Up this moment I have an ASA management-only interface connected to a Management_VLAN which routed in the LAN's Core Switch Management_VLAN interface,
This core switch routes Internet Access thorugh the ASA_Inside Interface (Default Gateway).
Now I need allow Internet Access to the Management_VLAN (Updates and NTP). I would like to route this traffic with the Core Switch Default Gateway (through ASA_Inside) but ASA don't allow that because Management_VLAN is directely connected to ASA.
How can I solve this and allow internet access in the management vlan?
In some setups the Management networks routing is completely separated from the native routing table of the L3 switches and routers (using VRFs). This would eliminate any overlap and other problems in routing. You could then use the ASAs Management interface as the default gateway for Management network Internet traffic.
Naturally this is not really an easy option in an existing network.
So I wonder would it be perhaps possible to configure a NAT between the Management Vlan and the Inside Vlan so that connections from the Management address space would be NATed on the L3 switch to an IP address that the ASA has a route towards the Inside? This should to my understanding eliminate any problems related to the ASA routing.
If I understood you correctly your problem is that the ASA will currently see Internet bound traffic coming from the Management network on its Inside interface and these connections fail because the ASA can see the Management network from another directly connected interface?
Hope this helps
Yes, my problem is that if I try to route, in the ASA, Internet traffic
statically to the management vlan through the inside interface like this:
route inside 192.168.128.0 255.255.255.0 ip_core
ASA warns it can't route 192.168.128.0 through inside because it's direclty conneted to Management_interface.
OK, so I understand I have to options:
1) Route the Management Interface in the ASA (not in the core).
2) NAT management vlan in the Core.
For what I see I can't NAT in this installation (Powerconnect switches doesn't NAT), so I only have option 1 (route this VLAN in the ASA).
I will have to change the ASA Management interface from management_only to "no management_only", Is this a good security practice? Any security concern about this network design to think about?