How to configure ASA to connect M0/0 from a Client in the inside zone?

ruagstefan
Level 1

Hi folks

How do I configure the ASA to access m0/0 from the CLIENT VLAN? The L3 switch routes traffic correctly to the management VLAN. However, the return traffic from the ASA would be sent through F0/1 according to the routing table, but it is blocked by the implicit rule on the management interface.

From a client within the management vlan I can access the ASA without problems.

Thanks a lot for any advice.

(attachment: asamgmt.JPG)

4 Replies

Allen P Chen
Level 5

Hello,

If I understand correctly, you would like traffic from the client to reach the ASA through the management interface (m0/0), but you would like the return traffic from the ASA to the client to be routed through the ASA's fa0/1 interface?  This traffic is asymmetric, which is not supported by default on the ASA.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml

In software version 8.2(1) and above, a feature called TCP state bypass was introduced to deal with asymmetric traffic.  Here is the reference guide for this command:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1428242

Hope this helps.

Thank you for your reply. I think you got me wrong.

I don't want to set up asymmetric routing. My aim is for return traffic, which is initiated by a client from the client VLAN to the IP of m0/0, to be sent out of m0/0.

On the ASA I have two static routes:

- the default route points to the encryptor's interface

- for the Inside network, the route points to the L3 switch (the CLIENT VLAN is part of this)

I can't set up a route on m0/0, because it's a "Management-only" interface.

I hope this clarifies my goal.

On your interface Ma0/0, type no management-only; then you can use your interface as a regular interface, so define nameif, security-level, ...

Hope this helps.

Hello,

The other person is correct, the management interface on the ASA can be used to pass traffic as well.  The following is mentioned in the ASA configuration guide:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/intrface.html#wp1085649

If you would like the management to function as a regular interface, you can enter the commands:

hostname(config)# interface management0/0
hostname(config-if)# no management-only

Here is the reference guide for this command:

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2028112

Hope this helps.
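The last two replies only show the no management-only command. The following is an added example, not from the original thread or from Cisco's guide, of what the rest of the interface section could look like for the poster's setup. Every address, name and mask in it is an assumption: 10.10.10.0/24 for the management VLAN with the ASA at .1 and the L3 switch at .2, and 10.20.20.0/24 for the CLIENT VLAN. It adds a more specific static route so replies to the client VLAN leave through the management interface instead of following the Inside route via F0/1, scopes SSH/ASDM access to that interface, and, because the interface can now forward through-traffic once management-only is removed, denies all through-traffic on it with an ACL (interface ACLs on the ASA do not affect to-the-box traffic such as SSH, which is governed by the ssh and http commands):

```asa
! Added example configuration for ASA 8.2 (assumed addressing, see lead-in)
interface Management0/0
 no management-only
 nameif management
 security-level 100
 ip address 10.10.10.1 255.255.255.0
 no shutdown
!
! Assumed: the L3 switch has an SVI in the management VLAN at 10.10.10.2.
! This /24 is more specific than the Inside route, so replies to the
! CLIENT VLAN are sent out of Management0/0.
route management 10.20.20.0 255.255.255.0 10.10.10.2 1
!
! To-the-box management access from the CLIENT VLAN and the management VLAN
! on this interface only; these commands, not the ACL below, control it.
ssh 10.20.20.0 255.255.255.0 management
ssh 10.10.10.0 255.255.255.0 management
http server enable
http 10.20.20.0 255.255.255.0 management
http 10.10.10.0 255.255.255.0 management
!
! The interface is no longer management-only, so it could forward traffic
! like any other data interface. Deny all through-traffic explicitly.
access-list MGMT_IN extended deny ip any any
access-group MGMT_IN in interface management
```

Two things to check after applying this: show route should list the 10.20.20.0/24 entry via management ahead of the broader Inside route, and since the new route applies to all traffic the ASA sends toward the client VLAN (not only management replies), new connections arriving from the encryptor side destined for 10.20.20.0/24 will also be routed out of Management0/0; if that is not wanted, the client VLAN route would have to stay on Inside and the management hosts be placed in their own, more specific subnet.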
