Management ASA from VLANs

Hi all, I want all the VLANs defined on the switch to be able to access the dedicated Management interface of the ASA. I can only access it from VLAN 1 and not from the other VLANs (attached is a small scheme). When I try, from any VLAN, to ping the Management interface of the ASA, I get this error on the ASA: "Routing failed to locate next hop for icmp from Management: to Management:". It works instead from VLAN 1.

It is as if the ASA is not able to send the return packet. 

Debug on switch: the packet is routed to the ASA.

Capture on ASA: only the echo request, there is no reply packet.

On the core switch I have defined these VLANs:











with default route (ASA).  

I attached the config of the ASA.

What could be wrong? 

Let me know please. 

Thanks all.


Hi Marco,

Your ASA doesn't know those networks exist, as there are no routes for them in the ASA routing table.

You will need to add routes for all those VLANs above (see example below).

route management "subnet mask"

or you can add:

route management

route management

route management

route management




Hi Terence,

thanks for the reply. In the config there are now these routes, but on the LAN interface:

route LAN 1

route LAN 1

route LAN 1

route LAN 1

route LAN 1

route LAN 1

route LAN 1

route LAN 1

route LAN 1

then for all the networks do I only change the interface to MANAGEMENT?

By doing so all traffic is routed on the Management interface, but I want to use the Management interface only for ASDM management of the ASA; other traffic must be routed on the LAN interface. Is it possible?

Thanks in advance.

It's not possible with your setup.

Either you dedicate a VLAN for management and do the routing as Terence said, or you enable ASDM access on the inside interface and you will be able to access it from all the VLANs, unless of course you restrict the ASDM access on the ASA.


Hi oszkari,

I have a management VLAN (, and if I do a "show route" on the ASA I see that network as directly connected:

C    Rete_FASTWEB is directly connected, OUTSIDE

C is directly connected, VOIP

C    Rete_INTERNAL is directly connected, LAN

S    Rete_PRDIT [1/0] via, LAN

S    Rete_GuestWiFi [1/0] via, LAN

S    Rete_TEST [1/0] via, LAN

S [1/0] via, OUTSIDE

C    Rete_MNGM is directly connected, Management

S    Rete_SMD [1/0] via, LAN

S    Rete_CLIENT [1/0] via, LAN

S    Rete_PLC [1/0] via, LAN

S    Rete_PRDBR [1/0] via, LAN

S    Rete_SERVER [1/0] via, LAN

how can I accomplish this?



Hi Marco,

If you want to use your management interface there are two things you can do:

1. With the current setup the options are quite limited, because you will end up with asymmetric routing, which will cause you issues. However, you can put your PC in the management VLAN (VLAN 1 if I'm not wrong) and assign it an IP from that subnet (; then you can use the management interface to access ASDM. The issue with this approach is that you will go to the internet using the same path through the management interface; not sure if you want to do that.

2. Create a true OOB management network using a dedicated management switch where you connect all the management interfaces of all your devices, then connect this switch to your network. For protection you can place a FW between your management network and your production network. If you don't have a FW for that, simple ACLs will do the job. What is important is to have a NAT-capable L3 device between the management and production networks. You need the NAT to fix the asymmetric routing issue, so when you connect to the management interface your PC IP is going to be NATed to an IP from the management network ( 255)
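To make Terence's "missing routes" point and the asymmetric-routing trade-off above concrete, here is an added example that is not part of the thread: a small Python model of the ASA's route lookup for a ping to its own Management interface. It assumes a simplified rule (the reply to to-the-box traffic must leave on the interface it arrived on, so a route to the sender's subnet is needed on that interface) and uses a constructed routing table with placeholder prefixes and next hops, not the thread's real addresses.

```python
import ipaddress

# Constructed routing table in the shape of the "show route" output in the thread.
# Every prefix, next hop and VLAN is a placeholder (assumption), not Marco's addresses.
BASE_ROUTES = [
    ("203.0.113.0/24", "OUTSIDE",    None),           # C directly connected
    ("10.1.0.0/24",    "LAN",        None),           # C directly connected
    ("192.0.2.0/24",   "Management", None),           # C directly connected (mgmt VLAN)
    ("10.1.20.0/24",   "LAN",        "10.1.0.2"),     # S via core switch (a client VLAN)
    ("10.1.30.0/24",   "LAN",        "10.1.0.2"),     # S via core switch (a server VLAN)
    ("0.0.0.0/0",      "OUTSIDE",    "203.0.113.1"),  # S default route
]

def lookup(routes, dst, only_iface=None):
    """Longest-prefix match over (prefix, interface, next_hop) tuples.
    With only_iface set, only routes leaving through that interface count."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, iface, nexthop in routes:
        net = ipaddress.ip_network(prefix)
        if dst in net and (only_iface is None or iface == only_iface):
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, iface, nexthop)
    return best

def echo_reply_interface(routes, src_ip, ingress):
    """Simplified model (assumption) of the ASA answering a ping to one of its own
    interfaces: the reply must leave on the ingress interface, so a route to the
    sender's subnet is needed on that interface. Returns the interface name, or
    None for the thread's 'Routing failed to locate next hop' situation."""
    r = lookup(routes, src_ip, only_iface=ingress)
    return None if r is None else r[1]

def through_traffic_interface(routes, dst_ip):
    """Interface the ASA would use to forward ordinary traffic towards dst_ip."""
    r = lookup(routes, dst_ip)
    return None if r is None else r[1]

# Terence's suggestion applied to one VLAN: its route moved from LAN to Management
# ('route Management <vlan> <mask> <core-switch>'), which is what Marco asked about.
FIXED_ROUTES = [r for r in BASE_ROUTES if r[0] != "10.1.20.0/24"] + [
    ("10.1.20.0/24", "Management", "192.0.2.2"),
]

if __name__ == "__main__":
    print(echo_reply_interface(BASE_ROUTES, "192.0.2.50", "Management"))  # works from mgmt VLAN
    print(echo_reply_interface(BASE_ROUTES, "10.1.20.7", "Management"))   # None: the error Marco sees
    print(echo_reply_interface(FIXED_ROUTES, "10.1.20.7", "Management"))  # reply now possible
    print(through_traffic_interface(BASE_ROUTES, "10.1.20.7"))            # LAN
    print(through_traffic_interface(FIXED_ROUTES, "10.1.20.7"))           # Management: Marco's objection
```

The last two lines show the trade-off oszkari describes: once the VLAN's route points at Management, all traffic towards that VLAN leaves via the Management interface, not just ASDM sessions.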

Hi oszkari,

With solution 1, VLAN 1 is defined on the core switch and I can access the subnet only from this VLAN.

The real issue is, as you said, using the same path (management and internet), and this is what I want to avoid.

Solution 2, if I understand it, uses a switch to connect the management interfaces of all devices, connects it to my network, and then uses a NAT device for the natting.

P.S. I already have all devices on this management VLAN and it works fine; only the ASA cannot handle the management.

A tip: you think that the route on the ASA (route LAN 1) has no reason to exist, true?



Hi Marco,

The best option for you to get access from all your vlans is for you to access your ASA via your inside interface instead of the Management interface.



Hi Terence/oszkari,

thanks again for your prompt reply; I think I will use ACLs to block access to the inside interface of the ASA.

But only out of curiosity and to learn: if I had my ASA do the L3 instead of the switch, could it handle the Management in this way?



Hi Marco,

You can use the command below to restrict ASDM access.

http xx.xx.xx.xx LAN

Only if you configure the ASA for NAT, otherwise you would end up in the same situation.


