Firewalling: Management port M0/0 on ASA 5520 - Interesting issue

Unanswered Question
Aug 3rd, 2007


I have a big network comprising

My inside interface IP is /24

My management interface IP is /24

The default inside route in my ASA is

route INSIDE

From my user network (10.200.1.X), I try to access the management interface; it does not connect ...

So I put a static route on the ASA:

route MGMT

Then it works; I am able to connect to ASDM & SSH.

Question:

Is all return-path traffic for the network 10.200.1.X (including internet return traffic) coming via the management interface?

If yes, what is the solution to this?

srue Fri, 08/03/2007 - 11:41

Why do you list the ASA inside IP as the default inside route?

route INSIDE

It should be pointed to something else internally. The MGMT interface just needs to plug into a switchport set up for the proper vlan - and treat it as a host port.

Any host on your user network (10.200.1.x) should be able to get to without going through the inside interface of the ASA.

I.e., there should be something doing internal routing for you, whether it's a router or multilayer switch, or something.

You could optionally turn on routing on the inside interface of the ASA as well, assuming you were running an internal routing protocol also.

anandramapathy Fri, 08/03/2007 - 20:43

Sorry, I gave you the wrong info.

My L3 device (default gateway for my internal LAN) - is is the L3 device IP for the management network.

The default inside route in my ASA is

route INSIDE

The route I put for management is

route MGMT

If the above route is not present:

When a user from the user network tries to reach the management port, the packet goes to the layer 3 switch, then to the management interface, and then the return path comes back via the internal interface due to the default static route

route INSIDE

If I put the route

route MGMT

then the return traffic from the ASA comes back via the MGMT interface.

The issue for me is I need to reach the management interface without putting any static route through the management interface, because all inside routes are via the INSIDE interface.

srue Mon, 08/06/2007 - 11:23

Under your management interface, does it say management-only?
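A constructed ASA configuration, added to this thread and not the poster's own, showing the management-only port srue is asking about next to the two routing choices the thread discusses; values in angle brackets are placeholders for the addresses the posts do not show, and 10.200.1.0/24 is the user network from the thread:

```text
! Constructed example, not the poster's configuration. Values in
! <angle brackets> are placeholders for addresses the thread does not show;
! 10.200.1.0/24 is the user network named in the thread.

! Management port used the way srue describes: a host port on its own VLAN.
! management-only means the ASA will not pass through-traffic on this port;
! it only terminates sessions to the ASA itself (ASDM, SSH).
interface Management0/0
 nameif MGMT
 security-level 100
 ip address <mgmt-ip> 255.255.255.0
 management-only

! Internal networks are reached through the L3 switch on INSIDE.
route INSIDE <internal-networks> <mask> <l3-switch>

! The route from the thread. The ASA of this era has one routing table for
! all interfaces, so this sends every packet for 10.200.1.0/24 out MGMT,
! including users' internet return traffic, which a management-only port
! will not forward.
! route MGMT 10.200.1.0 255.255.255.0 <mgmt-gateway>

! Option 1: keep the user network on INSIDE and manage the ASA on its
! inside address. No route via MGMT is needed.
ssh 10.200.1.0 255.255.255.0 INSIDE
http server enable
http 10.200.1.0 255.255.255.0 INSIDE

! Option 2: reserve the management port for admin hosts on its directly
! connected subnet, which needs no static route at all.
ssh <mgmt-subnet> 255.255.255.0 MGMT
http <mgmt-subnet> 255.255.255.0 MGMT
```

Either way, restrict the ssh and http statements to the admin hosts that actually need them rather than a whole user subnet.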
