12-31-2012 06:53 AM - edited 03-11-2019 05:42 PM
ASA Version 8.6(1)2 = ***Unable to access the management interface using SSH, HTTP and Telnet***
We have a Cisco ASA 5512-X which is running in transparent mode.
The firewall is forwarding traffic from our inside to outside interface with the use of a single BVI interface and bridge group.
However, when we bring the management interface up, our transparency feature stops working.
Is there a specific way to allow both transparency and management access to work?
12-31-2012 07:32 AM
Hi,
Personally I have not really used ASAs in Transparent mode, but the below quote from the Configuration Guide for your software might be the situation you are running into?
In transparent firewall mode, the management interface updates the MAC address table in the same
manner as a data interface; therefore you should not connect both a management and a data interface to
the same switch unless you configure one of the switch ports as a routed port (by default Cisco Catalyst
switches share a MAC address for all VLAN switch ports). Otherwise, if traffic arrives on the
management interface from the physically-connected switch, then the ASA updates the MAC address
table to use the management interface to access the switch, instead of the data interface. This action
causes a temporary traffic interruption; the ASA will not re-update the MAC address table for packets
from the switch to the data interface for at least 30 seconds for security reasons.
Also there's this:
The default route for the transparent firewall, which is required to provide a return path for
management traffic, is only applied to management traffic from one bridge group network. This is
because the default route specifies an interface in the bridge group as well as the router IP address
on the bridge group network, and you can only define one default route. If you have management
traffic from more than one bridge group network, you need to specify a static route that identifies
the network from which you expect management traffic.
And finally:
Unlike routed mode, which requires an IP address for each interface, a transparent firewall has an
IP address assigned to the entire bridge group. The ASA uses this IP address as the source address
for packets originating on the ASA, such as system messages or AAA communications. In addition
to the bridge group management address, you can optionally configure a management interface for
some models; see the “Management Interface” section on page 6-2 for more information.
The management IP address must be on the same subnet as the connected network. You cannot set
the subnet to a host subnet (255.255.255.255). The ASA does not support traffic on secondary
networks; only traffic on the same network as the management IP address is supported. See the
“Configuring Bridge Groups” section on page 9-7 for more information about management IP
subnets.
Hopefully the above is of some help? I guess it would also be possible to manage the ASA using the IP address configured for the data interfaces (the BVI, I guess).
The whole document can be found at the link below (the document title suggests it applies to the new 55xx-X series also running 8.6 software):
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/asa_84_cli_config.html
- Jouni
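As an added illustration of the three points quoted above (this is not configuration from the thread or from Cisco's guide), here is a minimal ASA 8.4/8.6-style transparent-mode configuration that keeps the data bridge group intact and adds a separate management interface. Interface names, addresses, the admin subnet and the gateways are assumptions for illustration:

```text
! Added example, not from the original thread. Interface names, subnets,
! gateways and the admin network (10.20.0.0/16) are assumptions.
firewall transparent
!
! Data path: one bridge group containing the inside and outside members.
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 bridge-group 1
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 bridge-group 1
!
! The bridge group, not each member interface, carries the IP address.
! It must be on the same subnet as the connected network (no /32 host mask).
interface BVI1
 ip address 192.168.1.2 255.255.255.0
!
! The single default route gives management traffic sourced from the
! bridge-group address its return path; it names a bridge-group member.
route inside 0.0.0.0 0.0.0.0 192.168.1.1
!
! Dedicated management interface on its own subnet, restricted to
! management traffic so it never takes part in bridging.
interface Management0/0
 nameif management
 security-level 100
 ip address 10.10.10.2 255.255.255.0
 management-only
!
! Admin stations beyond the management subnet need a static route out the
! management interface, since the one default route already points inside.
route management 10.20.0.0 255.255.0.0 10.10.10.1
!
! Permit SSH and ASDM/HTTPS only from the admin network, only on management.
ssh 10.20.0.0 255.255.0.0 management
http server enable
http 10.20.0.0 255.255.0.0 management
```

On the switch side, the first quoted paragraph is the one to check: if the port facing Management0/0 sits in the same Catalyst switch as the ports facing GigabitEthernet0/0 and 0/1, make it a routed port (no switchport, with its own IP address) so the switch does not present the same source MAC on the management and data links; otherwise the ASA's MAC table will flip the switch's address to the management interface and the bridged traffic is interrupted for at least 30 seconds each time.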