12-15-2015 06:24 PM - edited 03-12-2019 12:02 AM
Hello,
I have a question on routes on a Cisco ASA. I set up a firewall for internet for IT users. The firewall has a management interface that we use to manage it from specific jump servers.
The issue is that the IT Users need to access the mgmt (jump) servers. But, they need to go through the firewall to the outside interface and then access the mgmt servers. But, the routes on the Cisco ASA are sending the traffic for the mgmt servers out the management interface to the mgmt servers, causing asymmetric routing. The routes are needed for when you are on a mgmt server for the return traffic. Any way to get around this?
Is it bad mojo to use the outside (public IP space) to manage a Cisco ASA?
outside
|
|
Firewall <--- mgmt servers
|
|
IT Users
12-15-2015 07:23 PM
If you're diligent about watching the Security Advisories and keeping your ASA reasonably secured, management from outside can be done safely.
As far as the asymmetric routing, this has been a challenge for many an ASA admin. Are you aware that ASA 9.5 finally introduced a separate routing table (like a VRF) for the management interface to use? That may help you.
I have also seen implementations that dual home the management servers. Put their default route on the non-restricted subnet.
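The asymmetric-routing mechanism described in these two posts, as an added, constructed model (not ASA code and not from either poster): with one routing table, the static route to the jump servers via the management interface also steers through-the-box traffic from IT users; with a separate management-only table (the ASA 9.5 feature mentioned above), transit traffic uses the data table and only traffic the firewall itself originates consults the management table. All addresses, interface names and the "replies arrive on outside" assumption are made up for the example.

```python
"""
Constructed model of ASA route selection with and without a separate
management routing table. Not ASA code; addresses and interface names are
hypothetical and chosen to mirror the thread's topology.
"""
from ipaddress import ip_address, ip_network

# Hypothetical topology: IT users behind "inside", the Internet on "outside",
# jump/management servers reachable directly via "management".
IT_USERS = ip_network("10.10.0.0/16")
MGMT_SERVERS = ip_network("10.99.0.0/24")


class RoutingTable:
    """Longest-prefix-match table built from (prefix, egress_interface) pairs."""

    def __init__(self, routes):
        self.routes = [(ip_network(p), iface) for p, iface in routes]

    def lookup(self, dst):
        dst = ip_address(dst)
        matches = [(p, i) for p, i in self.routes if dst in p]
        if not matches:
            return None
        # Most specific prefix wins.
        return max(matches, key=lambda m: m[0].prefixlen)[1]


def build_tables(separate_mgmt_table):
    """Return (data_table, mgmt_table).

    Without a separate table, the jump-server route via 'management' lives in
    the single table that also decides where transit traffic goes.
    """
    data_routes = [("0.0.0.0/0", "outside"), (str(IT_USERS), "inside")]
    mgmt_routes = [(str(MGMT_SERVERS), "management")]
    if separate_mgmt_table:
        return RoutingTable(data_routes), RoutingTable(mgmt_routes)
    return RoutingTable(data_routes + mgmt_routes), None


def transit_egress(dst, separate_mgmt_table):
    """Egress interface for through-the-box traffic (an IT user sending to dst)."""
    data, _ = build_tables(separate_mgmt_table)
    return data.lookup(dst)


def from_box_egress(dst, separate_mgmt_table):
    """Egress for traffic the firewall itself originates (e.g. syslog to a jump
    server). Modelled as: management table first, then the data table."""
    data, mgmt = build_tables(separate_mgmt_table)
    if mgmt is not None:
        iface = mgmt.lookup(dst)
        if iface:
            return iface
    return data.lookup(dst)


def path_is_symmetric(separate_mgmt_table, reply_ingress="outside"):
    """Assumption from the thread: the jump servers' default route points at
    the public side, so their replies to IT users arrive on 'outside'. The
    flow is symmetric only if the forward egress is that same interface."""
    forward = transit_egress(str(MGMT_SERVERS[5]), separate_mgmt_table)
    return forward == reply_ingress


if __name__ == "__main__":
    for sep in (False, True):
        print(f"separate mgmt table={sep}: user->jump egress="
              f"{transit_egress('10.99.0.5', sep)}, "
              f"firewall->jump egress={from_box_egress('10.99.0.5', sep)}, "
              f"symmetric={path_is_symmetric(sep)}")
```

The model reproduces the complaint in the first post (single table: user traffic to the jump servers leaves via the management interface while replies come back on outside) and shows why a management-only table fixes it without losing the firewall's own return path to the jump servers. On a real ASA the equivalent check is to compare the data routing table (`show route`) with the management-only table before trusting that transit traffic is no longer matching a management route.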
12-16-2015 07:26 AM
Ah thank you for the response.
Interesting about the 9.5 update. Thanks
I think I will look into the outside interface and investigate the 9.5 code upgrade.
I'm running Version 8.6(1)2 and it's an ASA5525. What version is recommended for this model?
Thanks.
12-16-2015 08:30 AM
Are you aware that ASA 9.5 finally introduced a separate routing table (like a VRF) for the management interface to use?
Well it's about time :)
Thanks for the info.
Jon