08-17-2010 08:38 AM - edited 03-11-2019 11:26 AM
Hello,
I know that the Cisco ASA Transparent Mode implementation requires a management IP Address in order to pass traffic:
"For IPv4, a management IP address is required for both management traffic and for traffic to pass
through the adaptive security appliance. For multiple context mode, an IP address is required for
each context."
But it is also supported to configure a dedicated management interface:
"You can configure an IP address (both IPv4 and IPv6) for the Management 0/0 or Management 0/1
management-only interface. This IP address can be on a separate subnet from the main management
IP address."
The question is:
In a multiple context mode with a transparent mode setup, if a dedicated management interface is configured per context, is it still necessary to configure a management IP on the same subnet as the Inside/Outside interfaces to allow the traffic to pass?
Thanks in advance,
Pedro Mazzoni
08-17-2010 08:57 AM
Hi,
It is recommended to have a management IP for a transparent firewall (or a context) in the same subnet that it lies in. This is used for traffic sourced from the firewall like syslogs, AAA, etc. Also, please look at the link below:
"If the destination MAC address is not in the security appliance table, the security appliance attempts to discover the MAC address when it sends an ARP request and a ping. The first packet is dropped."
So the ping that it sends to discover the MAC address of the next hop will be with a source IP address as the management IP that we have configured.
Again, even if we do not have this IP address or if we have it in a different subnet, things might still work fine but we might run into some unknown problems. Hope this helps.
All the best!!
Thanks and Regards,
Prapanch
08-19-2010 08:52 AM
OK Prapanch, thanks for the reply.
As far as I understood it, please correct me if I am wrong, even if I do NOT configure a global IP address for a context in the same subnet of the connected subnet, and only configure a dedicated physical "out of band" management interface, like management0/0, things might still work.
The questions are:
1 - Will the IP packets generated by the ASA be sourced with the management IP?
2 - Is it possible to use the management interface for the "ASA generated" packets, like AAA, syslog and NTP?
3 - You wrote that "things might still work". Could you please detail it? Which "things" will work and which not?
Thanks in advance!
Pedro Mazzoni
08-19-2010 09:35 AM
Hi Pedro,
> even if I do NOT configure a global IP address for a context in the same subnet of the connected subnet, and only configure a dedicated physical "out of band" management interface, like management0/0, things might still work
I think the important word above is might, as I have bolded out. I have never tried this out, but my guess is that there will be issues passing traffic through the ASA, as I said in the last mail about the ARP request and the ping, which will not work fine.
> 2 - Is it possible to use the management interface for the "ASA generated" packets, like AAA, syslog and NTP?
This, I think, is not possible. The ASA will use the global management IP address for such traffic. The management interface is used only for remote management of the ASA.
> 3 - You wrote that "things might still work". Could you please detail it? Which "things" will work and which not?
I cannot be sure of what will work and where you will face problems. I have just seen some instances wherein the management IP is in a different subnet and still things were working smoothly (though some issues did come up later on). Hence, my suggestion will be to have a management IP for the transparent firewall as the configuration guide says.
An important thing I wanted to bring to your notice was:
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/fwmode.html#wp1201980
In transparent firewall mode, the management interface updates the MAC address table in the same manner as a data interface; therefore you should not connect both a management and a data interface to the same switch unless you configure one of the switch ports as a routed port (by default Cisco Catalyst switches share a MAC address for all VLAN switch ports). Otherwise, if traffic arrives on the management interface from the physically-connected switch, then the adaptive security appliance updates the MAC address table to use the management interface to access the switch, instead of the data interface. This action causes a temporary traffic interruption; the adaptive security appliance will not re-update the MAC address table for packets from the switch to the data interface for at least 30 seconds for security reasons.
Hence to conclude, management IP is a must for the transparent firewall even if we have a dedicated management interface. The management interface is used only for remote management of the firewall.
Regards,
Prapanch
08-19-2010 11:25 AM
Thanks again Prapanch!
So the ASA-originated packets (AAA, Syslog, ...) will have the global management IP as source address, and not the management interface address.
Just one more question: do you think it is possible to route the ASA-originated traffic (AAA, Syslog, ...) through the management interface, even if those packets are formed with the global management IP as source address?
Regards,
Pedro Mazzoni
08-21-2010 08:15 AM
Hi,
I would assume that if the AAA/syslog servers are routed out through the management interface, then it might work this way.
Regards,
Prapanch
12-13-2010 07:02 AM
Hello,
When working in transparent mode with a multiple context configuration, it is possible to allocate at most 2 interfaces per context:
ERROR: You can allocate at most (2) data interfaces to a context
But is it possible to allocate dedicated management interfaces to contexts?
i.e.:
interface management 0/0.1 : Admin Context MANAGEMENT(management-only)
interface management 0/0.2 : Context 1 MANAGEMENT(management-only)
interface management 0/0.3 : Context 2 MANAGEMENT(management-only)
interface gi 3/0 : Context 1 INSIDE
interface gi 3/1 : Context OUTSIDE
interface gi 3/2 : Context 1 INSIDE
interface gi 3/3 : Context OUTSIDE
Thanks in advance,
Pedro Mazzoni
12-13-2010 07:10 AM
Hi Pedro,
It is possible to do it:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/fwmode.html#wp1202704
"The transparent security appliance uses an inside interface and an outside interface only. If your platform includes a dedicated management interface, you can also configure the management interface or subinterface for management traffic only."
Hope that helps!!
Cheers,
Prapanch
12-13-2010 07:43 AM
Thanks Prapanch!
12-13-2010 07:57 AM
My pleasure. Please mark this post as answered if there is nothing further.
12-13-2010 08:17 AM
Just one more question: when working with multiple contexts in transparent mode, can I share the management interface, or will I have to create subinterfaces?
12-13-2010 08:24 AM
Hi Pedro,
Unfortunately, it's not possible to share interfaces in transparent mode:
"For multiple context mode, each context must use different interfaces; you cannot share an interface across contexts."
Cheers,
Prapanch
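An added configuration example, not from this thread or from Cisco documentation, that ties the answers together: the system space allocates one management-only subinterface plus the two data interfaces to each context, and the context keeps the bridged management IP on the inside/outside subnet. Context names, interface numbers, VLAN IDs and all addresses are constructed for illustration.

```cisco
! ---- System execution space (constructed example) ----
mode multiple
! Releases before 9.0 set the firewall mode here for all contexts.
firewall transparent
interface Management0/0
 no shutdown
! One tagged subinterface per context; Management0/0 therefore needs a trunk
! to a switch that does NOT also carry the data interfaces (see the MAC
! address table caveat quoted earlier in the thread).
interface Management0/0.2
 vlan 102
interface GigabitEthernet3/0
 no shutdown
interface GigabitEthernet3/1
 no shutdown
context ctx1
 allocate-interface GigabitEthernet3/0
 allocate-interface GigabitEthernet3/1
 allocate-interface Management0/0.2
 config-url disk0:/ctx1.cfg
!
! ---- Context ctx1 (disk0:/ctx1.cfg) ----
interface GigabitEthernet3/0
 nameif inside
 security-level 100
interface GigabitEthernet3/1
 nameif outside
 security-level 0
interface Management0/0.2
 nameif management
 security-level 100
 management-only
 ip address 10.99.2.10 255.255.255.0
! Bridged management IP: kept on the subnet this context bridges (10.1.1.0/24 here)
! so ARP/ping next-hop discovery and ASA-sourced traffic have a valid address.
ip address 10.1.1.10 255.255.255.0
! Send the management network out of band. Per the answers above, ASA-originated
! syslog/AAA packets are sourced from the bridged IP, so the syslog server needs
! a return route to 10.1.1.10 as well as to the management subnet.
route management 10.99.0.0 255.255.0.0 10.99.2.1 1
logging host management 10.99.20.50
ssh 10.99.2.0 255.255.255.0 management
```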
01-13-2014 06:20 AM
In ASA transparent mode, why is it necessary to keep the management IP in the same subnet as that of the connected network?
What if I keep the management IP in a different subnet than that of the connected network?
If I do so, does the traffic move through the ASA, and why?
Thanks.
01-13-2014 09:44 AM
Hello Vijay,
As you say, you can use another one. That's correct, but the thing is that the management IP is not only used for management purposes.
That's where you are missing the point.
That IP address assigned to the ASA as a whole will also be used for ARP requests when the ASA does not know where the destination host lies and it's not on the same subnet as the ASA.
It will also be used as a source for packets going to a syslog server, AAA server, Netflow server, SNMP server and any packet that the ASA will need to create, so with that in mind the routing of the network will need to be changed to work with this.
If you get to accomplish that the routing of the network works with a different management IP address on the transparent firewall, then you can do it. I can assure you I have seen this scenario before working with no issues at all, bud.
Just remember to rate all of the helpful posts like this one.
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
01-13-2014 10:30 AM
Thanks jcarvaja