Question about defining management interface

nygenxny123
Level 1

As you know, the ASA has a port explicitly defined as the management interface.

You also must explicitly define ssh/telnet/http access using the ssh xxxx.xxx.xxxx.xxxx "interface" command.

My question is: what is the purpose of the "management-access (interface)" configuration statement?

Once you allow ssh/http/etc. on any interface, isn't that now a "management" interface?

And for best practice, should you only allow this on the IP of the management interface?

So why would you need a management-access configuration statement?

2 Replies

Collin Clark
VIP Alumni

Defining a specific interface for management prevents that interface from passing traffic between security zones. As you noted, you can configure SSH on multiple interfaces, but that does not necessarily make it a management interface (I agree it may not make much sense). management-access is handy for managing a device over a VPN. It's an in-band management feature, whereas a management interface is out-of-band.

Hope it makes sense.

shzaman
Level 1

Hi,

Adding some information.

Normally a device can only connect to the interface on which it is placed; for example, a system sitting on the outside will be able to access (ssh/ping) the outside interface IP only (not inside). The management-access command will allow you to connect to the inside interface while physically on the outside and connected through VPN. For example, if you enter the adaptive security appliance from the outside interface, this command lets you telnet/ping etc. the inside interface when entering from the outside interface (connected to VPN), but the source IP should be allowed to access the interface. In this case you will have to use 'management-access inside' in global configuration.

Details about this can be seen at the following two links:

Check section 'pinging another interface' on link: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic2

Command reference: http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/m.html#wp2112283

There is another command, 'management-only', which makes an interface management only (no traffic across security zones), and you can use 'no management-only' to use the dedicated management port as a normal port.

Link: http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/m.html#wp2112407

-Shahid
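To make the distinction drawn in both replies concrete, here is a small audit script, added as an example (not from the thread or from Cisco), that reads an ASA running-config excerpt and reports which interfaces accept ssh/telnet/http, which interface `management-access` names (in-band), which are `management-only` (out-of-band), and which entries are weak. The config text is constructed for the example.

```python
import re

# Constructed ASA running-config excerpt used as sample input (not from the thread).
SAMPLE_CONFIG = """\
interface Management0/0
 nameif management
 ip address 192.0.2.1 255.255.255.0
 management-only
interface GigabitEthernet0/1
 nameif inside
 ip address 10.1.1.1 255.255.255.0
management-access inside
ssh 10.1.1.0 255.255.255.0 inside
ssh 192.0.2.0 255.255.255.0 management
ssh 0.0.0.0 0.0.0.0 outside
telnet 10.1.1.0 255.255.255.0 inside
http 192.0.2.0 255.255.255.0 management
"""

# ssh/telnet/http <source> <mask> <nameif>; other forms (ssh timeout, ssh version) don't match
ACCESS_RE = re.compile(r"^(ssh|telnet|http) (\S+) (\S+) (\S+)$")


def audit(config: str) -> dict:
    """Map which interfaces accept device management and flag the weak entries."""
    nameif, management_only, access, findings, mgmt_access = None, set(), {}, [], None
    for line in config.splitlines():
        text = line.strip()
        if line.startswith("interface "):
            nameif = None                     # new block; nameif not yet seen
        elif line.startswith(" nameif "):
            nameif = text.split()[1]
        elif line.startswith(" management-only") and nameif:
            management_only.add(nameif)       # out-of-band: never forwards transit traffic
        elif text.startswith("management-access "):
            mgmt_access = text.split()[1]     # in-band: reach this interface over the VPN
        elif m := ACCESS_RE.match(text):
            proto, host, mask, target = m.groups()
            access.setdefault(target, set()).add(proto)
            if proto == "telnet":
                findings.append(f"telnet (cleartext) permitted on {target}")
            if mask == "0.0.0.0":
                findings.append(f"{proto} on {target} open to any source ({host} {mask})")
    for target, protos in access.items():
        if target not in management_only:
            findings.append(f"{'/'.join(sorted(protos))} on {target} is in-band (interface also forwards traffic)")
    if mgmt_access and mgmt_access not in access:
        findings.append(f"management-access {mgmt_access} set, but no ssh/telnet/http line permits that interface")
    return {"management_access": mgmt_access, "management_only": sorted(management_only),
            "access": {k: sorted(v) for k, v in access.items()}, "findings": findings}


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG)["findings"]:
        print(finding)
```

The last check catches the case the second reply warns about: `management-access inside` alone does nothing unless an ssh/telnet/http line also permits the VPN source on that interface.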
