
Routes on Cisco ASA

cstpierre4
Level 1

Hello,

I have a question on routes on a Cisco ASA. I set up a firewall for internet for IT users. The firewall has a management interface that we use to manage it from specific jump servers.

The issue is that the IT users need to access the mgmt (jump) servers, but they need to go through the firewall to the outside interface and then access the mgmt servers. However, the routes on the Cisco ASA are sending the traffic for the mgmt servers out the management interface to the mgmt servers, causing asymmetric routing. The routes are needed for when you are on a mgmt server for the return traffic. Any way to get around this?

Is it bad mojo to use the outside (public IP space) to manage a Cisco ASA?

 outside
    |
    |
 Firewall <--- mgmt servers
    |
    |
 IT Users

3 Replies

Marvin Rhoads
Hall of Fame

If you're diligent about watching the Security Advisories and keeping your ASA reasonably secured, management from outside can be done safely.

As far as the asymmetric routing, this has been a challenge for many an ASA admin. Are you aware that ASA 9.5 finally introduced a separate routing table (like a VRF) for the management interface to use? That may help you.

I have also seen implementations that dual-home the management servers. Put their default route on the non-restricted subnet.

Ah thank you for the response. 

Interesting about the 9.5 update. Thanks

I think I will look into the outside interface and investigate the 9.5 code upgrade.

I'm running Version 8.6(1)2 and it's an ASA5525. What version is recommended for this model?

Thanks.

Are you aware that ASA 9.5 finally introduced a separate routing table (like a VRF) for the management interface to use?

Well it's about time :)

Thanks for the info.

Jon
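A simplified model of the route lookup discussed in this thread, added here as an example (not posted by any participant and not Cisco code): it contrasts a single shared routing table with the separate management routing table mentioned for ASA 9.5. All addresses, interface names and function names are constructed for illustration, and the from-the-box lookup order is a simplifying assumption.

```python
import ipaddress

def lookup(table, dst):
    """Longest-prefix match over (prefix, interface, next_hop) entries."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, iface, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, next_hop)
    return (best[1], best[2]) if best else None

# Constructed addressing (not from the thread):
#   mgmt/jump servers live in 10.99.0.0/24, reached via the management interface
#   everything else follows the default route on the outside interface
MGMT_ROUTE = ("10.99.0.0/24", "management", "192.168.1.1")
DEFAULT_ROUTE = ("0.0.0.0/0", "outside", "203.0.113.1")

# One shared table: the more specific management route also captures
# the IT users' transit traffic towards the jump servers.
SHARED_TABLE = [DEFAULT_ROUTE, MGMT_ROUTE]

# Split tables: routes on the management interface are kept apart
# from the table used for traffic passing through the firewall.
DATA_TABLE = [DEFAULT_ROUTE]
MGMT_TABLE = [MGMT_ROUTE]

def egress_shared(dst):
    """Egress choice when every packet consults the same table."""
    return lookup(SHARED_TABLE, dst)

def egress_split(dst, from_the_box=False):
    """Egress choice with a separate management table.

    Through-the-box traffic consults only the data table. Traffic the
    firewall itself originates (assumption: management services) tries
    the management table first and falls back to the data table.
    """
    if from_the_box:
        return lookup(MGMT_TABLE, dst) or lookup(DATA_TABLE, dst)
    return lookup(DATA_TABLE, dst)

if __name__ == "__main__":
    jump = "10.99.0.10"  # constructed jump-server address
    print("shared table, IT user -> jump server:", egress_shared(jump))
    print("split tables, IT user -> jump server:", egress_split(jump))
    print("split tables, firewall -> jump server:", egress_split(jump, True))
```
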
