Management Port routing issue on ASA5525x

jpeterson6
Level 2

Hi,

I've got a client with a Management Port set up for Out-of-Band management. Here's the configuration of the interface and some relevant static routes:

interface Management0/0
 description MGT
 speed 100
 duplex full
 nameif Mgt
 security-level 100
 ip address 10.38.100.20 255.255.255.0 standby 10.38.100.21
 management-only
!
route inside 10.0.0.0 255.0.0.0 10.38.103.1
route Mgt 10.48.0.0 255.255.0.0 10.38.100.254

The route through Mgt interface is required as my client accesses the device from a subnet that isn't local to M0/0.

Unfortunately, now any traffic originating from outside and destined to 10.48.0.0/16 is choosing the Mgt interface. I had thought that the 'management-only' keyword prevents this from happening (traffic traversing between interfaces).

There is a broad scope of /16 addresses on the 'inside', so just swapping destinations won't work (the client wants to avoid a routing table with 50+ static entries, understandably).

My temporary solution was to do this:

route inside 10.0.0.0 255.128.0.0 10.38.103.1
route inside 10.128.0.0 255.128.0.0 10.38.103.1
route Mgt 10.0.0.0 255.0.0.0 10.38.100.254

What would be the best setup in this situation?

If 'management-only' doesn't prevent traffic from using the Mgt interface, what is the point of the command?

2 Replies

Michal Garcarz
Cisco Employee

Hi

You are absolutely right about the "management-only" command. It does not allow for transit traffic (routing).

I have it in my lab. Tested in both directions:

1. When traffic was received from any other interface and the destination was through the management-only interface:

%ASA-4-418001: Through-the-device packet to/from management-only network is denied: icmp src inside:2.2.2.10 dst outside:3.3.3.3 (type 8, code 0)

2. When traffic was received from the management-only interface and the destination was through any other interface:

%ASA-4-418001: Through-the-device packet to/from management-only network is denied: icmp src outside:1.1.1.10 dst inside:3.3.3.3 (type 8, code 0)

So - it works as expected. That interface should never route packets.

Are you sure it's working as you described? Did you capture traffic? Did you verify that in logs, NAT and conn tables?

If yes, you might have hit a bug. What version of ASA do you use?

---

Michal

Sorry for the late response. I got tied up with some other clients and was quite busy for a while.

I am getting the denied packets as you specified. The issue is the fact that it's even trying to use the Management Interface to begin with in its routing decisions.

I think it was probably just a misunderstanding on my part. I had thought that the keyword 'management-only' would remove the option to use it as a destination interface for routing decisions.
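To make the routing decision discussed in this thread concrete, here is an added example (not from the thread or from Cisco) that parses the two static-route sets posted above, applies longest-prefix match the way the ASA routing table does, and flags any route via a `management-only` interface that is more specific than a route via a transit interface, since through-traffic matching it will be selected for the Mgt interface and then dropped with %ASA-4-418001. It assumes longest-prefix match is the only selector (no metrics or connected routes) and uses config text trimmed to the relevant lines.

```python
import ipaddress
import re

# Constructed samples: the original post's routes and the temporary workaround,
# trimmed to the lines that matter for the routing decision.
ORIGINAL_CFG = """
interface Management0/0
 nameif Mgt
 management-only
route inside 10.0.0.0 255.0.0.0 10.38.103.1
route Mgt 10.48.0.0 255.255.0.0 10.38.100.254
"""
WORKAROUND_CFG = """
interface Management0/0
 nameif Mgt
 management-only
route inside 10.0.0.0 255.128.0.0 10.38.103.1
route inside 10.128.0.0 255.128.0.0 10.38.103.1
route Mgt 10.0.0.0 255.0.0.0 10.38.100.254
"""
ROUTE_RE = re.compile(r"^\s*route\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)")

def parse(cfg):
    """Return ([(nameif, network, gateway)], {management-only nameifs})."""
    routes, mgmt_only, nameif = [], set(), None
    for line in cfg.splitlines():
        s = line.strip()
        if s.startswith("interface "):
            nameif = None                      # new interface block
        elif s.startswith("nameif "):
            nameif = s.split()[1]
        elif s == "management-only" and nameif:
            mgmt_only.add(nameif)
        m = ROUTE_RE.match(line)
        if m:
            ifname, net, mask, gw = m.groups()
            routes.append((ifname, ipaddress.ip_network(f"{net}/{mask}"), gw))
    return routes, mgmt_only

def egress(routes, dst):
    """Longest-prefix match: the most specific route containing dst wins."""
    dst = ipaddress.ip_address(dst)
    best = max((r for r in routes if dst in r[1]),
               key=lambda r: r[1].prefixlen, default=None)
    return best[0] if best else None

def transit_hits_mgmt(cfg, dst):
    """(egress nameif, True if that interface is management-only)."""
    routes, mgmt_only = parse(cfg)
    ifname = egress(routes, dst)
    return ifname, ifname in mgmt_only

def shadowing_mgmt_routes(cfg):
    """Mgmt-only routes nested inside a transit route: transit traffic to
    those prefixes is steered to the mgmt interface and denied."""
    routes, mgmt_only = parse(cfg)
    return [(m[1], t[1]) for m in routes if m[0] in mgmt_only
            for t in routes if t[0] not in mgmt_only and m[1].subnet_of(t[1])]
```

With the original routes, a packet to 10.48.1.1 from inside selects Mgt and is denied; with the workaround the /9 inside routes are more specific than the /8 via Mgt, so no transit prefix is shadowed.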
