09-12-2007 08:48 AM - edited 03-11-2019 04:10 AM
I have a unique situation I think and I have been beating my head on the wall for a few hours so I figured I would let you guys chime in.
We are replacing a Pix 515 with an ASA 5520. So far so good the clients are working. However I cannot get management traffic to flow correctly.
The client has a ton of vlans including Vlan 200 they use for management. Therefore my ASA and SSM management ports are in the 10.1.200.x range. I currently can manage the unit from a workstation in the 200 range but that's where things quit working. They have four other admin stations that require access to the ASA. They are 10.1.102.100, 10.1.102.208 and 10.1.190.100. I have allowed all of these ranges however I cannot connect to them. In troubleshooting I have narrowed this down to a routing issue.
The client has an odd WAN/PIX config.
OUTSIDE = Public Address
INSIDE = Private Network to ISA Server (The ISA is the real firewall for clients)
DMZ1 = Bypass network for Corporate entities coming from the outside to access the network to bypass the ISA to access company resources.
Their routes look like this:
OUTSIDE 0.0.0.0/ x.x.x.x (nexthop public address for router1)
OUTSIDE x.x.0.0/16 (public address) x.x.x.x (nexthop public address for router2)
DMZ1 10.1.0.0 255.255.0.0 10.1.195.1 (Gateway for vlan195 on core network)
It is the DMZ1 route that is screwing me. When any address space other than 10.1.200.0 tries to connect to manage the ASA I get bad route errors from the ASA. When you look them up they state that the ASA does not support asymmetric routes. I understand all of this but it has left me at a loss for what I should do to get management working for this client. I have enabled management on the INSIDE interface and allowed the PAT address for the ISA server to admin the ASA but so far that appears to only half work. Some workstations can get to ASDM but crash at 50% load and are unable to SSH or telnet to the system. My workstation cannot get to ASDM or SSH or Telnet at all through the inside interface.
Any help would be appreciated.
09-12-2007 12:05 PM
Forget about the management interface.
Shut it down.
Now,
what is the right interface to reach these networks?
Just change the following rules according to their location (inside, outside, dmz):
http 10.1.190.0 255.255.255.0 management
http 10.1.190.100 255.255.255.255 management
http 10.1.102.100 255.255.255.255 management
http 10.1.102.208 255.255.255.255 management
http 10.1.200.0 255.255.255.0 management
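The point of this answer is that a management-access statement only works when its interface is the one the ASA would route the reply through; otherwise you get the asymmetric-route errors from the first post. The following checker is an added example, not code from the thread or from Cisco: it does a longest-prefix match over a constructed route table (the DMZ1 10.1.0.0/16 route from the thread plus an assumed connected 10.1.200.0/24 on management and a default on OUTSIDE) and rewrites any http/ssh/telnet line whose interface does not match.

```python
import ipaddress

# Constructed route table (interface, prefix). Assumptions: management0/0 is
# connected to 10.1.200.0/24, the DMZ1 summary route is the one from the thread,
# and a default route points out OUTSIDE.
ROUTES = [
    ("management", "10.1.200.0/24"),
    ("DMZ1", "10.1.0.0/16"),   # route DMZ1 10.1.0.0 255.255.0.0 10.1.195.1
    ("OUTSIDE", "0.0.0.0/0"),
]

# The access statements from the answer above, all pointing at "management".
MGMT_ACCESS = """\
http 10.1.190.0 255.255.255.0 management
http 10.1.190.100 255.255.255.255 management
http 10.1.102.100 255.255.255.255 management
http 10.1.102.208 255.255.255.255 management
http 10.1.200.0 255.255.255.0 management
"""


def egress_interface(host, routes=ROUTES):
    """Longest-prefix match: the interface the ASA would use to reply to host."""
    addr = ipaddress.ip_address(host)
    matches = [(ipaddress.ip_network(prefix), iface) for iface, prefix in routes
               if addr in ipaddress.ip_network(prefix)]
    if not matches:
        return None
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def parse_access(config):
    """Yield (protocol, network, interface) from http/ssh/telnet lines."""
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] in ("http", "ssh", "telnet"):
            net = ipaddress.ip_network(f"{parts[1]}/{parts[2]}", strict=False)
            yield parts[0], net, parts[3]


def check_access(config, routes=ROUTES):
    """Return corrected lines for statements whose interface is not the one the
    ASA would actually route replies through (those would fail asymmetrically)."""
    fixes = []
    for proto, net, iface in parse_access(config):
        via = egress_interface(net.network_address, routes)
        if via is not None and via != iface:
            fixes.append(f"{proto} {net.network_address} {net.netmask} {via}")
    return fixes


if __name__ == "__main__":
    for line in check_access(MGMT_ACCESS):
        print(line)
```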
09-12-2007 09:16 AM
Hi Josh, I don't think you have a routing issue. Can you ping from the ASA hosts on the inside and DMZ1 and vice versa?
If you want to manage the ASA from any subnet, configure ASA management for telnet and/or http to allow any subnet from the inside and/or DMZ1,
e.g
telnet 0.0.0.0 0.0.0.0 inside
telnet 0.0.0.0 0.0.0.0 DMZ1
http 0.0.0.0 0.0.0.0 inside
http 0.0.0.0 0.0.0.0 DMZ1
As far as SSH to manage the ASA from outside, have you configured the ASA for SSH?
[edit] can you post config as well, strip out public IP info.
HTH
Jorge
09-12-2007 09:45 AM
Thanks Jorge,
I posted the config. Yes I can ping from ASA to HOST and from HOST to ASA.
I would prefer not to have all but my outside interfaces set up for management. I would clearly like to just stick with Management. However Inside would be acceptable. For whatever reason though, using ASDM through the ISA does not appear to work even with all IP traffic allowed through the ISA.
Thanks for your help.
09-12-2007 09:21 AM
Which interface is nearest to your admin workstation?
09-12-2007 09:38 AM
09-12-2007 09:53 AM
http 10.1.190.0 255.255.255.0 management
http 10.1.190.100 255.255.255.255 management
http 10.1.102.100 255.255.255.255 management
http 10.1.102.208 255.255.255.255 management
http 10.1.200.0 255.255.255.0 management
You must have routes for 10.1.190.0/24, 10.1.102.100/32, 10.1.102.208/32, 10.1.200.0/24 through the management interface.
09-12-2007 10:39 AM
Thanks for the reply. That was the first config I tried. For every host I created a route through the management interface, it broke required services on the network for those hosts. It fixes my ASDM issue but hoses everything else.
09-12-2007 10:27 AM
Hi Josh, quick question: for SSH, have you followed the SSH requirements process such as generating RSA keys etc.?
Also, I do not see routes on the ASA for the 10.1.190.x, 102 or 200 networks.
Let me take a careful look at the config.
09-12-2007 10:41 AM
I have generated my RSA keys. However something odd is going on there too. In the interim, for fixing that I have just enabled telnet till I can get these bugs ironed out.
The route for the 10.1 networks is shown in DMZ1 as
DMZ 10.1.0.0 255.255.0.0 10.1.195.1
I'm thinking that the answer is, as our friendly CCIE stated, that I must have the routes in my management interface. If so I'm not sure what to try next.
Again thanks for your help.
09-12-2007 10:52 AM
Yes, that is correct. Also, as Aleksey stated, specify routes for the 10.1.190.x, 102.x and 200.x networks through the management0/0 interface and you should be all set.
Jorge
09-12-2007 10:57 AM
Again, I cannot set the routes to the management interface. It breaks my communications with corporate resources that live on the outside of the OUTSIDE interface. That's the whole problem.
09-12-2007 10:48 PM
That did it, thanks guys! You have been a huge help. I guess I just had to wrap my head around not using a DMZ as a DMZ :) Anyway I'm going to keep the TAC case open so they can help me decide if the current routing scheme will be an issue with VPN. Again thanks for your help.
10-03-2007 10:41 AM
I was told by the TAC that I could not have a network that would need to pass through the ASA able to use the management network! In my opinion this makes the management network worthless. I did not want to manage through the inside interface but was told by TAC that was the only choice. They need a separate routing table for the management interface, but I do not expect to see that happen.