Routing and management issues on ASA

cratejockey
Level 1

I have a unique situation I think and I have been beating my head on the wall for a few hours so I figured I would let you guys chime in.

We are replacing a Pix 515 with an ASA 5520. So far so good; the clients are working. However, I cannot get management traffic to flow correctly.

The client has a ton of VLANs, including VLAN 200, which they use for management. Therefore my ASA and SSM management ports are in the 10.1.200.x range. I currently can manage the unit from a workstation in the 200 range, but that's where things quit working. They have four other admin stations that require access to the ASA. They are 10.1.102.100, 10.1.102.208 and 10.1.190.100. I have allowed all of these ranges; however, I cannot connect to them. In troubleshooting I have narrowed this down to a routing issue.

The client has an odd WAN/PIX config.

OUTSIDE = Public Address

INSIDE = Private Network to ISA Server (The ISA is the real firewall for clients)

DMZ1 = Bypass network for corporate entities coming from the outside to access the network, bypassing the ISA to reach company resources.

Their routes look like this:

OUTSIDE 0.0.0.0/0 x.x.x.x (nexthop public address for router1)

OUTSIDE x.x.0.0/16 (public address) x.x.x.x (nexthop public address for router2)

DMZ1 10.1.0.0 255.255.0.0 10.1.195.1 (Gateway for vlan195 on core network)

It is the DMZ1 route that is screwing me. When any address space other than 10.1.200.0 tries to connect to manage the ASA, I get bad route errors from the ASA. When you look them up, they state that the ASA does not support asymmetric routes. I understand all of this, but it has left me at a loss for what I should do to get management working for this client. I have enabled management on the INSIDE interface and allowed the PAT address for the ISA server to admin the ASA, but so far that appears to only half work. Some workstations can get to ASDM but crash at 50% load and are unable to SSH or telnet to the system. My workstation cannot get ASDM, SSH or telnet at all through the inside interface.

Any help would be appreciated.


13 Replies

JORGE RODRIGUEZ
Level 10

Hi Josh, I don't think you have a routing issue. Can you ping from the ASA hosts on the inside and DMZ1, and vice versa?

If you want to manage the ASA from any subnet, configure ASA management for telnet and/or http to allow any subnet from the inside and/or DMZ1.

e.g.

telnet 0.0.0.0 0.0.0.0 inside

telnet 0.0.0.0 0.0.0.0 DMZ1

http 0.0.0.0 0.0.0.0 inside

http 0.0.0.0 0.0.0.0 DMZ1

As far as SSH to manage the ASA from outside, have you configured the ASA for SSH?

[edit] can you post config as well, strip out public IP info.

HTH

Jorge

Jorge Rodriguez

Thanks Jorge,

I posted the config. Yes I can ping from ASA to HOST and from HOST to ASA.

I would prefer not to have all but my outside interfaces set up for management. I would clearly like to just stick with Management. However, Inside would be acceptable. For whatever reason, though, using ASDM through the ISA does not appear to work, even with all IP traffic allowed through the ISA.

Thanks for your help.

a.alekseev
Level 7

Which interface is nearest to your admin workstation?

Not really sure what you are asking. As for it not being a routing issue I would love for it not to be. I'll post the clean config and give you guys a few min to review.

Thanks for your help so far.

http 10.1.190.0 255.255.255.0 management

http 10.1.190.100 255.255.255.255 management

http 10.1.102.100 255.255.255.255 management

http 10.1.102.208 255.255.255.255 management

http 10.1.200.0 255.255.255.0 management

you must have routes for 10.1.190.0/24, 10.1.102.100/32, 10.1.102.208/32, 10.1.200.0/24 through management interface

Thanks for the reply. That was the first config I tried. For every host I created a route to through the management interface it broke required service on the network for those hosts. It fixes my ASDM issue but hoses everything else.

Hi Josh, quick question: for SSH, have you followed the SSH requirements process, such as generating RSA keys etc.?

also , I do not see routes on the asa for 10.1.190.x, 102 or 200 networks.

Let me take a look carefully the config.

Jorge Rodriguez

I have generated my RSA keys. However, something odd is going on there too. In the interim, for fixing that I have just enabled telnet till I can get these bugs ironed out.

The route for the 10.1 networks is shown in DMZ1 as

DMZ 10.1.0.0 255.255.0.0 10.1.195.1

I'm thinking that the answer is, as our friendly CCIE stated, that I must have the routes in my management interface. If so, I'm not sure what to try next.

Again, thanks for your help.

Yes, that is correct , also as Aleksey stated it.. specify routes for 10.1.190.x 102.x and 200.x networks through management0/0 interface and you should be all set.

Jorge

Jorge Rodriguez

Again, I cannot set the routes to the management interface. It breaks my communications with corporate resources that live on the outside of the OUTSIDE interface. That's the whole problem.

Forget about the management interface.

Shut it down.

Now,

What is the right interface to reach these networks?

Just change the following rules according to their location (inside, outside, dmz):

http 10.1.190.0 255.255.255.0 management

http 10.1.190.100 255.255.255.255 management

http 10.1.102.100 255.255.255.255 management

http 10.1.102.208 255.255.255.255 management

http 10.1.200.0 255.255.255.0 management

That did it, thanks guys! You have been a huge help. I guess I just had to wrap my head around not using a DMZ as a DMZ :) Anyway, I'm going to keep the TAC case open so they can help me decide if the current routing scheme will be an issue with VPN. Again, thanks for your help.

I was told by the TAC that I could not have a network that would need to pass through the ASA able to use the management network! In my opinion this makes the management network worthless. I did not want to manage through the inside interface, but was told by TAC that was the only choice. They need a separate routing table for the management interface, but I do not expect to see that happen.
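The accepted answer (rebind the http rules to the interface that actually reaches the admin networks) and the closing note about the management interface sharing the firewall's single routing table both come down to two checks the ASA makes. The model below is an added illustration written for this page, not Cisco code and not the configuration from the thread: it keeps one routing table for every interface, Management0/0 included, treats that interface as management-only (no through-traffic), and requires a management session's reply to leave on the interface it arrived on plus a matching http rule on that interface. Interface names and the 10.1.x addresses are the ones quoted in the thread; the management gateway 10.1.200.1, the corporate host 192.0.2.10 used as a transit source, and the placeholder text for the elided public next hop are assumptions. It does not model the ISA's PAT, the `management-access` command, or VPN.

```python
import ipaddress
from dataclasses import dataclass, field

# Interface names and 10.1.x addresses are taken from the thread. Assumed for the
# illustration: the management gateway 10.1.200.1, the constructed corporate host
# 192.0.2.10, and a placeholder string for the public next hop the thread elides.


@dataclass
class Route:
    iface: str
    prefix: ipaddress.IPv4Network
    nexthop: str


@dataclass
class AsaModel:
    """Simplified ASA: one routing table shared by every interface (Management0/0
    included), per-interface 'http' rules, and a set of management-only
    interfaces that forward no through-traffic."""
    routes: list
    http_rules: dict                      # interface name -> permitted networks
    management_only: set = field(default_factory=set)

    def egress(self, dst):
        """Longest-prefix match; the interface a packet to dst leaves on."""
        dst = ipaddress.ip_address(dst)
        best = None
        for r in self.routes:
            if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best.iface if best else None

    def management_ok(self, src, mgmt_iface):
        """Can src open ASDM/HTTPS to the IP of mgmt_iface? The reply must leave on
        the interface the session arrived on (asymmetric flows are dropped), and
        src must match an http rule bound to that same interface."""
        ret_iface = self.egress(src)
        if ret_iface != mgmt_iface:
            return False, f"reply to {src} routes out {ret_iface}, not {mgmt_iface}: asymmetric, dropped"
        if not any(ipaddress.ip_address(src) in net for net in self.http_rules.get(mgmt_iface, [])):
            return False, f"{src} matches no http rule on {mgmt_iface}"
        return True, mgmt_iface

    def transit_ok(self, src, dst):
        """Can a through-the-box flow src -> dst be forwarded? A route pointing out
        a management-only interface blackholes it."""
        out = self.egress(dst)
        if out is None:
            return False, f"no route to {dst}"
        if out in self.management_only:
            return False, f"route to {dst} points out {out}, which forwards no through-traffic"
        return True, out


BASE_ROUTES = [
    Route("OUTSIDE", ipaddress.ip_network("0.0.0.0/0"), "router1 (public next hop elided in thread)"),
    Route("DMZ1", ipaddress.ip_network("10.1.0.0/16"), "10.1.195.1"),
    Route("management", ipaddress.ip_network("10.1.200.0/24"), "connected"),
]
ADMINS = ["10.1.102.100", "10.1.102.208", "10.1.190.100"]
ADMIN_NETS = [ipaddress.ip_network(a + "/32") for a in ADMINS]
MGMT_NET = ipaddress.ip_network("10.1.200.0/24")


def original_config():
    """The thread's starting point: every http rule bound to the management interface."""
    return AsaModel(list(BASE_ROUTES), {"management": ADMIN_NETS + [MGMT_NET]}, {"management"})


def route_via_management():
    """The first attempted fix: host routes for the admin stations out Management0/0."""
    asa = original_config()
    asa.routes = asa.routes + [Route("management", n, "10.1.200.1") for n in ADMIN_NETS]
    return asa


def accepted_solution():
    """The accepted answer: no management routes; rules rebound to the interface
    whose route reaches 10.1.0.0/16, here DMZ1."""
    return AsaModel(list(BASE_ROUTES), {"DMZ1": ADMIN_NETS, "management": [MGMT_NET]}, {"management"})


def report():
    """Run the three configurations against the symptoms described in the thread."""
    corp = "192.0.2.10"   # constructed corporate host beyond the OUTSIDE interface
    out = {}
    for name, asa in [("original", original_config()),
                      ("route via management", route_via_management()),
                      ("accepted solution", accepted_solution())]:
        out[name] = {
            "admin 10.1.190.100 -> management IP": asa.management_ok("10.1.190.100", "management"),
            "admin 10.1.190.100 -> DMZ1 IP": asa.management_ok("10.1.190.100", "DMZ1"),
            "corp -> 10.1.190.100 transit": asa.transit_ok(corp, "10.1.190.100"),
        }
    return out


if __name__ == "__main__":
    for name, checks in report().items():
        print(name)
        for label, (ok, why) in checks.items():
            print(f"  {'OK  ' if ok else 'FAIL'} {label}: {why}")
```

Running it reproduces the three states of the thread: with the rules on the management interface, a 10.1.190.100 session fails the symmetry check because the only route back to it is the 10.1.0.0/16 entry out DMZ1; adding a more specific host route out Management0/0 makes that session pass but diverts every transit packet for the same host into an interface that forwards nothing, which is the breakage reported after the first fix; binding the rules to DMZ1 and managing the DMZ1 address satisfies both checks without touching the routing table. The same reasoning applies if the sources are reached through inside instead, as TAC advised.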
