Security level for ASA Management interface?

cyberops123
Level 1

Hi

I am trying to figure out what would be the best security level for the management0/0 interface on my ASA firewall. Currently I have configured it with security level 100, but I am not sure if this is the best security practice, so if anyone can help me on this that would be great.

 

thank you

5 Replies

Ruben Cocheno
Spotlight

@cyberops123 

 

Yes, 100 for the management interface is the way forward. Also, if that interface is to be purely for management and not for "transit traffic", I also recommend the command management-only, which fits that purpose.

Tag me to follow up.
Please mark it as Helpful and/or Solution Accepted if that is the case. Thanks for making Engineering easy again.
Connect with me for more on Linkedin https://www.linkedin.com/in/rubencocheno/

balaji.bandi
Hall of Fame

We are not sure how your network is designed, so in general Cisco's recommendation as best practice is that the management interface should be out-of-band, if that is possible in your environment.

 

Using Management Interfaces

The management plane of a device is accessed via in-band and out-of-band methods through physical and logical means. Ideally, both in-band and out-of-band management access exists for each network device so that the management plane can be accessed during network outages.

Cisco firewalls define a specific interface as being the Management interface. This designation is defined by configuring the management-only command on the specific interface. By default, the physically defined Management interface has this command defined. This interface is used for in-band access to a Cisco firewall. The Management interface can also be used for regular traffic when the management-only interface configuration command is removed. It is recommended to use the Management interface of the ASA device exclusively as a management interface. This allows administrators and engineers to apply management traffic-based policies throughout the network. After the Management interface is configured on a Cisco firewall, it can be used by management plane protocols, such as SSH, SNMP, and syslog.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks balaji and Ruben.

 

Yeah, currently we use management interface0/0 with the "management-only" command, dedicated to remote access, and it is configured with security level 100. I was doing some research on whether 100 is the best practice for the management interface when it comes to hardening the ASA.

 

 

@balaji.bandi what source are you quoting? There's been a separate management routing table available on ASAs for several years now.

balaji.bandi
Hall of Fame

@Marvin Rhoads at this moment I do not have the Cisco URL in place; this is one of the notes I made for my reference from a Cisco document, when I was doing some hardening of a network some time back. Let me re-read that statement. Yes, this may have changed; my document might have been outdated.

 

Agreed, the ASA has the new one. Below is the part of my document that was missed in this post (edited the original post). Thanks.

 

As a standard security practice, it is often necessary to segregate and isolate Management traffic from data traffic. To achieve this isolation, the ASA uses a separate routing table for management-only traffic vs. data traffic. Separate routing tables means that you can create separate default routes for data and management as well.

 

Management-table from-the-device traffic includes features that open a remote file using HTTP, SCP, TFTP, the copy command, Smart Call Home, trustpoint, trustpool, and so on.

BB

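The configuration the thread converges on (security-level 100, management-only, and a separate management routing table with its own default route, per Ruben's reply and balaji's note above), written out as an added example. This is not configuration from the thread or from Cisco documentation; the interface names, the RFC 5737 documentation addresses (192.0.2.0/24 for the out-of-band management network, 203.0.113.0/24 for the outside link) and the syslog host are assumptions chosen for illustration, and the separate management routing table assumes an ASA release that supports it (9.5 or later).

```cisco
! Added example (not from the thread or Cisco): dedicated out-of-band
! management interface on an ASA. Addresses are constructed RFC 5737 values.
!
! Data-plane interface: untrusted, lowest security level.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
! Management interface: highest security level, and management-only so it
! never carries transit traffic and its routes live in the management table.
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.0.2.10 255.255.255.0
!
! Separate default routes: one in the data routing table, one in the
! management routing table. Management-plane traffic that the ASA itself
! originates (syslog, copy, Smart Call Home, trustpoint enrollment) follows
! the management route, not the outside default route.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route management 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! Bind management-plane services to the management interface only and
! restrict the source network that may reach them.
ssh 192.0.2.0 255.255.255.0 management
ssh version 2
http server enable
http 192.0.2.0 255.255.255.0 management
!
! Device-originated syslog leaves via the management interface (assumed host).
logging enable
logging host management 192.0.2.50
```

Two checks worth running after applying this: "show route management" should list only the management default route, and "show run interface Management0/0" should still contain management-only. If management-only is removed, the interface becomes a regular data interface (as the quoted Cisco text above notes), its routes move back into the data table, and the security-level 100 setting alone no longer isolates management traffic from transit traffic.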
