07-30-2013 10:56 AM - edited 03-11-2019 07:19 PM
Hi everyone
I hope you can help me with one issue I'm having with a new ASA 5512 with CX.
I'm trying to configure access to the management port on the ASA from one sub-network that has different IP addressing. I'm doing this because my ASA does not allow me to disable the management-only option of the port.
Is there a way to do this?
Also, I'm not sure about changing the management network to another physical port on the ASA, because I'm unable to access the Prime Security Module from any port other than the Management one.
I have a basic configuration.
IP addresses with the same security level on all the logical interfaces; also, I allowed traffic between same-security-level interfaces and applied an ACL that allows all traffic between interfaces except the outside interface.
I hope you can help me with this.
Best Regards
Alvaro Rugama Cerda
07-30-2013 11:54 AM
Since the 5500-X series does not allow traffic coming through the box to go into the management port address directly, you need to put a static route in place on the management interface:
route management <dest_network> <netmask> <gateway_ip>
07-31-2013 10:00 AM
Hi Mr. Rhoads
I tried this just now; it didn't work, because I cannot add a static route pointing to a network that the ASA already knows.
Just to clarify, this ASA has 6 ports that can manage traffic, plus the management port. I'm trying to access the Prime Security Module, which can only be accessed from the management port, from the network that is attached to port 1.
When I add that static route on the management port I receive the error message:
"%Invalid next hop address, it belongs to one of our interfaces"
Any other tip that could help me?
Best Regards
Alvaro Rugama Cerda
07-31-2013 10:18 AM
The gateway address needs to be a downstream L3 device. Even if the traffic flows back through the ASA, that device needs to make that determination.
Typically you will have the management interface with an IP address in a given subnet with the gateway for that subnet on some internal router (or layer 3 SVI on an internal switch). That router or switch can route the traffic to/from the ASA management port as required if you put the static route on the ASA management port.
Please see the figures in the Configuration Guide here for more detail.
Is the ASA the only L3 device on your network? If so, you may need to explore some other options which we can suggest if that is the case.
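The arrangement described above, as an added example and not configuration from the thread or from Cisco: the management interface keeps its own subnet, the static route points at the SVI of a downstream L3 switch (the SG500 in this thread), and management access is limited to the one subnet that needs it. All addresses and the interface name are assumptions.

```text
! Added example, not from the thread. Assumed addressing:
!   ASA Management0/0           192.168.100.1/24  (management-only)
!   SG500 SVI on that VLAN      192.168.100.254   (downstream L3 gateway)
!   Admin workstation subnet    10.10.20.0/24, routed by the SG500
!   ASA port 1 (inside)         192.168.1.1/24
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0
!
! Wrong: the next hop is an address the ASA itself owns (its inside port).
! This is the case that returns
!   %Invalid next hop address, it belongs to one of our interfaces
! route management 10.10.20.0 255.255.255.0 192.168.1.1
!
! Correct: the next hop is the SG500 SVI on the management subnet, so the
! switch, not the ASA, makes the forwarding decision for that traffic.
route management 10.10.20.0 255.255.255.0 192.168.100.254
!
! Least privilege: permit management sessions only from the admin subnet
! and only on the management interface.
ssh 10.10.20.0 255.255.255.0 management
http 10.10.20.0 255.255.255.0 management
!
! The SG500 must also route 10.10.20.0/24 <-> 192.168.100.0/24 between its
! SVIs; if the workstations' default gateway is the ASA inside address,
! replies to the management subnet never reach the switch.
```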
07-31-2013 01:51 PM
Thank you for your help, now I'm clear about that...
I have an SG500 that connects directly to my ASA; maybe I can use it to access the CX module.
Just one more question.
Do all my sub-networks need to have the SG500 as their gateway, or just the management network?
Thank you for the info again
Best Regards
Alvaro Rugama Cerda
07-31-2013 01:55 PM
Glad that helped. Thanks for the rating.
I can't answer your follow-on question accurately without seeing a lot more detail of the rest of your setup. There are a lot of dependencies that influence how you should set up routing, and more than one correct answer (along with lots of incorrect ones!).