management of ASA5520 from ITsupport subnet

Currently I have an ASA5520. The management port is set to management-only and connected to a management VLAN; the inside, outside and DMZ ports are also in use for their respective traffic, and all is working well. The issue I have is that the IT support staff on their user VLAN have to have access to manage the ASA with ASDM at all times. This all works fine, as I have added a route for management to their subnet. The problem is that from this VLAN they can no longer ping the remote sites which connect via site-to-site VPN. For troubleshooting and management purposes this is required; is there any way around this? If we make the management port not management-only, how will this affect other traffic or routing?

Mike

1 ACCEPTED SOLUTION

That's right, and all the traffic from the IT support subnet flows through that. In order for them to go to the internet, you need to create a NAT as follows:

nat (management) 1 <IT-support-subnet> <netmask>
global (outside) 1 interface

Harish.

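As an added example (not from the original post or from Harish), this is what the accepted approach looks like as a complete ASA 8.2-style configuration, including the VPN exemption a practitioner would want so that the IT support subnet can still reach the site-to-site remote networks. Interface names, the IT support subnet, the management VLAN gateway and the remote VPN subnet are all constructed placeholders:

```cisco
! Added example, not the original poster's config. ASA 8.2-era nat/global syntax assumed.
! All addresses below are constructed placeholders.
!
! 1. Let the management interface carry transit traffic instead of management only.
interface Management0/0
 nameif management
 no management-only
!
! 2. Reverse route to the IT support subnet via the management VLAN gateway
!    (this is the route the original poster already added).
route management 10.10.50.0 255.255.255.0 10.10.0.254 1
!
! 3. Dynamic PAT so IT support hosts reach the internet through the outside interface
!    (the nat/global pair from the accepted solution, with the subnet filled in).
nat (management) 1 10.10.50.0 255.255.255.0
global (outside) 1 interface
!
! 4. Caveat: traffic towards the remote VPN sites must be exempted from that PAT.
!    Otherwise it is translated to the outside address, no longer matches the
!    site-to-site crypto ACL, and the pings to remote sites still fail.
access-list management_nat0 extended permit ip 10.10.50.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (management) 0 access-list management_nat0
!
! 5. Verification from the ASA CLI: trace a ping from an IT support host to a remote
!    VPN host and confirm the NAT phase shows the exemption and the VPN phase is hit.
! packet-tracer input management icmp 10.10.50.10 8 0 192.168.100.10
```

After applying this, the management interface is a transit interface, so review what else is reachable from it (ACLs applied to the management interface, and same-security rules if management and inside share a security level).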

3 REPLIES

Hello Michael,

That is one solution: make the management interface forward the data traffic, and traffic from the IT support team will always flow through that, since the reverse route to their network is configured via management.

Other possible solutions really depend on what you have behind the ASA. For example, if your IT staff VLAN is terminating on the core switch, then you can go for a policy-based NAT on the core switch in such a way that, if the IT support VLAN is accessing ASA management, the source is NATed into the IP of the ASA management VLAN SVI on the core switch...

So whenever your IT support is accessing ASA management, it gets NATed and goes to the ASA. Then you can remove the static route added in the ASA and configure that through the inside interface.

Let me know if you are not clear.

Harish.


Thank you Harish. I doubt the core switch we are using is capable of an ACL for NAT. If using the not management-only option on the management port, does this mean that all of the IT support traffic outgoing to the internet or other sites will be via the management port?
