05-11-2013 09:59 AM - edited 03-11-2019 06:42 PM
hi all,
All my six interfaces are already assigned to my LACP inside and DMZ, and I want to use VPN on port 443. But if I use 443 on my outside interface, I can't, because I have a website on my Internet that serves the outside world. The other solution is to change the port to 444 or another port, but I don't want to use another port, since 443 is open on all firewalls and therefore no problem for my VPN users.
Can I use the management interface M0/0 for my VPN traffic? How do I change my management to a network other than 192.168.1.0/24, and if I disable management on that interface, will I not be able to use ASDM any more?
thanks for any comment you may add.
05-11-2013 10:12 AM
Hi,
Are you talking about a new ASA5500-X series device?
If you are, then to my understanding in those models it's impossible to pass traffic through the management interface. On the original ASA5500 series it was possible just to remove the "management-only" setting with "no management-only" (if I remember the configuration correctly).
To my understanding you can use ASDM from behind any interface on the ASA, provided you have enabled it on that interface for the source network/host address.
Seems to me at least that you won't be able to use the management interface for this purpose.
Do you really need all 6 physical interfaces in the Port-channel?
- Jouni
05-11-2013 10:34 AM
Yes, it was bought only last month... Can I use it as failover instead of in a cluster?
05-11-2013 10:46 AM
Hi,
Seems it's not possible.
Check this quote from the Cisco ASA5500 to ASA5500-X Migration Guide:
Management Port Configuration Changes
The ASA 5500-X Series introduced a shared management port for firewall and IPS services. There are certain caveats to follow during migration from the ASA 5500 Series.
• The shared management port cannot be used as a data port. All through-the-box traffic arriving at the management port will be dropped implicitly. This cannot be disabled.
• The shared management port cannot be used as a part of a high availability configuration.
If the ASA management port (M0/0) on the ASA 5500 Series appliance was being used as a data port, the configuration associated with that port should be moved to one of the gigabit data ports numbered above G0/3.
Source document:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5708/ps5709/ps6120/guide_c07-727453.html
- Jouni
05-11-2013 11:29 AM
How about using two public IPs on the outside interface? What would the configuration be?
Say net.abc.com and vpn.abc.com: net.abc.com would be used for all the company's ports, like smtp/25 and owa/443, and vpn.abc.com would be just for ssl-vpn/443.
05-11-2013 11:51 AM
If you have more than one IP address allocated from your current provider, simply give the web server you wish to allow inbound external access a static NAT to an address other than your interface IP and an access-list entry allowing traffic from outside in on that address and port (80, 443 or whatever you are using). That allows remote access VPN clients to go to your ASA interface IP on 443 for their access.
To use two provider IP address spaces you need to either use separate physical interfaces (which you've said you don't have available) or subinterfaces into different external VLANs with different gateways, access-lists etc. That is very messy and complicated and thus generally not done.
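The first approach from the answer above, written out as an added example (not configuration from this thread or from Cisco): the web server gets a static NAT to a second provider address and an inbound access-list entry for only the ports it serves, while the outside interface IP itself stays free for SSL VPN on 443. All addresses and names are constructed (203.0.113.10 as the outside interface IP, 203.0.113.11 as the spare provider address, 10.1.1.20 as the internal web server), and the NAT syntax assumes ASA 8.3 or later.

```cisco
! Constructed example values, ASA 8.3+ object NAT syntax.
! Outside interface keeps 203.0.113.10; the SSL VPN listener binds here on 443.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
!
! Internal web server published on the second provider address 203.0.113.11.
object network web-server
 host 10.1.1.20
 nat (inside,outside) static 203.0.113.11
!
! 8.3+ ACLs reference the real (untranslated) address: permit only the
! published ports, nothing else reaches the server from outside.
access-list outside_in extended permit tcp any object web-server eq 80
access-list outside_in extended permit tcp any object web-server eq 443
access-group outside_in in interface outside
!
! SSL VPN listens on the outside interface IP (203.0.113.10) on TCP 443,
! which no longer conflicts with the web server on 203.0.113.11.
webvpn
 enable outside
 anyconnect enable
```

To confirm the split before going live, run `show nat` and `packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.11 443` (constructed source address) and check that the flow is un-NATed to 10.1.1.20 and permitted by outside_in, while a trace to 203.0.113.10 port 443 terminates on the ASA itself.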