cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
4420
Views
35
Helpful
15
Replies

Cisco ASA 5512 - Internet access on management interface

Frank Nilsen
Level 1
Level 1

Hi.

Not sure if this is the right community, but I'll try.

The issue is internet Connectivity on the management Interface (physical port) on a ASA 5512-X - Se Attachment for topology.

I have set it up with different vlan interfaces (se attachment) and internet is working on all the VLAN's, but not on the management. (VLAN30)

Is this by design, or is it something I am missing?

 

Here are my NAT rules:
nat (management,Outside) source dynamic any interface description Internet for Management_VLAN
nat (Inside_Camera,Outside) source dynamic any interface description Internet for Server_VLAN
nat (Inside_Leilighet,Outside) source dynamic any interface description Internet for Server_VLAN
nat (Inside_WIFI,Outside) source dynamic any interface description Internet for Server_VLAN
nat (Inside_Server,Outside) source dynamic any interface description Internet for Server_VLAN
nat (Inside_Client,Outside) source dynamic any interface description Internet for Server_VLAN

ASA Version 9.3(1)

Any ideas anyone?

15 Replies 15

Marvin Rhoads
Hall of Fame
Hall of Fame

Traffic originating on (or coming into) the management interface cannot flow through the ASA (e.g to go outbound to the internet). This is by design and documented here.

If you need traffic originating from the management interface to reach the Internet, you need to add a default route specific to the management interface. For example, if your gateway on VLAN 30 is 192.168.30.1, you would need:

route management 0 0 192.168.30.1

You're close - the next hop address in the route statement should be the gateway address on VLAN 30 (i.e. the IP address of interface vlan 30).

You are telling the ASA's management interface to send any traffic it originates into your internal network. Once it goes there, the internal L3 switch will use its routing table to ascertain the correct next hop onwards - i.e. the ASA inside interface address.

But why do I just get this error then?

FW01(config)# route management 0 0 10.0.30.1
ERROR: Invalid next hop address 10.0.30.1, it matches our IP address

The 10.0.30.1 IS the ip address of interface vlan 30. (see asa-int.jpc attachment in my first post)

 

Hmm you're right - the screenshot shows you as .2, not .1.

Can you double check from CLI - "show ip address"?

Sorry, my mistake. I have changed from .2 to .1.

 

FW01# sh route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 172.1.1.1 to network 0.0.0.0

S*    0.0.0.0 0.0.0.0 [1/0] via 172.1.1.1, Outside
C        10.0.10.0 255.255.255.0 is directly connected, Inside_Client
L        10.0.10.1 255.255.255.255 is directly connected, Inside_Client
C        10.0.20.0 255.255.255.0 is directly connected, Inside_Server
L        10.0.20.1 255.255.255.255 is directly connected, Inside_Server
C        10.0.30.0 255.255.255.0 is directly connected, management
L        10.0.30.1 255.255.255.255 is directly connected, management
C        10.0.40.0 255.255.255.0 is directly connected, Inside_WIFI
L        10.0.40.1 255.255.255.255 is directly connected, Inside_WIFI
C        10.0.41.0 255.255.255.0 is directly connected, Inside_WIFI_GUEST
L        10.0.41.1 255.255.255.255 is directly connected, Inside_WIFI_GUEST
C        10.0.50.0 255.255.255.0 is directly connected, Inside_Leilighet
L        10.0.50.1 255.255.255.255 is directly connected, Inside_Leilighet
C        10.0.60.0 255.255.255.0 is directly connected, Inside_Camera
L        10.0.60.1 255.255.255.255 is directly connected, Inside_Camera
C        172.1.1.0 255.255.255.0 is directly connected, Outside
L        172.1.1.2 255.255.255.255 is directly connected, Outside
C        180.0.0.0 255.255.255.0 is directly connected, DMZ
L        180.0.0.1 255.255.255.255 is directly connected, DMZ

FW01# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method 
GigabitEthernet0/0       Outside                172.1.1.2       255.255.255.0   manual
GigabitEthernet0/1       DMZ                    180.0.0.1       255.255.255.0   manual
Management0/0            management             10.0.30.1       255.255.255.0   manual
Port-channel10.10        Inside_Client          10.0.10.1       255.255.255.0   manual
Port-channel10.20        Inside_Server          10.0.20.1       255.255.255.0   manual
Port-channel10.40        Inside_WIFI            10.0.40.1       255.255.255.0   manual
Port-channel10.41        Inside_WIFI_GUEST      10.0.41.1       255.255.255.0   manual
Port-channel10.50        Inside_Leilighet       10.0.50.1       255.255.255.0   manual
Port-channel10.60        Inside_Camera          10.0.60.1       255.255.255.0   manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method 
GigabitEthernet0/0       Outside                172.1.1.2       255.255.255.0   manual
GigabitEthernet0/1       DMZ                    180.0.0.1       255.255.255.0   manual
Management0/0            management             10.0.30.1       255.255.255.0   manual
Port-channel10.10        Inside_Client          10.0.10.1       255.255.255.0   manual
Port-channel10.20        Inside_Server          10.0.20.1       255.255.255.0   manual
Port-channel10.40        Inside_WIFI            10.0.40.1       255.255.255.0   manual
Port-channel10.41        Inside_WIFI_GUEST      10.0.41.1       255.255.255.0   manual
Port-channel10.50        Inside_Leilighet       10.0.50.1       255.255.255.0   manual
Port-channel10.60        Inside_Camera          10.0.60.1       255.255.255.0   manual
FW01# 

So you need one address in the 10.0.30.0/24 and the SVI on your switch needs a different one.

Your "route management..." statement needs to point you to the switch's address.

Sorry, still the same.
(sorry for my ignorance if im missing something...i'm rather new in the field)

 

My C3650 switch has 10.0.30.3

FW01(config)# route management 0 0 10.0.30.3
ERROR: Cannot add route entry, conflict with existing routes

Switch config:
interface Vlan30
 description MGMT_VLAN
 ip address 10.0.30.3 255.255.255.0
!
ip default-gateway 10.0.30.1

Is it something like this you are thinking about:

On the switch:

conf t
ip routing
int gi0/44    <-----plugged into the management port on the asa
no switchport
ip address 10.0.30.2 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.30.1

on the asa
route management 0 0 10.0.30.2

If so, will the ip route on the switch be tge 10.0.30.1 address?

 

Can we back up and explain the desired behavior?

From your switch it appears you want to have the ASA management interface be the default route for traffic leaving the switch. That won't work - you need to specify a non-management interface on the ASA.

Shortly told, I want all devices on the management network (vlan30) to have internet connectivity. (switches, management pc's, asa, wap's, +++.) So they can reach time servers, update servers, the asa to reach botnet database and so on.

But maybe I am looking at it the wrong way..?

 

 

 

You have the switch setup with a routed port:

no switchport
ip address 10.0.30.2 255.255.255.0

It should be a switchport and then you would setup a VLAN interface instead.

int gi0/44

no ip address

switchport

switchport access vlan 30

int vlan 30
ip address 10.0.30.2 255.255.255.0

Direct the VLAN 30 devices to the switch VLAN 30 address as a gateway. Tell the switch to use the ASA inside interface as the default route.

ip route 0.0.0.0 0.0.0.0 10.0.10.1

Hi.
Thanks again for your help, but still a no go...

 

Gi0/44 has always been a switchport, and i have interface vlan30 with ip 10.0.30.3. 

I have now set ip route 0.0.0.0 0.0.0.0 10.0.10.1 on the switch, but vlan30 still can't access the internet.

SW01(config)#ip route 0.0.0.0 0.0.0.0 10.0.10.1
SW01(config)#do ping 8.8.8.8                   
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

I have attached the switchconfig.

I mistakenly assumed your switch had a layer 3 interface in the 10.0.10.0/24 subnet. Without that, your new default route will not be able to reach the ASA.

Basically your 10.0.30.0 subnet needs a route via a reachable gateway to get to the ASA (on something other than the management interface) and thence on to the Internet.

Maybe the easyest way is to not use the management port and just create the management interface as a subinterface in the ASA, as the others, and manage it via the trunkport...

I'll do some research and see what i find.

Thanks for your help.

 

/f

Review Cisco Networking for a $25 gift card