09-09-2020 02:16 PM
Hi,
I am trying to figure out what would be the best security level for the management0/0 interface on my ASA firewall. Currently I have configured it with security level 100, but I am not sure if this is the best security practice, so if anyone can help me with this, that would be great.
Thank you
09-09-2020 02:37 PM
Yes, 100 for the management interface is the way forward. Also, if that interface is to be purely for management and not for "transit traffic", I also recommend the command management-only, which fits that purpose.
09-09-2020 03:38 PM - edited 09-11-2020 01:57 AM
We are not sure how your network is designed, so in general Cisco's recommended best practice is that the management interface should be out-of-band, if that is possible in your environment.
The management plane of a device is accessed via in-band and out-of-band methods through physical and logical means. Ideally, both in-band and out-of-band management access exists for each network device so that the management plane can be accessed during network outages.
Cisco firewalls define a specific interface as being the Management interface. This designation is defined by configuring the management-only command on the specific interface. By default the physically defined Management interface has this command defined. This interface is used for in-band access to a Cisco firewall. The Management interface can also be used for regular traffic when removing the management-only interface configuration command. It is recommended to use the Management interface of the ASA device exclusively as a management interface. This allows administrators and engineers to apply management traffic-based policies throughout the network. After the Management interface is configured on a Cisco firewall, it can be used by management plane protocols, such as SSH, SNMP, and syslog.
09-10-2020 09:42 AM
Thanks Balaji and Ruben.
Yeah, currently we use management interface 0/0 with the "management-only" command, dedicated to remote access, and it is configured with security level 100. I was doing some research on whether 100 is the best practice for the management interface when it comes to hardening the ASA.
09-11-2020 01:32 AM
@balaji.bandi what source are you quoting? There's been a separate management routing table available on ASAs for several years now.
09-11-2020 01:56 AM
@Marvin Rhoads At the moment I do not have the Cisco URL to hand; this is one of the notes I made for my reference from a Cisco document when I was doing some network hardening some time back. Let me re-read that statement. Yes, this may have changed; my document might have been outdated.
Agreed, the ASA has this now. Below is the part of my document that was missing from this post (edited original post). Thanks.
As a standard security practice, it is often necessary to segregate and isolate Management traffic from data traffic. To achieve this isolation, the ASA uses a separate routing table for management-only traffic vs. data traffic. Separate routing tables means that you can create separate default routes for data and management as well.
Management-table from-the-device traffic includes features that open a remote file using HTTP, SCP, TFTP, the copy command, Smart Call Home, trustpoint, trustpool, and so on.
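Putting the advice in this thread together (security-level 100 plus management-only from Ruben's reply, and the separate management routing table from the Cisco text quoted above), here is a minimal ASA configuration for a dedicated Management0/0 interface. This is an added example, not configuration posted by anyone in the thread or taken from Cisco's documentation; the management subnet 10.10.10.0/24, the gateway 10.10.10.1 and the syslog collector 10.10.10.50 are made-up values for illustration.

```text
! Dedicated out-of-band management interface (assumed addresses, illustration only)
interface Management0/0
 management-only                      ! no through traffic on this interface
 nameif management
 security-level 100
 ip address 10.10.10.2 255.255.255.0
!
! Default route for the management-only routing table (ASA 9.5 and later).
! Because "management" is a management-only interface, this route lands in the
! separate management table; the data-plane default route is configured separately.
route management 0.0.0.0 0.0.0.0 10.10.10.1 1
!
! Allow to-the-box management access only from the management subnet, only on this interface
ssh 10.10.10.0 255.255.255.0 management
http server enable
http 10.10.10.0 255.255.255.0 management
!
! From-the-box management traffic (syslog) is sourced from the management interface
logging enable
logging host management 10.10.10.50
!
! Checks after applying:
!   show running-config interface Management0/0   -> confirm management-only is present
!   show route management-only                    -> confirm the management default route
!   show running-config ssh                       -> confirm only the management subnet/interface is allowed
```

One point worth keeping in mind when deciding on the security level: with management-only set, the interface never carries through traffic, so its security level does not take part in any inter-interface policy; 100 is simply the conventional value for it. What actually hardens the box is the ssh/http statements, which limit who can reach the management plane and on which interface, and the out-of-band placement of the interface itself.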