
management of ASA5520 from ITsupport subnet

Currently have an ASA5520; the management port is set to management-only and connected to a management VLAN, with the inside, outside and DMZ ports also in use for their respective traffic, and all is working well. The issue I have is that the IT support staff on their user VLAN have to have access to manage the ASA with ASDM at all times. This all works fine, as I have added a route for management to their subnet; the problem is that from this VLAN they can no longer ping the remote sites which connect via site-to-site VPN. For troubleshooting and management purposes this is required. Is there any way around this? If we make the management port not management-only, how will this affect other traffic or routing?

Mike



Hello Michael,

That is one solution: make the management interface forward the data traffic, and traffic from the IT support team will always flow through it, since the reverse route to their network is configured via management.

Other possible solutions really depend on what you have behind the ASA. For example, if your IT staff VLAN is terminating in the core switch, then you can go for a policy-based NAT on the core switch in such a way that, if the IT Support VLAN is accessing ASA management, you NAT the source into the IP of the ASA Management VLAN SVI on the core switch...

So whenever your IT support is accessing ASA management, it gets NATed and goes to the ASA. Then you can remove the static route added in the ASA and configure that through the inside interface.

Let me know if you are not clear.

Harish.

Thank you Harish. I doubt the core switch we are using is capable of an ACL for NAT. If using the not-management-only option on the management port, does this mean that all of the IT support traffic outgoing to the internet or other sites will be via the management port?

That's right, and all the traffic from the IT support subnet flows through that, and in order for them to go to the internet you need to create a NAT as follows:

nat (management) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

harish,
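The full picture Harish describes, as an added example that is not part of the thread: the management interface taken out of management-only mode, the return route, ASDM access, and the NAT for the IT support subnet, plus the NAT exemption needed so their pings to the VPN remote site are not translated away before the crypto map sees them. Pre-8.3 ASA syntax to match the nat/global commands in the thread; all subnets and addresses are constructed placeholders.

```cisco
! Added example, not from the thread: pre-8.3 ASA syntax, matching the
! nat/global commands above. All addresses are constructed placeholders:
!   10.10.10.0/24     management VLAN; ASA 10.10.10.2, core switch SVI 10.10.10.1
!   10.50.0.0/24      IT support user VLAN (reached via the management VLAN)
!   192.168.100.0/24  remote site behind the site-to-site VPN
interface Management0/0
 nameif management
 security-level 100
 ip address 10.10.10.2 255.255.255.0
 no management-only
!
! The return route to the IT support subnet points out the management side,
! so everything from that subnet enters and leaves the ASA on this interface.
route management 10.50.0.0 255.255.255.0 10.10.10.1
!
! ASDM/HTTPS access for the IT support subnet, on this interface only.
http server enable
http 10.50.0.0 255.255.255.0 management
!
! Keep VPN-bound traffic un-NATed: in pre-8.3 code NAT happens before the
! crypto map match, so PATed pings would never match the tunnel ACL.
access-list MGMT-NONAT extended permit ip 10.50.0.0 255.255.255.0 192.168.100.0 255.255.255.0
nat (management) 0 access-list MGMT-NONAT
!
! Everything else from the IT support subnet is PATed to the outside address.
nat (management) 1 10.50.0.0 255.255.255.0
global (outside) 1 interface
!
! The crypto ACL for the tunnel (and its mirror on the remote peer) must also
! cover 10.50.0.0/24 <-> 192.168.100.0/24, or the pings still fail.
```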
