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.2.254
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms

CORE-SW-01# ping 172.16.2.1 source vlan 10
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.2.1, timeout is 2 seconds:
Packet sent with a source address of 172.16.10.253
.....
Success rate is 0 percent (0/5)

 

 

Please advise what I'm doing wrong here.

4 Accepted Solutions (all four are Francesco Molino's replies, reproduced once in the thread below)

10 Replies

Francesco Molino (VIP Alumni)

Hi 

 

This is an expected behavior. 

When you're trying to access your management interface from another VLAN, the ASA will look up its routing table and the next hop will be your inside interface. As you can see, it's an asymmetric situation and the traffic is dropped.

 

The management interface is useful only if you have a real out-of-band management network or an ASA module like IPS or CSC (in your case, with the 5510); otherwise it's useless.

 

On newer boxes running version 9.5.1 or later, you have a separate management routing table.

 

Thanks,
Francesco

PS: Please don't forget to rate and select as validated answer if this answered your question
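Added example, not from the thread: the asymmetric path traced through the poster's own routing table, a way to check the ASA's verdict, and the two fixes. The ASA CLI commands are the standard ones; the behaviour under "Option 2" is the separate management routing table on 9.5(1)+ that Francesco refers to, and `packet-tracer` / `show route management-only` are assumed to be present on the versions noted. All addresses are the ones posted above.

```cisco
! What happens today (poster's config): a ping from VLAN 10 (172.16.10.253)
! is routed by the core switch out its Vlan2 SVI and arrives on Management0/0.
! The reply is looked up in the ASA's single data routing table:
!   S 172.16.10.0 255.255.255.0 [1/0] via 172.16.1.250, inside
! Egress interface (inside) != ingress interface (management) -> dropped.
! From VLAN 2 the reply egresses management, the same interface, so it works.

! Check the verdict without generating traffic (to-the-box ICMP echo, type 8 code 0):
packet-tracer input management icmp 172.16.10.253 8 0 172.16.2.1 detailed
! ...and watch which drop counter increments while the VLAN 10 ping runs:
show asp drop

! Option 1 (any version, including the 5510 in this thread): do not manage the
! box through Management0/0 from routed VLANs at all. Traffic from VLAN 10 to
! the inside address 172.16.1.254 enters and leaves via inside, so it is
! symmetric; grant ASDM/SSH on "inside" instead (see the next reply).

! Option 2 (ASA 9.5(1) or later only): a management-only interface has its own
! routing table, and a static route whose egress interface is management-only
! goes into that table. The reply to VLAN 10 then goes back to the switch's
! Vlan2 SVI, the same path it came in on:
route management 172.16.10.0 255.255.255.0 172.16.2.254
route management 172.16.50.0 255.255.255.0 172.16.2.254
show route management-only
```

The check is worth keeping even after the fix: `packet-tracer` reports the interface the reply would leave on, so a later route change that silently re-introduces the asymmetry shows up as a drop rather than as an unexplained ASDM timeout.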

So how will I be able to access the ASDM in my scenario?

Instead of enabling http and ssh through the management interface, enable them on your inside interface, like:

 

 http x.x.x.x x.x.x.x inside

instead of

 http x.x.x.x x.x.x.x management

 

Thanks,
Francesco

PS: Please don't forget to rate and select as validated answer if this answered your question
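Added example, not from the thread: the ASDM/SSH access configuration on the inside interface, first the wide-open form and then a tighter one. The ASA syntax places the interface name last (`http <source> <mask> <ifname>`, same for `ssh`), and the interface argument is the interface the management session *arrives on*, not the VLAN the admin sits in, which is why a VLAN 10 host is granted on `inside`. The jump host 172.16.1.10 and the username `netadmin` are hypothetical; the subnets are the poster's.

```cisco
! Wide open: ASDM reachable from every host on the inside and VLAN 10 subnets.
http server enable
http 172.16.1.0 255.255.255.0 inside
http 172.16.10.0 255.255.255.0 inside

! Tighter: one jump host (hypothetical 172.16.1.10), SSHv2 only, local AAA,
! idle timeout, privilege-15 admin account. Sessions from VLAN 10 still work
! because they enter and leave the ASA on "inside" (symmetric path).
http server enable 443
http 172.16.1.10 255.255.255.255 inside
ssh 172.16.1.10 255.255.255.255 inside
ssh version 2
ssh timeout 10
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
username netadmin password <choose-a-strong-password> privilege 15

! Drop the management-interface entries once inside access is confirmed, so
! the unreachable path is not left as a second, unmonitored door:
no http 172.16.2.0 255.255.255.0 management

! Verify what is actually applied:
show run http
show run ssh
```

Granting a whole /24 is the quick way to get a "100% worked", but it also means every compromised workstation on that VLAN can reach the firewall's management plane; narrowing to a jump host is a one-line change once the path is proven.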

Awesome! 100% worked.

Happy to help! 👍🏻

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Thanks! I've studied a lot of forums but am still unable to understand what class-map, policy-map, global_policy and service-policy are.

Why is there a need for that? In the real world, why do we use it, and what are the particular inspect rules doing in my ASA, i.e. inspect ftp, icmp and many more?

I'm so confused.

Hi 

Class-map is used to classify some type of traffic. 

Policy-map is like a main function that sets up an action for each class-map you've configured.

Service-policy is the way to apply all those actions defined under policy-map to an interface. 

Global-policy is the way to apply a policy-map to every interface (like the default inspect policy on asa) 

 

Inspect is a way to track sub-connections of the primary connection, to allow the traffic that's needed for some protocols to work properly. A detailed explanation for each inspection type, well explained, can be found here:

http://www.ciscopress.com/articles/article.asp?p=2104954

 

Hope that clarifies. 

 

Thanks,
Francesco

PS: Please don't forget to rate and select as validated answer if this answered your question

So basically we can use all of the above to inspect the traffic that's going out and coming in?

I thought if you add anything in a class-map, i.e. icmp, it will allow the icmp.

Why is there a need for inspection?

The idea behind it is to monitor the traffic from inside to outside and automatically allow the response from the outside based on the session created.

Then if we take the icmp for example: 

I bet you have an ACL applied on your inside interface. If you want to authorize the icmp from your internal hosts to outside you'll need to manage a specific entry on your ACL.

By adding the inspect icmp, you'll be able to authorize the icmp echo and echo-reply dynamically without managing any ACLs. By default, without managing ACLs, an icmp echo-reply arriving from outside to inside will be denied, as the security level of outside is lower compared to the inside one.

 

This is a high level view if i summarize it simply for a quick explanation.

 

There're many posts in the community where this question has been asked and replied. There's also Cisco documentation explaining it in details like: 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa82/command/reference/cmd_ref/i2.html#wp1735986

 

I encourage you to take a look on those documentations to learn in detail how it works

 

Thanks,
Francesco

PS: Please don't forget to rate and select as validated answer if this answered your question
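Added example, not from the thread, covering both of Francesco's MPF replies above (the class-map / policy-map / service-policy structure, and why `inspect icmp` replaces an ACL entry for echo-replies). The default `inspection_default` / `global_policy` names are the ones the ASA ships with; the abridged default inspect list is illustrative, not a complete copy of any release's defaults. `INSIDE_WEB`, `INSIDE_POLICY` and `OUTSIDE_IN` are hypothetical names.

```cisco
! 1. class-map: WHAT traffic. The built-in class matches the well-known ports
!    of every protocol that has an inspection engine.
class-map inspection_default
 match default-inspection-traffic

! 2. policy-map: what to DO with each class. This is the factory global policy,
!    abridged. Note that icmp is NOT in it by default.
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect sip
  inspect sqlnet

! 3. service-policy: WHERE it applies. "global" = every interface.
service-policy global_policy global

! Why inspect icmp: a ping from inside to outside creates no TCP/UDP-style
! connection entry, so the echo-reply coming back hits the lower-security
! outside interface and is dropped. The pre-inspection workaround was a
! permanent hole in the outside ACL:
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-group OUTSIDE_IN in interface outside

! The stateful alternative: ICMP inspection tracks each echo by id/sequence
! and admits only the matching reply (and, with "icmp error", the ICMP
! unreachable/time-exceeded messages that refer to a tracked session).
! Adding to the existing global policy:
policy-map global_policy
 class inspection_default
  inspect icmp
  inspect icmp error
no access-list OUTSIDE_IN extended permit icmp any any echo-reply

! Per-interface policies: the ASA accepts one global policy plus at most one
! policy per interface; where both match the same feature, the interface
! policy wins for that interface. Example: HTTP inspection on inside only.
class-map INSIDE_WEB
 match port tcp eq 80
policy-map INSIDE_POLICY
 class INSIDE_WEB
  inspect http
service-policy INSIDE_POLICY interface inside

! Verify hit counters per class and interface:
show service-policy
show service-policy interface inside
```

The practical answer to "custom or default": keep `global_policy` and add to it, because the built-in `inspection_default` class already carries the port-to-engine mapping; create a separate per-interface policy only where one interface needs a feature the others must not get.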

Hey bud, what is the best practice for inspection? Should I keep the default one or change it to a custom one?

Also, I have multiple networks, so can I have more than one inspection list?