Routing and management issues on ASA

Answered Question
Sep 12th, 2007

I have a unique situation I think and I have been beating my head on the wall for a few hours so I figured I would let you guys chime in.


We are replacing a Pix 515 with an ASA 5520. So far so good, the clients are working. However, I cannot get management traffic to flow correctly.


The client has a ton of VLANs, including VLAN 200, which they use for management. Therefore my ASA and SSM management ports are in the 10.1.200.x range. I currently can manage the unit from a workstation in the 200 range, but that's where things quit working. They have four other admin stations that require access to the ASA. They are 10.1.102.100, 10.1.102.208 and 10.1.190.100. I have allowed all of these ranges, however I cannot connect to them. In troubleshooting I have narrowed this down to a routing issue.


The client has an odd WAN/PIX config.


OUTSIDE = Public Address

INSIDE = Private Network to ISA Server (The ISA is the real firewall for clients)

DMZ1 = Bypass network for Corporate entities coming from the outside to access the network, bypassing the ISA to access company resources.


Their routes look like this:


OUTSIDE 0.0.0.0/ x.x.x.x (nexthop public address for router1)

OUTSIDE x.x.0.0/16 (public address) x.x.x.x (nexthop public address for router2)

DMZ1 10.1.0.0 255.255.0.0 10.1.195.1 (Gateway for vlan195 on core network)


It is the DMZ1 route that is screwing me. When any address space other than 10.1.200.0 tries to connect to manage the ASA, I get bad route errors from the ASA. When you look them up, they state that the ASA does not support asymmetric routes. I understand all of this, but it has left me at a loss for what I should do to get management working for this client. I have enabled management on the INSIDE interface and allowed the PAT address for the ISA server to admin the ASA, but so far that appears to only half work. Some workstations can get to ASDM but crash at 50% load and are unable to SSH or telnet to the system. My workstation cannot get ASDM, SSH or Telnet at all through the inside interface.


Any help would be appreciated.

JORGE RODRIGUEZ Wed, 09/12/2007 - 09:16

Hi Josh, I don't think you have a routing issue. Can you ping from the ASA hosts on the inside and DMZ1 and vice versa?


If you want to manage the ASA from any subnet, configure ASA management for telnet and/or http to allow any subnet from the inside and/or DMZ1.


e.g.


telnet 0.0.0.0 0.0.0.0 inside

telnet 0.0.0.0 0.0.0.0 DMZ1


http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 DMZ1




As far as SSH to manage the ASA from outside, have you configured the ASA for SSH?


[edit] can you post config as well, strip out public IP info.


HTH

Jorge




cratejockey Wed, 09/12/2007 - 09:45

Thanks Jorge,


I posted the config. Yes I can ping from ASA to HOST and from HOST to ASA.


I would prefer not to have all but my outside interfaces set up for management. I would clearly like to just stick with Management. However, Inside would be acceptable. For whatever reason, though, using ASDM through the ISA does not appear to work even with all IP traffic allowed through the ISA.


Thanks for your help.

cratejockey Wed, 09/12/2007 - 09:38

Not really sure what you are asking. As for it not being a routing issue I would love for it not to be. I'll post the clean config and give you guys a few min to review.


Thanks for your help so far.



a.alekseev Wed, 09/12/2007 - 09:53

http 10.1.190.0 255.255.255.0 management

http 10.1.190.100 255.255.255.255 management

http 10.1.102.100 255.255.255.255 management

http 10.1.102.208 255.255.255.255 management

http 10.1.200.0 255.255.255.0 management


You must have routes for 10.1.190.0/24, 10.1.102.100/32, 10.1.102.208/32 and 10.1.200.0/24 through the management interface.

cratejockey Wed, 09/12/2007 - 10:39

Thanks for the reply. That was the first config I tried. For every host I created a route to through the management interface, it broke required services on the network for those hosts. It fixes my ASDM issue but hoses everything else.

JORGE RODRIGUEZ Wed, 09/12/2007 - 10:27

Hi Josh, quick question: for SSH, have you followed the SSH requirements process, such as generating RSA keys, etc.?


Also, I do not see routes on the ASA for the 10.1.190.x, 102 or 200 networks.


Let me take a careful look at the config.


cratejockey Wed, 09/12/2007 - 10:41

I have generated my RSA keys. However, something odd is going on there too. In the interim, for fixing that I have just enabled telnet till I can get these bugs ironed out.


The route for the 10.1 networks is shown in DMZ1 as

DMZ 10.1.0.0 255.255.0.0 10.1.195.1


I'm thinking that the answer is, as our friendly CCIE stated, that I must have the routes on my management interface. If so, I'm not sure what to try next.


Again, thanks for your help.

JORGE RODRIGUEZ Wed, 09/12/2007 - 10:52

Yes, that is correct; also, as Aleksey stated, specify routes for the 10.1.190.x, 102.x and 200.x networks through the management0/0 interface and you should be all set.



Jorge

cratejockey Wed, 09/12/2007 - 10:57

Again, I cannot set the routes to the management interface. It breaks my communications with corporate resources that live on the outside of the OUTSIDE interface. That's the whole problem.

Correct Answer
a.alekseev Wed, 09/12/2007 - 12:05

Forget about the management interface.

Shut it down.


Now,

What is the right interface to reach these networks?


Just change the following rules according to their location (inside, outside, dmz):

http 10.1.190.0 255.255.255.0 management

http 10.1.190.100 255.255.255.255 management

http 10.1.102.100 255.255.255.255 management

http 10.1.102.208 255.255.255.255 management

http 10.1.200.0 255.255.255.0 management

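The question in the accepted answer ("what is the right interface to reach these networks?") is a longest-prefix-match lookup against the ASA's single routing table. The script below is an added example, not code from the thread or from Cisco: it rebuilds the route table and the `http ... management` rules from the posts, works out which interface the ASA would actually use to reply to each admin station, flags the rules whose named interface does not match (the condition the ASA reports as a bad/asymmetric route for traffic to itself), emits the corrected rule lines, and shows why the earlier suggestion of pinning a /32 host route to management0/0 pulls that host's transit traffic onto the management interface. The public next hop 198.51.100.1 and the management-side gateway 10.1.200.1 are constructed placeholders; the 10.1.200.0/24 connected route on management0/0 is assumed from the statement that the ASA's management address lives in 10.1.200.x.

```python
"""Audit ASA http/ssh/telnet management rules against the route table.

Added example for the thread above, not the poster's config. Assumes one
routing table shared by every interface, which is what the thread describes.
"""
import ipaddress

# (interface, network, next hop) -- rebuilt from the routes in the thread.
# Public addresses were redacted in the post; 198.51.100.1 is a placeholder.
ROUTES = [
    ("OUTSIDE",    "0.0.0.0/0",     "198.51.100.1"),  # default via router1 (placeholder)
    ("DMZ1",       "10.1.0.0/16",   "10.1.195.1"),    # core gateway on vlan195
    ("management", "10.1.200.0/24", None),            # assumed connected: ASA mgmt address is 10.1.200.x
]

# Management-access rules exactly as the poster had them: every one names "management".
ACCESS_RULES = [
    ("http", "10.1.190.0/24",   "management"),
    ("http", "10.1.190.100/32", "management"),
    ("http", "10.1.102.100/32", "management"),
    ("http", "10.1.102.208/32", "management"),
    ("http", "10.1.200.0/24",   "management"),
]


def parse_routes(routes):
    """Turn the (iface, cidr, next_hop) tuples into real network objects."""
    return [(iface, ipaddress.ip_network(net), nh) for iface, net, nh in routes]


def egress_interface(addr, routes):
    """Longest-prefix match: the interface the ASA will send a reply to addr out of."""
    addr = ipaddress.ip_address(addr)
    best = None
    for iface, net, _ in routes:
        if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (iface, net)
    return best[0] if best else None


def audit_rules(rules, routes):
    """Compare the interface each rule names with the interface the reply
    would really leave on. A mismatch is the asymmetric-route condition the
    ASA rejects for management traffic to itself."""
    routes = parse_routes(routes)
    report = []
    for proto, src, named in rules:
        net = ipaddress.ip_network(src)
        # A /32 is one host; for a wider range check its first address.
        actual = egress_interface(net.network_address, routes)
        report.append((proto, src, named, actual, named == actual))
    return report


def corrected_rules(rules, routes):
    """Rewrite each rule in ASA syntax so it names the interface that reaches the source."""
    lines = []
    for proto, src, _named, actual, _ok in audit_rules(rules, routes):
        net = ipaddress.ip_network(src)
        lines.append(f"{proto} {net.network_address} {net.netmask} {actual}")
    return lines


def with_host_route(routes, host, via_iface, next_hop):
    """Model the earlier suggestion: add a /32 route for one admin host via
    management0/0. Returns the new table so the side effect can be inspected:
    every packet for that host, transit traffic included, now leaves via
    management0/0, which is why it broke services for those hosts."""
    return routes + [(via_iface, f"{host}/32", next_hop)]


if __name__ == "__main__":
    for proto, src, named, actual, ok in audit_rules(ACCESS_RULES, ROUTES):
        print(f"{'OK ' if ok else 'BAD'} {proto} {src}: rule says {named}, route says {actual}")
    print("\nCorrected rules:")
    print("\n".join(corrected_rules(ACCESS_RULES, ROUTES)))
    pinned = with_host_route(ROUTES, "10.1.102.100", "management", "10.1.200.1")  # constructed gateway
    print("\nWith a /32 host route via management0/0, 10.1.102.100 is reached via",
          egress_interface("10.1.102.100", parse_routes(pinned)))
```

Running it prints four BAD lines (the 10.1.190.x and 10.1.102.x sources are reached via DMZ1, not management), one OK line for 10.1.200.0/24, and the rewritten `http ... DMZ1` statements. The same lookup applies to `ssh` and `telnet` rules; and the host-route experiment at the end reproduces the complaint later in the thread that a network the ASA forwards traffic for cannot also be reached through the management interface while there is only one routing table.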

cratejockey Wed, 09/12/2007 - 22:48

That did it, thanks guys! You have been a huge help. I guess I just had to wrap my head around not using a DMZ as a DMZ :) Anyway, I'm going to keep the TAC case open so they can help me decide if the current routing scheme will be an issue with VPN. Again, thanks for your help.

mweske Wed, 10/03/2007 - 10:41

I was told by the TAC that I could not have a network that would need to pass through the ASA able to use the management network! In my opinion this makes the management network worthless. I did not want to manage through the inside interface, but was told by TAC that was the only choice. They need a separate routing table for the management interface, but I do not expect to see that happen.
