I have a unique situation, I think, and I have been beating my head against the wall for a few hours, so I figured I would let you guys chime in.
We are replacing a PIX 515 with an ASA 5520. So far so good; the clients are working. However, I cannot get management traffic to flow correctly.
The client has a ton of VLANs, including VLAN 200, which they use for management. Therefore my ASA and SSM management ports are in the 10.1.200.x range. I currently can manage the unit from a workstation in the 200 range, but that's where things quit working. They have four other admin stations that require access to the ASA. They are 10.1.102.100, 10.1.102.208 and 10.1.190.100. I have allowed all of these ranges; however, I cannot connect from them. In troubleshooting I have narrowed this down to a routing issue.
The client has an odd WAN/PIX config.
OUTSIDE = Public Address
INSIDE = Private Network to ISA Server (The ISA is the real firewall for clients)
DMZ1 = Bypass network for corporate entities coming from the outside, used to bypass the ISA and access company resources.
Their routes look like this:
OUTSIDE 0.0.0.0/ x.x.x.x (nexthop public address for router1)
OUTSIDE x.x.0.0/16 (public address) x.x.x.x (nexthop public address for router2)
DMZ1 10.1.0.0 255.255.0.0 10.1.195.1 (Gateway for vlan195 on core network)
It is the DMZ1 route that is screwing me. When any address space other than 10.1.200.0 tries to connect to manage the ASA, I get bad route errors from the ASA. When you look them up, they state that the ASA does not support asymmetric routes. I understand all of this, but it has left me at a loss for what I should do to get management working for this client. I have enabled management on the INSIDE interface and allowed the PAT address for the ISA server to admin the ASA, but so far that appears to only half work. Some workstations can get to ASDM but crash at 50% load and are unable to SSH or telnet to the system. My workstation cannot get ASDM, SSH or Telnet at all through the inside interface.
Any help would be appreciated.
Forget about the management interface.
Which is the right interface to reach these networks?
Just change the following rules according to their location (inside, outside, dmz):
http 10.1.190.0 255.255.255.0 management
http 10.1.190.100 255.255.255.255 management
http 10.1.102.100 255.255.255.255 management
http 10.1.102.208 255.255.255.255 management
http 10.1.200.0 255.255.255.0 management
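To make that answer concrete, here is an added example configuration that is not part of the thread. It follows the routing table the original poster gave: the 10.1.0.0/16 route points out DMZ1, so the ASA will send replies to 10.1.102.x and 10.1.190.x through that interface, and the `http`/`ssh` statements for those stations have to name that interface rather than `management`, or the box rejects the session as asymmetrically routed (the "bad route" message in the post). The interface names `inside`, `dmz1` and `management` are assumptions; the post does not give the actual nameif values, and the PAT address in the last block is a placeholder.

```text
! Added example, not from the original post. Interface names "inside",
! "dmz1" and "management" are assumed; substitute the real nameif values.
!
! Route taken from the post: 10.1.0.0/16 is reached via DMZ1 (next hop
! 10.1.195.1). Replies to 10.1.102.x and 10.1.190.x will leave via dmz1,
! so management access for those hosts must be granted on dmz1.
route dmz1 10.1.0.0 255.255.0.0 10.1.195.1 1

http server enable
! The local management VLAN keeps using the management interface
http 10.1.200.0 255.255.255.0 management
! Remote admin stations are bound to the interface their route uses
http 10.1.102.100 255.255.255.255 dmz1
http 10.1.102.208 255.255.255.255 dmz1
http 10.1.190.100 255.255.255.255 dmz1

! Same rule for SSH: the interface argument follows the route, not the VLAN
crypto key generate rsa modulus 2048
ssh version 2
ssh 10.1.200.0 255.255.255.0 management
ssh 10.1.102.100 255.255.255.255 dmz1
ssh 10.1.102.208 255.255.255.255 dmz1
ssh 10.1.190.100 255.255.255.255 dmz1

! If an admin station instead reaches the ASA through the ISA server's PAT
! address on inside, the ASA must also route that source back out inside,
! and the http/ssh entries must name inside and the PAT address.
! (10.1.1.50 and the next hop are placeholders, not values from the post.)
! route inside 10.1.1.50 255.255.255.255 <inside-next-hop> 1
! http 10.1.1.50 255.255.255.255 inside
! ssh  10.1.1.50 255.255.255.255 inside

! Verify which interface the ASA will use for a given manager:
! show route
! show running-config http
! show running-config ssh
```

The check to do before committing any of this is `show route` for each admin station's address: whichever interface the longest-matching route uses is the one the `http` and `ssh` lines must name. A host that arrives on one interface but whose reply route leaves through another will keep producing the bad route error no matter which interface is listed in the access statements.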