Firewalling: Management port M0/0 on ASA 5520 - Interesting issue

anandramapathy
Level 3

Hi,

I have a big network comprising 10.0.0.0

my inside interface ip is 10.100.1.1 /24

my management interface ip is 10.150.1.1 /24

The default inside route in my ASA is

route INSIDE 10.0.0.0 255.0.0.0 10.100.1.1

From my user network, 10.200.1.X, I try to access the management interface; it does not connect ...

So I put a static route on the ASA:

route MGMT 10.200.1.0 255.255.255.0 10.150.1.1

Then it works; I am able to connect to ASDM & SSH.

Question -

Is all the return path for the network 10.200.1.X (including internet return traffic) coming via the management interface?

If yes, what is the solution to this?

5 Replies

srue
Level 7

Why do you list the ASA inside IP as the default inside route?

route INSIDE 10.0.0.0 255.0.0.0 *10.100.1.1*

It should be pointed to something else internally. The MGMT interface just needs to plug into a switchport set up for the proper vlan - and treat it as a host port.

Any host on your user network (10.200.1.x) should be able to get to 10.150.1.1 without going through the inside interface of the ASA.

i.e., there should be something doing internal routing for you, whether it's a router or multilayer switch, or something.

You could optionally turn on routing on the inside interface of the ASA as well, assuming you were running an internal routing protocol also.

Sorry, I gave you the wrong info.

My L3 device (default gateway for my internal LAN) is 10.100.1.10.

10.200.1.10 is the L3 device IP for the management network.

The default inside route in my ASA is

route INSIDE 10.0.0.0 255.0.0.0 10.100.1.10

The route I put for management is

route MGMT 10.200.1.0 255.255.255.0 10.150.1.10

If the above route is not present:

when a user from the user network, 10.150.1.1, tries to reach the management port, the packet goes to the layer 3 switch, then to the management interface, and then the return path comes back via the internal interface due to the default static route

route INSIDE 10.0.0.0 255.0.0.0 10.100.1.10

If I put the route

route MGMT 10.200.1.0 255.255.255.0 10.150.1.10

then the return traffic from the ASA comes back via the MGMT interface.

The issue for me is I need to reach the management interface without putting any static route through the management interface, because all inside routes are via the INSIDE interface.
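To make the routing question concrete, here is an added illustration (not from the thread and not Cisco's code) that parses the two `route` statements quoted above into a table and performs a longest-prefix match for a few destinations. It uses only Python's standard `ipaddress` module. The host addresses used as destinations are constructed sample values, and the lookup models only the static routing table: the ASA's other forwarding constraints (such as what a management-only interface will or will not pass) are not modelled here.

```python
import ipaddress

# Constructed sample: the two static routes quoted in the thread, in ASA
# "route <interface> <network> <mask> <next-hop>" syntax.
ASA_ROUTES_WITH_MGMT = """
route INSIDE 10.0.0.0 255.0.0.0 10.100.1.10
route MGMT 10.200.1.0 255.255.255.0 10.150.1.10
"""

# The same table without the MGMT route, i.e. the configuration the poster
# wants to keep (all inside routes via INSIDE).
ASA_ROUTES_INSIDE_ONLY = """
route INSIDE 10.0.0.0 255.0.0.0 10.100.1.10
"""


def parse_routes(config):
    """Parse 'route' lines into (interface, network, next_hop) tuples.

    Lines that are not well-formed five-token route statements are skipped,
    so a larger config excerpt can be fed in unchanged.
    """
    routes = []
    for line in config.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0].lower() != "route":
            continue
        _, ifc, net, mask, next_hop = parts
        # ipaddress accepts "network/dotted-mask"; strict=False tolerates host bits.
        network = ipaddress.ip_network(f"{net}/{mask}", strict=False)
        routes.append((ifc, network, ipaddress.ip_address(next_hop)))
    return routes


def lookup(routes, dst):
    """Longest-prefix match for dst; returns (interface, next_hop) or None."""
    dst = ipaddress.ip_address(dst)
    best = None
    for ifc, network, next_hop in routes:
        if dst in network and (best is None or network.prefixlen > best[1].prefixlen):
            best = (ifc, network, next_hop)
    return None if best is None else (best[0], str(best[2]))


def egress_for(config, dst):
    """Interface and next hop the static table selects for traffic to dst."""
    return lookup(parse_routes(config), dst)


def compare_tables(config_a, config_b, destinations):
    """Return {dst: (egress under A, egress under B)} for every destination
    whose egress differs between the two tables. With the thread's routes this
    is exactly the set of hosts whose return traffic moves from INSIDE to MGMT
    once the more specific MGMT route is added."""
    diff = {}
    for dst in destinations:
        a, b = egress_for(config_a, dst), egress_for(config_b, dst)
        if a != b:
            diff[dst] = (a, b)
    return diff


if __name__ == "__main__":
    # Constructed destinations: a user host, a host in another inside subnet,
    # and the management-side L3 device.
    hosts = ["10.200.1.25", "10.200.2.25", "10.150.1.10"]
    for dst in hosts:
        print(dst, "->", egress_for(ASA_ROUTES_WITH_MGMT, dst))
    print(compare_tables(ASA_ROUTES_INSIDE_ONLY, ASA_ROUTES_WITH_MGMT, hosts))
```

Running it shows that with the MGMT route present, every destination in 10.200.1.0/24 matches the /24 rather than the /8, so anything the ASA routes back to the user subnet (the question raised in the original post) is sent to 10.150.1.10 out MGMT, while 10.200.2.x still leaves via INSIDE; removing the MGMT route sends 10.200.1.x back via INSIDE as well.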

Hello All,

Can anyone help me with this?

Under your management interface, does it say management-only?

yes
