Hi all, i want that all my Vlan defined on Switch can access dedicated Management interface of ASA. I can only access only from VLAN 1 and not from other vlans. (attached is a small scheme) When try, from any vlans, to ping interface Management of ASA(172.16.48.50) i have this error on ASA: "Routing failed to locate next hop for icmp from Management:172.16.48.50/0 to Management:172.16.48.222/0", works instead from Vlan1.
It is as if the ASA is not able to send the return packet.
Debug on switch: package is routed to Asa.
Capture on Asa: only echo request and there isnt packet reply.
On switch Core i have define this vlan:
with default route 172.16.48.131 (ASA).
I attached config of ASA.
What could be wrong?
Let me know please.
Your ASA doesn't know those network exist as their no routes in the ASA routing table.
You will need to add routes for all thos vlans above (see example below).
route management 172.16.48.190 "subnet mask" 172.16.48.129
or you can add:
route management 172.16.48.0 255.255.255.0 172.16.48.129
route management 172.16.49.0 255.255.255.0 172.16.48.129
route management 172.16.50.0 255.255.255.0 172.16.48.129
route management 192.168.0.0 255.255.255.0 172.16.48.129
thanks for reply. In config now there are this routes but on LAN Interface:
route LAN 172.16.48.0 255.255.255.128 172.16.48.129 1
route LAN 172.16.48.160 255.255.255.224 172.16.48.129 1
route LAN 172.16.48.192 255.255.255.224 172.16.48.129 1
route LAN 172.16.49.0 255.255.255.224 172.16.48.129 1
route LAN 172.16.49.32 255.255.255.224 172.16.48.129 1
route LAN 172.16.49.96 255.255.255.224 172.16.48.129 1
route LAN 172.16.49.128 255.255.255.128 172.16.48.129 1
route LAN 172.16.50.0 255.255.255.0 172.16.48.129 1
route LAN 192.168.0.0 255.255.255.0 172.16.48.129 1
than for all network i change only interface with MANAGEMENT?
By doing so all traffic is routed on Managment interface, but i want use Managment Interface only for Management ASDM of ASA, other traffic must rotate on LAN interface. It's possibile?
Thanks in advance.
It's not possible with your setup.
Either you dedicate a VLAN for management and do the routing as Terence said, or you enable ASDM access on the inside interface and you will be able to access it from all the VLANs, unless of course you restrict the ASDM access on the ASA.
i have a vlan of managment (172.16.48.0 255.255.255.128), if i do a "show route" on ASA i see that network in directly connected:
C Rete_FASTWEB 255.255.255.248 is directly connected, OUTSIDE
C 192.168.10.0 255.255.255.0 is directly connected, VOIP
C Rete_INTERNAL 255.255.255.240 is directly connected, LAN
S Rete_PRDIT 255.255.255.128 [1/0] via 172.16.48.129, LAN
S Rete_GuestWiFi 255.255.255.224 [1/0] via 172.16.48.129, LAN
S Rete_TEST 255.255.255.224 [1/0] via 172.16.48.129, LAN
S 172.16.48.225 255.255.255.255 [1/0] via 220.127.116.11, OUTSIDE
C Rete_MNGM 255.255.255.128 is directly connected, Management
S Rete_SMD 255.255.255.224 [1/0] via 172.16.48.129, LAN
S Rete_CLIENT 255.255.255.0 [1/0] via 172.16.48.129, LAN
S Rete_PLC 255.255.255.224 [1/0] via 172.16.48.129, LAN
S Rete_PRDBR 255.255.255.224 [1/0] via 172.16.48.129, LAN
S Rete_SERVER 255.255.255.0 [1/0] via 172.16.48.129, LAN
how can I accomplish this?
If you want to use your management interface there are two things you can do:
1. with the current setup the options are quite limited because you will end up with asymmetric routing which will cause you issues. However you can put your PC in the management vlan (VLAN1 if i'm not wrong) and assign to it an IP from that subnet (172.16.48.0 255.255.255.128) then you can use the management interface to access ASDM. The issue with this approach is that you will go to the internet using the same path trough the management interface, not sure if you want to do that.
2. create a true OOB management network using a dedicated management sw where you connect all your management interfaces from all your devices then connect this switch to your network. For protection you can place a FW between your management network and your production network. If you don't have a fw for that simple ACLs will do the job. What is important is to have a NAT capable L3 device between the management and production network. You need the NAT to fix the asymetric routing issue, so when you connect to the management intarface your PC ip is going to be NAT-ed to an IP from the management network (172.16.48.0 255)
with solution 1 on switch core defined Vlan1 and i can access only from this vlan to subnet 172.16.48.0 255.255.255.128.
The real issue is that as you said using the same path(management and internet) and this is what I want to avoid.
Solution 2 if i undestand it, use a switch and connect management of all devices and connect to my network than use a NAT device for natting.
p.s.I already have all devices on this vlan managment and works fine, only ASA can not handle the management.
A tip you think that route on ASA (route LAN 172.16.48.0 255.255.255.128 172.16.48.129 1) has no reason to exist true?
The best option for you to get access from all your vlans is for you to access your ASA via your inside interface instead of the Management interface.
thanks again for your prompt reply, I think I will use ACLs to block access to the inside interface of ASA.
But only for curiosity an to learn, if I had to do my L3 ASA instead of the switch could handle in this way, the Management?
You can use the command below to restrict ASDM access.
http xx.xx.xx.xx 255.255.255.255 LAN
Only if you configure the ASA for NAT, otherwise you would end up in the same situation.