Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1607
Views
4
Helpful
2
Replies

Management VLAN Internet Access through ASA

jmprats
Level 4
Level 4

‎07-16-2013 01:45 AM - edited ‎03-11-2019 07:12 PM

Up this moment I have an ASA management-only interface connected to a Management_VLAN which routed in the LAN's Core Switch Management_VLAN interface,

This core switch routes Internet Access thorugh the ASA_Inside Interface (Default Gateway).

Now I need allow Internet Access to the Management_VLAN (Updates and NTP). I would like to route this traffic with the Core Switch Default Gateway (through ASA_Inside) but ASA don't allow that because Management_VLAN is directely connected to ASA.

How can I solve this and allow internet access in the management vlan?

Thanks

Labels:
0 Helpful
2 Replies 2

Jouni Forss
VIP Alumni
VIP Alumni

‎07-16-2013 02:05 AM

Hi,

In some setups the Management networks routing is completely separated from the native routing table of the L3 switches and routers (using VRFs). This would eliminate any overlap and other problems in routing. You could then use the ASAs Management interface as the default gateway for Management network Internet traffic.

Naturally this is not really an easy option in an existing network.

So I wonder would it be perhaps possible to configure a NAT between the Management Vlan and the Inside Vlan so that connections from the Management address space would be NATed on the L3 switch to an IP address that the ASA has a route towards the Inside? This should to my understanding eliminate any problems related to the ASA routing.

If I understood you correctly your problem is that the ASA will currently see Internet bound traffic coming from the Management network on its Inside interface and these connections fail because the ASA can see the Management network from another directly connected interface?

Hope this helps

- Jouni

jmprats
Level 4
Level 4
In response to Jouni Forss

‎07-16-2013 02:40 AM

Yes, my problem is that if I try to route, in the ASA,  Internet traffic

statically to the management vlan through the inside interface like this:

route inside 192.168.128.0 255.255.255.0 ip_core

ASA warns it can't route 192.168.128.0 through inside because it's direclty conneted to Management_interface.

OK, so I understand I have to options:

1) Route the Management Interface in the ASA (not in the core).

2) NAT management vlan in the Core.

For what I see I can't NAT in this installation (Powerconnect switches doesn't NAT), so I only have option 1 (route this VLAN in the ASA).

I will have to change the ASA Management interface from management_only to "no management_only", Is this a good security practice? Any security concern about this network design to think about?

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card