FW MGMT IP addressing

johnlloyd_13
Level 9

Hi,

Refer to the attached diagram and generic IP addressing (and VLANs).

I'm trying to configure inter-VLAN routing and at the same time apply FW rules/policy to allow only SSH and SNMP traffic between the VM VLAN (x.y.z.0/24) and the infra/LAN subnet (a.b.c.0/27).

Is it possible to assign the MGMT IP a.b.c.30/27 (the same as the VRF LAN subnet)?

Just want another set of 'eyes' to validate my design.

11 Replies

Jon Marshall
Hall of Fame

I have looked at this a few times and still can't work out what you are asking.

Firstly you have x.y.z.0/24 but also x.y.z.248/29 in your diagram, which I am assuming is a typo as the router looks to be routing the VRFs to the firewall, or perhaps I have misunderstood?

And it's not clear what you are asking about a.b.c.30/27.

But it could just be me :)

Can you clarify what exactly you want to do?

Jon

Hi Jon,

Thanks for your time looking into my problem.

My bad, I was editing the actual Visio. So let's say it's x.y.z.0/27 for the VM server subnet (VLAN 8), and then x.y.z.248/29 for the WAN between the router and the FW.

If you trace the dotted lines: if a VM server (in VLAN 8) wants to talk to any SW or infra device (on VLAN 4), it goes through the router (in a VRF) > to the FW (outside) > apply the SSH/SNMP policy/rules > routes to the infra/SW LAN (in VLAN 4).

Can I still use the a.b.c.30/27 IP for FW MGMT? The reason behind this is that I don't want to re-IP the FW (and other FW config).

I hope this makes sense :)

No problem, I did think you were using the firewall to control traffic between VLANs.

Sorry for all the questions, but just to clarify again: a.b.c.30/27 is part of the a.b.c.0/27 subnet.

Do you mean use the a.b.c.32/27 subnet for management?

Jon


Your understanding is correct, the a.b.c.30/27 FW MGMT IP is part of the a.b.c.0/27 SW/infra LAN subnet.

Will this cause any issue with FW remote access or routing?

If you are managing the firewall from the LAN VRF then it should be fine.

Jon

Hi Jon,

Thanks for clearing my doubts!

Have a great weekend!

John

Sincere apologies, but I knew there was something bothering me about it.

You will be able to access the firewall if you are in that subnet, but it will mess up the routing between the two VRFs on the firewall, because now the firewall has an interface in the a.b.c.0/27 subnet, so traffic will not flow properly between the VRFs and may not work with the state tables on the firewall.

Why not use a new IP subnet and route it off the router but not via the firewall, and simply add it to the LAN VRF?

Jon

Hi Jon,

Thanks for your feedback!

There's something peculiar in my design, which is why I want a fresh set of eyes to validate it.

So my remote NMS (to manage the FW and LAN/SW devices) will come from another WAN interface (separate VRF) on the GW/router: NMS > WAN (say WAN VRF) > GW > LAN VRF a.b.c.0/27, therefore our NMS will not route via the FW (outside to inside).

Correct me if I'm wrong, but the MGMT interface is not a routed interface (I read somewhere it might be on newer code). Therefore, it won't mess with the FW route/state table?

You just caught me before logging off.

I think that's the key point: whether or not the management interface on the firewall is a routed interface and would be seen as a directly connected interface in the firewall routing table, in which case it won't work properly as far as I can see.

What is the firewall model and what version of code are you running?

If it was seen in the routing table then you could just do as I suggested in the last post, i.e. use a new subnet, add it to the LAN VRF and route it off the router.

Jon

Hi Jon,

It's an ASA5506-X ver 9.8.

I haven't configured the FW 'outside' and 'inside' interfaces and their routing yet; the FW is only configured for remote access/MGMT for now.

I checked the routing table for the MGMT interface and it is 'blank', so would that mean my original design would work?


# sh ver

Cisco Adaptive Security Appliance Software Version 9.8(2)
Firepower Extensible Operating System Version 2.2(2.52)
Device Manager Version 7.8(2)

 

# sh run int m1/1
!
interface Management1/1
 management-only
 nameif MGMT
 security-level 100
 ip address 172.b.c.30 255.255.255.224

# sh route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, + - replicated route
Gateway of last resort is not set
<BLANK>

# sh arp
        MGMT 172.b.c.7 dceb.9415.0123 8327
        MGMT 172.b.c.1 c89c.1d83.0456 8837

 

# ping 172.b.c.1   <<< LAN GW (LAN VRF)
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.b.c.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/10 ms

Haven't used that model, but as far as I can tell the problem you will have is that if it is not seen in the routing table, yes you could manage it, but only from a device in the same subnet, because you cannot add routes for remote subnets and your NMS is on a remote subnet.

I will have a read of the docs if I get the chance tomorrow and see what options there are for the management interface.

Jon
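As an added example (not from the thread or from either poster), a small Python design check for the two points Jon raises above: whether the management subnet overlaps a data-plane interface's connected subnet, and whether an NMS in a remote subnet can be reached when the management interface has no routes of its own. The addresses are constructed stand-ins for the poster's a.b.c / x.y.z values.

```python
# Added design-validation example; addresses below are constructed, not from the thread.
from ipaddress import ip_address, ip_interface, ip_network


def connected_overlaps(data_ifaces, mgmt_iface):
    """Return the names of data-plane interfaces whose connected subnet
    overlaps the management interface's subnet (Jon's concern: a second
    path into a.b.c.0/27 that the firewall's data-plane routing sees)."""
    mgmt_net = ip_interface(mgmt_iface).network
    return [name for name, addr in data_ifaces.items()
            if ip_interface(addr).network.overlaps(mgmt_net)]


def mgmt_can_reach(mgmt_iface, nms_ip, mgmt_routes):
    """True if the NMS is on the management subnet, or if a management-table
    route (destination, next hop) covers it with a next hop on that subnet.
    With an empty route list only same-subnet devices are reachable."""
    mgmt = ip_interface(mgmt_iface)
    nms = ip_address(nms_ip)
    if nms in mgmt.network:
        return True
    return any(nms in ip_network(dest) and ip_address(nexthop) in mgmt.network
               for dest, nexthop in mgmt_routes)


# Constructed stand-ins: 10.0.0.0/27 plays a.b.c.0/27 (LAN VRF, VLAN 4),
# 10.0.9.248/29 plays x.y.z.248/29 (WAN between router and FW),
# 192.0.2.50 is the remote NMS arriving via the WAN VRF.
DATA_IFACES = {"outside": "10.0.9.250/29", "inside": "10.0.0.2/27"}
MGMT_IFACE = "10.0.0.30/27"
REMOTE_NMS = "192.0.2.50"

if __name__ == "__main__":
    print("overlapping data interfaces:", connected_overlaps(DATA_IFACES, MGMT_IFACE))
    print("remote NMS reachable, no mgmt routes:",
          mgmt_can_reach(MGMT_IFACE, REMOTE_NMS, []))
    print("remote NMS reachable via LAN GW:",
          mgmt_can_reach(MGMT_IFACE, REMOTE_NMS, [("0.0.0.0/0", "10.0.0.1")]))
```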
