567 Views, 0 Helpful, 1 Reply

Management Port Access

Joshua Maurer
Level 1

I am trying to understand how to use the MGMT port correctly on the ASA. I currently have a new 5508 but would like to update all my other firewalls. I have the OUTSIDE address 1.1.1.1/30, the INSIDE address 172.16.16.5/24 and MGMT 10.10.30.20/24.

ssh 10.10.30.0 255.255.255.0 MGMT

ssh 10.10.220.0 255.255.255.0 MGMT

route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.2

route INSIDE 10.10.0.0 255.255.0.0 172.16.16.1

route INSIDE 10.20.0.0 255.255.0.0 172.16.16.1

route MGMT 10.10.30.0 255.255.255.0 10.10.30.1

When I remote in from any other network besides the 10.10.30.0/24 network, I cannot access the MGMT console from SSH. I am assuming that the route wants to send to the INSIDE interface and that is the reason for the non-access.

Is there a way around this, or can I not configure it this way and it has to be an out-of-band network-only interface?

I can configure the INSIDE interface for SSH, I wanted to try to use the MGMT interface for access and system needs. 

1 Reply

Marvin Rhoads
Hall of Fame

Traditionally, what you're seeing has been the case due to there only being a single routing table in an ASA. However, in ASA 9.5(2), the following was introduced:

Separate routing table for management-only interfaces

To segregate and isolate management traffic from data traffic, the ASA now supports a separate routing table for management-only interfaces.

We introduced or modified the following commands: backup, clear ipv6 route management-only, clear route management-only, configure http, configure net, copy, enrollment source, name-server, restore, show asp table route-management-only, show ipv6 route management-only, show route management-only

We did not modify any screens.

Reference:

http://www.cisco.com/c/en/us/td/docs/security/asa/roadmap/asa_new_features.html
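As an added example (not from the original post, the reply, or Cisco's documentation), here is how the poster's configuration could look on ASA 9.5(2) or later so that an SSH session arriving on MGMT from 10.10.220.0/24 is answered out of MGMT rather than steered toward INSIDE. It assumes the 5508-X's dedicated Management1/1 port as the MGMT interface, the addresses from the post, and 10.10.30.1 as the gateway on the management network; those are assumptions, not facts from the thread.

```cisco
! Added example, not the poster's running config. Assumes ASA 9.5(2)+,
! Management1/1 as the MGMT port and 10.10.30.1 as the management gateway.
interface Management1/1
 management-only
 nameif MGMT
 security-level 100
 ip address 10.10.30.20 255.255.255.0
!
! Data routing table, unchanged from the post. 10.10.0.0/16 (which contains
! 10.10.220.0/24) points at INSIDE; on a single-table ASA this is what sent
! the replies to an SSH client on 10.10.220.0/24 the wrong way.
route OUTSIDE 0.0.0.0 0.0.0.0 1.1.1.2
route INSIDE 10.10.0.0 255.255.0.0 172.16.16.1
route INSIDE 10.20.0.0 255.255.0.0 172.16.16.1
!
! A static route on a management-only interface lands in the separate
! management-only routing table, so replies to 10.10.220.0/24 leave via MGMT.
! (No route is needed for 10.10.30.0/24 itself: it is directly connected.)
route MGMT 10.10.220.0 255.255.255.0 10.10.30.1
!
! Limit SSH on MGMT to the networks that are allowed to manage the box.
ssh 10.10.30.0 255.255.255.0 MGMT
ssh 10.10.220.0 255.255.255.0 MGMT
```

Check the result with `show route management-only` (from the command list above) and compare it with the data table in `show route`: the 10.10.220.0/24 entry should appear only in the management-only table, and the data table should still carry the 10.10.0.0/16 route for through-traffic. Two caveats: the management-only table only covers traffic to and from the ASA itself on management-only interfaces, so this does not make 10.10.220.0/24 reachable from the data interfaces any differently than before, and the gateway at 10.10.30.1 (and any firewall between it and 10.10.220.0/24) must itself route and permit TCP/22 back to the client, which the ASA configuration alone cannot guarantee.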
