How to run Mgmt traffic to the Edge routers through the ASA5525-X

layer · ‎07-06-2018

Hi All,

I have Active/Standby ASA5525-X in a route mode - ASA Version 9.8(2)33

One IP on the inside, one on outside.

Outside do the site-to-site VPNs.

I have four layer 2 Cisco 2960 switches connected to the ASAs (two on outside and two on inside).

LAN routing is done by firewall which sits closer (than ASAs) to the LAN.

FW1 and FW2 have a dedicated interface with 10.1.200.1 assigned.

All four switches are reachable via SSH and 10.1.200.X.

Edge routers also uses 10.1.200.X for the mgmt.

All them mgmt connection do work as long my ASAs are in a transparent mode and vlan 200 is running through the ASAs via BVI interfaces.

Now I'm replacing transparent ASA for the routed ones and I don't know how I can run this mgmt connection ?

Business want to keep mgmt traffic completely seprate from the prod traffic so I'm struggling to find the best solution...

Should I by-pass ASAs and connect the cable from SW1 to SW3 and SW2 to SW4 ? STP will block on of the ports in this case (which is still fine)

or

there is an option to configure ASA to allow this type of connection (do I have to use a separate interface?).

Regards,

Marvin Rhoads · ‎07-07-2018

Easiest would be to connect the switches like you suggested.

Production traffic only uses the switches for L2 services and the L3 interfaces are on a separate SVI (VLAN or switched virtual interface) that is not exposed to the outside-the-ASA production traffic.

The routers' LAN-facing interfaces and ASAs' outside interfaces would be some new subnet (not 10.1.200.x).