Currently have an ASA5520; the management port is set to management-only and connected to a management VLAN, and the inside, outside and DMZ ports are also in use for their respective traffic. All is working well. The issue I have is that the IT support staff on their user VLAN have to have access to manage the ASA with ASDM at all times. This all works fine, as I have added a route for management to their subnet; the problem is that from this VLAN they can no longer ping the remote sites which connect via site-to-site VPN. For troubleshooting and management purposes this is required. Is there any way around this? If we make the management port not management-only, how will this affect other traffic or routing?
That is one solution: make the management interface forward the data traffic, and traffic from the IT support team will always flow through it, since the reverse route to their network is configured via management.
Other possible solutions really depend on what you have behind the ASA. For example, if your IT staff VLAN is terminating on a core switch, then you can go for policy-based NAT on the core switch in such a way that, if the IT support VLAN is accessing ASA management, you NAT the source into the IP of the ASA management VLAN SVI on the core switch.
So whenever your IT support accesses ASA management, it gets NATed and goes to the ASA. Then you can remove the static route added in the ASA and configure it through the inside interface.
Let me know if you are not clear.
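The two arrangements described in the reply above, written out as an added configuration example (this is not from the thread and not the original poster's running config; every interface name, VLAN number and address is assumed for illustration). It starts from the setup the question describes, then shows the ASA changes for each option, and the core-switch side needed only for the policy NAT option:

```cisco
! --- Assumed addressing (constructed for this example, not from the thread) ---
!   ASA management interface 10.0.0.1/24, core switch SVI on that VLAN 10.0.0.2
!   IT support VLAN          10.1.1.0/24, reached through the core switch
!   ASA inside interface     192.168.1.1/24, core switch inside-facing address 192.168.1.2
!
! === Starting point: what the question describes ===
! Management0/0 is management-only, and a route to the IT support VLAN points
! out of it so that ASDM replies can get back to that VLAN.
interface Management0/0
 nameif management
 security-level 100
 ip address 10.0.0.1 255.255.255.0
 management-only
!
route management 10.1.1.0 255.255.255.0 10.0.0.2
http 10.1.1.0 255.255.255.0 management
!
! A management-only interface carries only traffic to and from the ASA itself.
! VPN return traffic for 10.1.1.0/24 is now routed out of "management" by the
! route above, so it is dropped; this is why the pings to remote sites fail.
!
! === Option 1: let the management interface forward through traffic ===
! Egress is chosen by the route table alone, so this changes where the ASA
! sends traffic *toward* 10.1.1.0/24 (e.g. replies from VPN sites). Traffic the
! IT VLAN sends out to the Internet or other sites still enters on inside and
! leaves by whatever route matches its destination, not via management.
interface Management0/0
 no management-only
!
! === Option 2: keep management-only; policy NAT on the core switch ===
! ASA side: drop the route and ASDM permit for the IT VLAN via management,
! route the IT VLAN via inside, and permit ASDM from the management subnet
! (the address the IT VLAN will appear to come from after NAT).
no route management 10.1.1.0 255.255.255.0 10.0.0.2
no http 10.1.1.0 255.255.255.0 management
route inside 10.1.1.0 255.255.255.0 192.168.1.2
http 10.0.0.0 255.255.255.0 management
!
! --- Core switch (Cisco IOS), option 2 only; requires a platform that
! --- supports "ip nat" on SVIs ---
! Translate the IT support VLAN to the management SVI address only for
! connections to the ASA management IP (ASDM on 443, SSH on 22); everything
! else from that VLAN is routed untouched.
ip access-list extended ASA-MGMT-ONLY
 permit tcp 10.1.1.0 0.0.0.255 host 10.0.0.1 eq 443
 permit tcp 10.1.1.0 0.0.0.255 host 10.0.0.1 eq 22
!
interface Vlan11
 description IT support VLAN (assumed VLAN id)
 ip address 10.1.1.1 255.255.255.0
 ip nat inside
!
interface Vlan10
 description ASA management VLAN (assumed VLAN id)
 ip address 10.0.0.2 255.255.255.0
 ip nat outside
!
ip nat inside source list ASA-MGMT-ONLY interface Vlan10 overload
```

With option 1 the management interface becomes an ordinary data interface, so its interface ACL and any NAT rules apply to the through traffic it now carries and the ASDM/SSH permits on it should stay restricted to the subnets that need them. With option 2 the ASA continues to see management sessions only from its own management subnet, which is the point of keeping the interface management-only; the cost is the NAT on the core switch, which not every switch model supports.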
Thank you Harish. I doubt the core switch we are using is capable of an ACL for NAT. If we use the "not management-only" option on the management port, does this mean that all of the IT support traffic outgoing to the Internet or other sites will be via the management port?