04-30-2014 09:12 AM - edited 03-11-2019 09:08 PM
Hi Everyone,
I need to add an ASA to the CSM server.
The ASA needs to talk to the CSM server on port 443.
Here is the setup:
ASA1---------lan network--------ASA2---------Interface Z is connected to CSM server.
CSM server IP is 172.17.10.220.
ASA1 has two interfaces say x and y.
x has IP 172.17.100.7
y has IP 172.17.101.7
sh ip route on ASA1 shows
route x 0.0.0.0 0.0.0.0 172.17.100.254
route y 172.17.10.0 255.255.255.0 172.17.101.1
I need to know, if I do the below config on ASA1,
http 172.17.10.220 255.255.255.255 <interface>
which interface should I put there, X or Y?
Regards
Mahesh
04-30-2014 10:40 AM
Mahesh,
As long as the interface is reachable from the CSM server, either should work. Normally we have a higher security level (e.g., Inside) or management interface which we restrict and direct all management activity (CSM, ssh, snmp etc.) to use. That avoids unnecessary exposure of control plane services on untrusted networks.
Your routing path is independent of which interface allows the access. If interface y is the inside or highest security level then you could reach x via going "through" the ASA. If "x" is inside then you would need an access-list applied to "y" to allow the initiation of the connection from CSM.
04-30-2014 11:36 AM
Hi Marvin,
Below is the setup here:
ASA1 interface x has security level of 50
interface y has security level of 70
Routing on ASA1
route x 0.0.0.0 0.0.0.0 172.17.100.254
route y 172.17.10.0 255.255.255.0 172.17.101.1
I have added the CSM to ASA as per below config
ASA1
http 172.17.10.220 255.255.255.255 x
With the config above, ASA1 is added to CSM successfully.
The thing I need to understand now is: when CSM talks to ASA1 over interface X, then,
from the routing configured on ASA1 as below,
route x 0.0.0.0 0.0.0.0 172.17.100.254
route y 172.17.10.0 255.255.255.0 172.17.101.1
which route does it use as the next hop?
My understanding is that it should use route y 172.17.10.0 255.255.255.0 172.17.101
as it has the more precise route?
Regards
Mahesh
04-30-2014 11:57 AM
That's correct.
You are talking to interface x (with a lower security level than you enter on so no need for an access-list to allow it) and your traffic is entering into (and returning from) the firewall via interface y.
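The two points the thread settles, that the reply to CSM follows the most specific route regardless of which interface the `http` command names, and that the `http` command only admits HTTPS management from the listed host on the listed interface, can be checked with a small model of ASA1's tables. This is an added example and not configuration or code from the thread; it reuses the addresses Mahesh posted, assumes the `http host mask interface` semantics as documented for the ASA, and is a simplification (no connected routes, no metrics, no ACL evaluation) built only to show longest-prefix matching and the management-access check.

```python
import ipaddress

# Static routes from Mahesh's ASA1 post: (interface, network, mask, next hop),
# copied from the "route" lines in the thread.
ASA1_ROUTES = [
    ("x", "0.0.0.0", "0.0.0.0", "172.17.100.254"),
    ("y", "172.17.10.0", "255.255.255.0", "172.17.101.1"),
]

# The "http" line Mahesh configured: (source host, mask, interface).
ASA1_HTTP = [
    ("172.17.10.220", "255.255.255.255", "x"),
]


def parse_routes(routes):
    """Turn (interface, network, mask, next_hop) tuples into ip_network objects."""
    table = []
    for iface, net, mask, next_hop in routes:
        # ipaddress accepts a dotted mask after the slash, as in the ASA syntax.
        network = ipaddress.ip_network(f"{net}/{mask}", strict=True)
        table.append((iface, network, ipaddress.ip_address(next_hop)))
    return table


def lookup(table, destination):
    """Longest-prefix match: the most specific route containing the destination wins.

    The default route (0.0.0.0/0) matches everything but has prefix length 0,
    so any more specific static route is preferred over it.
    """
    dst = ipaddress.ip_address(destination)
    candidates = [(iface, net, nh) for iface, net, nh in table if dst in net]
    if not candidates:
        return None
    iface, net, nh = max(candidates, key=lambda r: r[1].prefixlen)
    return {"interface": iface, "network": str(net), "next_hop": str(nh)}


def http_allowed(http_lines, source, interface):
    """Model of the ASA 'http host mask interface' command: management over HTTPS
    from 'source' is accepted only when an entry covers that host on 'interface'."""
    src = ipaddress.ip_address(source)
    for host, mask, iface in http_lines:
        if iface == interface and src in ipaddress.ip_network(f"{host}/{mask}"):
            return True
    return False


def reply_path_to_csm(csm_ip="172.17.10.220"):
    """Which route ASA1 uses for packets back to the CSM server."""
    return lookup(parse_routes(ASA1_ROUTES), csm_ip)


if __name__ == "__main__":
    table = parse_routes(ASA1_ROUTES)
    for dst in ("172.17.10.220", "172.17.10.1", "8.8.8.8"):
        print(dst, "->", lookup(table, dst))
    # CSM is admitted on interface x (as configured), but not on y, and a
    # different host on the CSM subnet is not admitted at all.
    print(http_allowed(ASA1_HTTP, "172.17.10.220", "x"))
    print(http_allowed(ASA1_HTTP, "172.17.10.220", "y"))
    print(http_allowed(ASA1_HTTP, "172.17.10.221", "x"))
```

Running it shows 172.17.10.220 (and anything else in 172.17.10.0/24) leaving via y toward 172.17.101.1 while unrelated destinations take the default route out of x, which is exactly why the `http` interface argument and the return path are decided independently. The `http_allowed` check also makes the hardening advice in the accepted answer concrete: narrowing the host/mask to the CSM server alone and naming the higher-security interface leaves the HTTPS management service unreachable from everything else.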