
Cisco ASA in Transparent Mode Management

phmazzoni
Beginner

Hello,

I know that the Cisco ASA Transparent Mode implementation requires a management IP address in order to pass traffic:

"For IPv4, a management IP address is required for both management traffic and for traffic to pass through the adaptive security appliance. For multiple context mode, an IP address is required for each context."

But it is also supported to configure a dedicated management interface:

"You can configure an IP address (both IPv4 and IPv6) for the Management 0/0 or Management 0/1 management-only interface. This IP address can be on a separate subnet from the main management IP address."

The question is:

In a multiple context mode with a transparent mode setup, if a dedicated management interface is configured per context, is it still necessary to configure a management IP on the same subnet as the Inside/Outside interfaces to allow the traffic to pass?

Thanks in advance,
Pedro Mazzoni

3 Accepted Solutions

Hi Pedro,

It is possible to do it:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/fwmode.html#wp1202704

"The transparent security appliance uses an inside interface and an outside interface only. If your platform includes a dedicated management interface, you can also configure the management interface or subinterface for management traffic only."

Hope that helps!!

Cheers,

Prapanch


My pleasure. Please mark this post as answered if there is nothing further.


Hi Pedro,

Unfortunately, it's not possible to share interfaces in transparent mode:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml#guide

"For multiple context mode, each context must use different interfaces; you cannot share an interface across contexts."

Cheers,

Prapanch


14 Replies

praprama
Cisco Employee

Hi,

It is recommended to have a management IP for a transparent firewall (or a context) in the same subnet that it lies in. This is used for traffic sourced from the firewall like syslogs, AAA, etc. Also, please look at the link below:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml#inside

"If the destination MAC address is not in the security appliance table, the security appliance attempts to discover the MAC address when it sends an ARP request and a ping. The first packet is dropped."

So the ping that it sends to discover the MAC address of the next hop will be with a source IP address as the management IP that we have configured.

Again, even if we do not have this IP address or if we have it in a different subnet, things might still work fine but we might run into some unknown problems. Hope this helps.

All the best!!

Thanks and Regards,

Prapanch
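To illustrate what the accepted solution and this last reply describe together, here is an added per-context configuration in ASA 8.0-style transparent mode syntax (composed for this page, not taken from the thread or from Cisco documentation; context name and all addresses are constructed sample values). It keeps the management IP in the bridged inside/outside subnet, which the context needs to source ARP/ping for MAC discovery and to pass traffic, and adds a separate management-only interface on its own subnet for SSH, syslog and AAA.

```cisco
! Added example, not from the thread. Firewall mode and interface allocation
! are done in the system execution space (shown here as comments):
!   firewall transparent
!   context CTX1
!     allocate-interface GigabitEthernet0/0
!     allocate-interface GigabitEthernet0/1
!     allocate-interface Management0/0
!     config-url disk0:/ctx1.cfg
!
! Context configuration (ctx1.cfg). Addresses are constructed sample values.
hostname CTX1
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
!
! Management IP in the same subnet as the bridged inside/outside segment.
! Still required: the context sources its ARP/ping MAC discovery from it.
ip address 192.168.10.5 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.10.1 1
!
! Dedicated management-only interface on a separate subnet. The
! management-only keyword prevents through-traffic on this interface.
interface Management0/0
 nameif management
 security-level 100
 ip address 10.200.0.5 255.255.255.0
 management-only
!
! Restrict device administration and logging to the management network.
ssh 10.200.0.0 255.255.255.0 management
logging enable
logging host management 10.200.0.50
```

Because interfaces cannot be shared across contexts in transparent mode, each context needs its own allocated management interface (or subinterface) if this layout is repeated per context.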