Management IP

cstpierre4
Level 1

Hello,

I am currently migrating a NetScreen firewall to a Cisco ASA 5515 ver. 8.6.

The issue is setting up the management connectivity.

Basically, the management IP of the Cisco ASA is not advertised, but we want to route a management IP through the management interface to interface Gi0/2.

So the IP of the management interface is, say, 216.10.100.10,

and the IP of the inside interface is, say, 198.1.1.10/24.

On our router we have a static route sending 198.1.1.0/24 to a next hop of 216.10.100.10 (the management interface of the Cisco ASA).

On the Cisco ASA, can I send the traffic to the inside interface and manage the firewall via SSH that way?

I hope this makes sense.

Any help would be appreciated.

Thanks!!


jocamare
Level 9

Basically you want to use one interface to pass traffic and also to manage the ASA via SSH.

Yes, you can do that.

Commands in case you need them:

    crypto key generate rsa modulus 1024 noconfirm

    ssh 0 0 inside

    aaa authentication ssh console LOCAL

Cool thanks!

I'm just having an issue with an ACL. I'm not that versed with the Cisco ASAs; I generally support NetScreen firewalls.

So basically my management traffic is supposed to come into the management interface and be routed to the inside interface, as the IP of the inside interface is what we have DNS configured for our firewall's hostname.

But I'm seeing this:

    TCP access denied by ACL from ipaddress/50816 to inside:ipaddress/22

I created an ACL but it's not working. What would be the ACL to allow this?

Thanks

Hello,

You are coming into the management interface, and that, my friend, means that only management traffic from the same subnet will be allowed.

No routed traffic going to another interface, or coming from a subnet other than the management IP address's, will be allowed. On hardware platforms other than the ASA 5500-X series you could remove that function by taking out the management-only command, but on your hardware device this is not allowed.

That being said, you will need to use a different interface; no matter whether you create an ACL, the traffic will still get denied.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

In my case, if I want to manage a remote firewall by SSH I connect to its outside interface, not its inside. That works fine, as long as I have an ssh statement allowing the network I'm coming from. E.g.

    ssh network1 netmask1 outside

    ssh network2 netmask2 outside

The ACLs for transit traffic mentioned in access-group statements don't come into this; we are terminating the SSH connection at the firewall interface itself. jocamare's crypto key generate ... and aaa authentication ssh ... are critical; you have to do those too.

For those of us still feeling some 55**-X confusion, what's the role of management-access in this sort of situation?

When I upgrade from 5520s to 5525-Xs Real Soon Now, I'm apparently going to have to use the management interface to manage IPS stuff. In my topology the firewall is routing all the local VLANs, so remote access to a firewall cannot be via a host on the management VLAN itself; there can't be any, because the management VLAN can't pass remote traffic to them. That is, the topology would look like:

   (management PC) -- [firewall 1] --IPSEC tunnel-- [firewall 2]

The goal is to manage IPS on firewall2 from the far side of the IPSEC tunnel. I haven't had a chance to play with this scenario in a test lab yet, and am a complete IPS neophyte. The combination of the warning against static NAT and VPN with management-access is a bit scary. I'd prefer not to have to put a dual-NIC host on two VLANs just to be able to come back into the management-only 5525-X interface on firewall2.

-- Jim Leinweber, WI State Lab of Hygiene
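Pulling the pieces from the replies above into one configuration, as an added example that is not from any of the posters: it places SSH on a data interface (inside, as in the original question) instead of the management-only port, and contrasts jocamare's open `ssh 0 0 inside` with a version restricted to an admin subnet. The inside address 198.1.1.10/24 is from the question; the admin network 10.20.30.0/24, the username and the 2048-bit modulus are assumptions.

```text
! Added example, not from the thread; addresses and username are placeholders.
! Assumes an ASA 5515-X running 8.6 with inside = 198.1.1.10/24 and an admin
! workstation network 10.20.30.0/24 that is reachable through the data plane.

! --- As posted in the thread: accepts SSH from ANY source on inside ---
ssh 0 0 inside

! --- Restricted variant: local admin, SSHv2 only, admin subnet only ---
crypto key generate rsa modulus 2048 noconfirm
username admin password <replace-me> privilege 15
aaa authentication ssh console LOCAL
ssh version 2
ssh timeout 10
ssh 10.20.30.0 255.255.255.0 inside

! Notes:
! - "TCP access denied by ACL from A/port to inside:B/22" (ASA-3-710003) is
!   logged when the source does not match any ssh statement for that
!   interface; an interface ACL bound with access-group does not govern it.
! - Management0/0 on a 5500-X is management-only and does not forward to
!   other interfaces, so the router's static route for 198.1.1.0/24 via
!   216.10.100.10 cannot reach inside; SSH to the data interface directly.
```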
