05-27-2015 12:57 PM - edited 03-08-2019 12:13 AM
Hi
I have an ASA connected to my core switch with 2 cables, one from the inside interface and the other for management. The ASA has a route to my internal networks via the inside interface. Now I can ping my inside interface from all my internal networks, but I can only ping my management interface from a VM or hosts in my management subnet and not from other subnets, unless I insert a route on my ASA pointing inside via my management link.
Just wondering how I can configure both routes so that all my internal subnets can get to my inside interface and management interface?
Thanks
05-28-2015 10:05 AM
The short answer is you can't add the same routes via different interfaces because the ASA does not support VRFs, so you cannot put the management interface into its own VRF and give it a separate set of routes.
This is why a lot of people simply manage the ASA via its inside interface.
Unless you only manage the ASA from a specific IP subnet that is only used for management, you are not going to be able to do this.
Another alternative is to use contexts, i.e. you could use a separate context for management only and this would allow you to add routes.
Finally, if you have L3 switches that support NAT then you could possibly NAT the source IPs based on the destination IP of the management interface, and then return traffic would be sent back via the management interface.
So the L3 switch would have an SVI from the same IP subnet as the management interface and you set up NAT so that any source IPs to the management interface were translated to the SVI IP address on the switch.
Then traffic would automatically be sent back via the management interface.
Jon
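The single-routing-table behaviour Jon describes, and the L3-switch NAT workaround, as an added simulation (example code written for this page, not from the thread or from Cisco; all interface names and addresses are constructed, and the lookup models only longest-prefix routing, not the ASA's full forwarding logic):

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed topology (assumed addresses, not taken from the thread):
#   inside      10.0.0.2/24      core switch SVI 10.0.0.1, static 10.0.0.0/8 -> inside
#   management  192.168.100.2/24 core switch SVI 192.168.100.1 in the same subnet
INSIDE_IP = "10.0.0.2"
MGMT_IP = "192.168.100.2"
MGMT_SVI = "192.168.100.1"

@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    interface: str

# One routing table shared by both interfaces: no VRFs, so there is no way
# to hold a second 10.0.0.0/8 route that points out of "management".
ASA_RIB = [
    Route(ipaddress.ip_network("10.0.0.0/24"), "inside"),          # connected
    Route(ipaddress.ip_network("192.168.100.0/24"), "management"), # connected
    Route(ipaddress.ip_network("10.0.0.0/8"), "inside"),           # static via core
]
ASA_INTERFACES = {INSIDE_IP: "inside", MGMT_IP: "management"}


def egress_interface(dst: str) -> Optional[str]:
    """Longest-prefix-match lookup over the single ASA routing table."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in ASA_RIB if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen).interface


def reply_path(src: str, asa_dst: str, switch_nats_to_svi: bool = False) -> Tuple[str, Optional[str]]:
    """Return (interface the ping arrives on, interface the ASA's reply is routed out of).

    switch_nats_to_svi=True models the L3 switch rewriting the source of packets
    destined to the management interface to its own SVI in the management subnet,
    so the ASA's reply matches the connected route instead of the static one.
    """
    ingress = ASA_INTERFACES[asa_dst]
    seen_src = MGMT_SVI if (switch_nats_to_svi and ingress == "management") else src
    return ingress, egress_interface(seen_src)


def reply_is_symmetric(src: str, asa_dst: str, switch_nats_to_svi: bool = False) -> bool:
    ingress, egress = reply_path(src, asa_dst, switch_nats_to_svi)
    return ingress == egress
```

Running `reply_path("10.1.1.5", MGMT_IP)` shows the reply leaving via `inside` while the ping arrived on `management`; with `switch_nats_to_svi=True` both are `management`.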