01-27-2011 07:37 AM - edited 03-11-2019 12:40 PM
As you know, the ASA has a port explicitly defined as the management interface.
You also must explicitly define ssh/telnet/http access using the ssh xxxx.xxx.xxxx.xxxx "interface" command.
My question is: what is the purpose of the "management-access (interface)" configuration statement?
Once you allow ssh/http/etc. on any interface, isn't that now a "management" interface?
And for best practice, should you only allow this on the IP of the management interface?
So why would you need a management-access configuration statement?
01-27-2011 07:43 AM
Defining a specific interface for management prevents that interface from passing traffic between security zones. As you noted, you can configure SSH on multiple interfaces, but that does not necessarily make it a management interface (I agree it may not make much sense). management-access is handy for managing a device over a VPN. It's an in-band management feature, whereas a management interface is out-of-band.
Hope it makes sense.
01-27-2011 10:16 AM
Hi,
Adding some information:
Normally a device can only connect to the interface at which it is placed; for example, a system sitting on the outside will be able to access (ssh/ping) the outside interface IP only (not the inside). The management-access command will allow you to connect to the inside interface while physically on the outside and connected through VPN. For example, if you enter the adaptive security appliance from the outside interface, this command lets you telnet/ping etc. the inside interface when entering from the outside interface (connected to VPN), but the source IP should be allowed to access the interface. In this case you will have to use 'management-access inside' in global configuration.
Detail about this can be seen on following two links
Check section 'pinging another interface' on link: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a0080094e8a.shtml#topic2
Command reference: http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/m.html#wp2112283
There is another command, 'management-only', which is for making an interface management only (no traffic across security zones), and you can use 'no management-only' for using the dedicated management port as a normal port.
Link: http://www.cisco.com/en/US/docs/security/asa/asa83/command/reference/m.html#wp2112407
-Shahid
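To make the distinction between the two commands concrete, here is an ASA configuration fragment put together as an added example for this thread; it is not from any of the posts above. Interface names, the VPN pool and all addresses are assumed (RFC 5737 / RFC 1918 ranges). It shows the out-of-band case (a dedicated interface marked management-only, with SSH permitted only from the management LAN on that interface) next to the in-band case (remote-access VPN users arriving on outside who need to reach the inside interface address, which is what management-access inside enables):

```cisco
! --- Out-of-band management: dedicated port that never forwards traffic between zones
interface Management0/0
 nameif management
 security-level 100
 ip address 192.0.2.1 255.255.255.0
 management-only
!
! --- Data interfaces (assumed names/addresses)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.1 255.255.255.0
!
! Restrict SSH to the management LAN on the management interface only.
! "ssh <src> <mask> <if_name>" allows SSH *to the address of that interface* from <src>;
! it does not by itself turn the interface into a management interface.
ssh 192.0.2.0 255.255.255.0 management
ssh timeout 10
ssh version 2
!
! --- In-band management over remote-access VPN (assumed pool)
ip local pool VPN_POOL 10.10.10.1-10.10.10.50 mask 255.255.255.0
!
! VPN clients are allowed to SSH/ping the *inside* interface address (10.0.0.1) ...
ssh 10.10.10.0 255.255.255.0 inside
icmp permit 10.10.10.0 255.255.255.0 inside
!
! ... but their packets enter the ASA on "outside". Without the line below the ASA
! will not answer for a non-ingress interface address, so the SSH/ping simply times out.
! Only one interface may be designated with management-access.
management-access inside
```

Note the two lines work together: the ssh/icmp statements answer "who may talk to this interface address", while management-access inside answers "may a session that entered on another interface be terminated on this address at all". Leaving the VPN pool out of the ssh statement for inside keeps management-access from widening exposure to every VPN user.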