02-09-2016 09:26 AM - edited 03-12-2019 12:15 AM
I am setting up a new active/standby pair of ASA 5525-X appliances. They are currently running 9.4(2) code. I have a couple of other ASA failover pairs in production but I never bothered setting up the management interface for those.
I thought I'd follow "best practices" and use the management interface this time but it seems the management interface uses the same routing table as the inside and outside firewalling/routing interfaces. I kind of assumed this would be more like the management vrf setup used in switches but it's not even close.
Is it possible to restrict the control-plane traffic to using management0/0 and have "inside" hosts route to some of the same destinations via the "outside" interface? For example, I want the ASA clock to synch to my internal NTP servers via the man0/0 but I need the servers to synch to those same NTP servers via the "outside" interface gi0/0. What sort of routing gynastics are needed, and where might they be documented?
This installation is a little unusual as it i has no Internet connection. It's just being used to segregate sensitive subnets from end-user and less sensitive (but "trusted") subnets. OSPF is used throughout the network.
Solved! Go to Solution.