You're close - the next hop address in the route statement should be the gateway address on VLAN 30 (i.e. the IP address of interface vlan 30).

You are telling the ASA's management interface to send any traffic it originates into your internal network. Once it goes there, the internal L3 switch will use its routing table to ascertain the correct next hop onwards - i.e. the ASA inside interface address.

But why do I just get this error then?

FW01(config)# route management 0 0 10.0.30.1
ERROR: Invalid next hop address 10.0.30.1, it matches our IP address

The 10.0.30.1 IS the ip address of interface vlan 30. (see asa-int.jpc attachment in my first post)

Hmm you're right - the screenshot shows you as .2, not .1.

Can you double check from CLI - "show ip address"?

Sorry, my mistake. I have changed from .2 to .1.

FW01# sh route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route

Gateway of last resort is 172.1.1.1 to network 0.0.0.0

S*    0.0.0.0 0.0.0.0 [1/0] via 172.1.1.1, Outside
C        10.0.10.0 255.255.255.0 is directly connected, Inside_Client
L        10.0.10.1 255.255.255.255 is directly connected, Inside_Client
C        10.0.20.0 255.255.255.0 is directly connected, Inside_Server
L        10.0.20.1 255.255.255.255 is directly connected, Inside_Server
C        10.0.30.0 255.255.255.0 is directly connected, management
L        10.0.30.1 255.255.255.255 is directly connected, management
C        10.0.40.0 255.255.255.0 is directly connected, Inside_WIFI
L        10.0.40.1 255.255.255.255 is directly connected, Inside_WIFI
C        10.0.41.0 255.255.255.0 is directly connected, Inside_WIFI_GUEST
L        10.0.41.1 255.255.255.255 is directly connected, Inside_WIFI_GUEST
C        10.0.50.0 255.255.255.0 is directly connected, Inside_Leilighet
L        10.0.50.1 255.255.255.255 is directly connected, Inside_Leilighet
C        10.0.60.0 255.255.255.0 is directly connected, Inside_Camera
L        10.0.60.1 255.255.255.255 is directly connected, Inside_Camera
C        172.1.1.0 255.255.255.0 is directly connected, Outside
L        172.1.1.2 255.255.255.255 is directly connected, Outside
C        180.0.0.0 255.255.255.0 is directly connected, DMZ
L        180.0.0.1 255.255.255.255 is directly connected, DMZ

FW01# sh ip
System IP Addresses:
Interface                Name                   IP address      Subnet mask     Method 
GigabitEthernet0/0       Outside                172.1.1.2       255.255.255.0   manual
GigabitEthernet0/1       DMZ                    180.0.0.1       255.255.255.0   manual
Management0/0            management             10.0.30.1       255.255.255.0   manual
Port-channel10.10        Inside_Client          10.0.10.1       255.255.255.0   manual
Port-channel10.20        Inside_Server          10.0.20.1       255.255.255.0   manual
Port-channel10.40        Inside_WIFI            10.0.40.1       255.255.255.0   manual
Port-channel10.41        Inside_WIFI_GUEST      10.0.41.1       255.255.255.0   manual
Port-channel10.50        Inside_Leilighet       10.0.50.1       255.255.255.0   manual
Port-channel10.60        Inside_Camera          10.0.60.1       255.255.255.0   manual
Current IP Addresses:
Interface                Name                   IP address      Subnet mask     Method 
GigabitEthernet0/0       Outside                172.1.1.2       255.255.255.0   manual
GigabitEthernet0/1       DMZ                    180.0.0.1       255.255.255.0   manual
Management0/0            management             10.0.30.1       255.255.255.0   manual
Port-channel10.10        Inside_Client          10.0.10.1       255.255.255.0   manual
Port-channel10.20        Inside_Server          10.0.20.1       255.255.255.0   manual
Port-channel10.40        Inside_WIFI            10.0.40.1       255.255.255.0   manual
Port-channel10.41        Inside_WIFI_GUEST      10.0.41.1       255.255.255.0   manual
Port-channel10.50        Inside_Leilighet       10.0.50.1       255.255.255.0   manual
Port-channel10.60        Inside_Camera          10.0.60.1       255.255.255.0   manual
FW01# 

So you need one address in the 10.0.30.0/24 and the SVI on your switch needs a different one.

Your "route management..." statement needs to point you to the switch's address.

Sorry, still the same.
(sorry for my ignorance if im missing something...i'm rather new in the field)

My C3650 switch has 10.0.30.3

FW01(config)# route management 0 0 10.0.30.3
ERROR: Cannot add route entry, conflict with existing routes

Switch config:
interface Vlan30
 description MGMT_VLAN
 ip address 10.0.30.3 255.255.255.0
!
ip default-gateway 10.0.30.1

Is it something like this you are thinking about:

On the switch:

conf t
ip routing
int gi0/44    <-----plugged into the management port on the asa
no switchport
ip address 10.0.30.2 255.255.255.0
no shutdown
ip route 0.0.0.0 0.0.0.0 10.0.30.1

on the asa
route management 0 0 10.0.30.2

If so, will the ip route on the switch be tge 10.0.30.1 address?

Can we back up and explain the desired behavior?

From your switch it appears you want to have the ASA management interface be the default route for traffic leaving the switch. That won't work - you need to specify a non-management interface on the ASA.

Shortly told, I want all devices on the management network (vlan30) to have internet connectivity. (switches, management pc's, asa, wap's, +++.) So they can reach time servers, update servers, the asa to reach botnet database and so on.

But maybe I am looking at it the wrong way..?

You have the switch setup with a routed port:

no switchport
ip address 10.0.30.2 255.255.255.0

It should be a switchport and then you would setup a VLAN interface instead.

int gi0/44

no ip address

switchport

switchport access vlan 30

int vlan 30
ip address 10.0.30.2 255.255.255.0

Direct the VLAN 30 devices to the switch VLAN 30 address as a gateway. Tell the switch to use the ASA inside interface as the default route.

ip route 0.0.0.0 0.0.0.0 10.0.10.1

Hi.
Thanks again for your help, but still a no go...

Gi0/44 has always been a switchport, and i have interface vlan30 with ip 10.0.30.3. 

I have now set ip route 0.0.0.0 0.0.0.0 10.0.10.1 on the switch, but vlan30 still can't access the internet.

SW01(config)#ip route 0.0.0.0 0.0.0.0 10.0.10.1
SW01(config)#do ping 8.8.8.8                   
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 8.8.8.8, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)

I have attached the switchconfig.

I mistakenly assumed your switch had a layer 3 interface in the 10.0.10.0/24 subnet. Without that, your new default route will not be able to reach the ASA.

Basically your 10.0.30.0 subnet needs a route via a reachable gateway to get to the ASA (on something other than the management interface) and thence on to the Internet.

Maybe the easyest way is to not use the management port and just create the management interface as a subinterface in the ASA, as the others, and manage it via the trunkport...

I'll do some research and see what i find.

Thanks for your help.

/f