cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

531
Views
0
Helpful
5
Replies
Alvaro Rugama
Beginner

Issue with Management Port

How everyone

I hope you can help me with one issue I´m having with a new ASA 5512 with CX.

I´m trying to configure access to the management port on the ASA from one sub-network that had different IP addressing. I´m doing this, because my ASA does not allow me to disable the management only option of the port.

theres´s a way to do this?

Also, I´m not sure about changing the management network to other physical port on the ASA, because I´m unable to access the Primer Security Module from other port than the Management.

I have basic configuration.

Ip address with same security level on all the logical interfaces, also, I allowed traffic between same security level interfaces, and apply an ACL that allow all traffic between interfaces except the outside interface.

I hope you can help me with this.

Best Regards

Alvaro Rugama Cerda

1 ACCEPTED SOLUTION

Accepted Solutions

The gateway address needs to be a downstream L3 device. Even if the traffic flows back through the ASA, that device needs to make that determination.

Typically you will have the management interface with an IP address in a given subnet with the gateway for that subnet on some internal router (or layer 3 SVI on an internal switch). That router or switch can route the traffic to/from the ASA management port as required if you put the static route on the ASA management port.

Please see the figures in the Configuration Guide here for more detail.

Is the ASA the only L3 device on your network? If so, you may need to explore some other options which we can suggest if that is the case.

View solution in original post

5 REPLIES 5
Marvin Rhoads
VIP Community Legend

Since the 5500-X series does not allow traffic coming through the box to go into the management port address directly, you need to put a static route in place on the management interface:

     route management <dest_ip>

Hi Mr. Rhoads

I tried this right now, didn´t work, because I can not add a static route pointing a network that the ASA already knows.

Just to clarify, this ASA has 6 ports that can manage traffic, plus the management port. I´m trying to access the Prime Security Module that can only be accessed from the management from the network that is attach to port 1.

When I add that static route on the management port I received the error message:

%Invalid next hop address, it belongs to one of our interfaces"

Another tip that can help me?

Best Regards

Alvaro Rugama Cerda

The gateway address needs to be a downstream L3 device. Even if the traffic flows back through the ASA, that device needs to make that determination.

Typically you will have the management interface with an IP address in a given subnet with the gateway for that subnet on some internal router (or layer 3 SVI on an internal switch). That router or switch can route the traffic to/from the ASA management port as required if you put the static route on the ASA management port.

Please see the figures in the Configuration Guide here for more detail.

Is the ASA the only L3 device on your network? If so, you may need to explore some other options which we can suggest if that is the case.

View solution in original post

Thank you for your help, now I´m cleared about that....

I have an SG500 that connects directly to my ASA, maybe I can use it to access the CX module.

Just one more question.

All my sub-networks need to have as gateway the SG500? or just the management network?

Thank you for the info again

Best Regards

Alvaro Rugama Cerda

Glad that helped. Thanks for the rating.

I can't answer your follow-on question accurately without seeing a lot more detail of the rest of your setup. There a lot of dependencies that influence how you should setup routing and more than one correct answer (along with lots of incorrect ones!).

Content for Community-Ad