Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
593
Views
0
Helpful
2
Replies

Question about defining management interface

nygenxny123
Level 1
Level 1

‎01-27-2011 07:37 AM - edited ‎03-11-2019 12:40 PM

As you know the ASA has a port explicitly defined as the managment interface

you aslo must explicltly define ssh/telnet/http access using the ssh xxxx.xxx.xxxx.xxxx "interface"

My question is..what is the purpose of the "management-access (interface)" configuration statement?

once you allow ssh/http/ etc on any interface isnt that now a "managment" interface?

and for best practice should you only allow this on the ip of the managment interface?

so why would you need a management-access configuration statement?

Labels:
0 Helpful
2 Replies 2

Collin Clark
VIP Alumni
VIP Alumni

‎01-27-2011 07:43 AM

Defining a specific interface for management prevents that interface from passing traffic between security zones. As you noted you can configure SSH on multiple interfaces, but that does not necessarily make it a management interface (I agree it may not make much sense). management-accessis handy for managing a device over a VPN. It's an in-band management feature, whereas a management interface is out-of-band.

Hope it makes sense.

0 Helpful

shzaman
Level 1
Level 1

‎01-27-2011 10:16 AM

Hi,

Adding some information

Normally a device can only connect to interface at which it is placed, like a system sitting on outside will be able to access(ssh/ping) outside interface IP only (not inside), management-access command will allow you to connect to inside interface while physically on outside and you are connected through VPN. For example, if you enter the adaptive security appliance from the outside interface, this command lets you telnet/ping etc. the inside interface when entering from the outside interface (connected to VPN) but source IP should be allowed to access the interface. In this case you will have to use 'management-access inside' in global configuration.

Detail about this can be seen on following two links

Check section 'pinging another interface' on link: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic2

Command reference: http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/m.html#wp2112283

There is another command 'management-only' which is for making an interface management only (no traffic across security zones), and you can use 'no management-only' for using dedicated management port as normal port.

Link: http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/m.html#wp2112407

-Shahid

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card