I have a quick question about something I'm having trouble getting to work. I have 3 pairs of ASAs and have set up a network for all their management interfaces. This network resides only within the firewalls, and I want anyone that accesses that network to manage those firewalls to go through the firewall. So I was wondering if it's possible to allow connections originating from the inside to reach the mgmt. interface? Having a little trouble getting this to work. (Management interfaces are off in their own DMZ and can only access the mgmt. network through the FW. Inside has a security level of 100 and the mgmt. network has a security level of 100, and I'm allowing traffic to pass through interfaces with the same security level.)

abinjola Wed, 02/13/2008 - 11:12

The Management port can only pass traffic and act as an Ethernet port if you have a Security Plus license.

In case you do have a Security Plus license, add the command no man-only under interface man0/0.

I've got that command but it doesn't seem to help. Because I'm migrating from Check Point FWs to ASA, the mgmt. network lives through the Check Point, and once the Check Points get phased out we'll just have the ASA. While I'm doing parallel testing I've done some PBR to force source traffic for test machines through the ASA. The only problem with this is that everything works fine but I just can't manage the ASA, because the ASA receives the traffic on its inside interface and can't switch it over to the mgmt. interface. I'm not sure if it just isn't switching it over or if the mgmt. int. receives it and doesn't know what to do with it.

abinjola Wed, 02/13/2008 - 12:23

OK, so you have a Security Plus license?

You need access from inside to DMZ, both at the same security level. Firstly, tell me: is it possible for you to lower the security level of management to 99 or lower? If yes, then let me know and I can suggest the required config.

abinjola Wed, 02/13/2008 - 12:49

interface man0/0

no man-only

config#static (inside,mgmt) netmask

x.x.x.x-->host/subnet on inside

add an access-list on the DMZ to permit the traffic through to inside (open icmp any any as well)

Now try to ping a server on the DMZ from inside.

abinjola Wed, 02/13/2008 - 13:07

Not clear enough to me.

What's your requirement?

Where would you initiate the traffic from?

To where?

From where did you try to ping? From an inside host to the management interface?

My requirement is to only allow access to the ASA's mgmt. interface through the ASA, so that the traffic is inspected and the network is secured.

Traffic would initiate from the inside to the management interface and back through the inside interface. I attached a .vsd if you want to look at the setup.

I tried to ping from an inside host to the mgmt. interface. I do however have a CSM on that network, but its gateway is set to the Check Point firewall because the mgmt. network currently exists through them. So I didn't want to ping that host, because I knew that even if the traffic got routed over to the mgmt. interface it would go back the other way (asymmetric routing).

Here is a .vsd I put together real quick to give you an idea of how it's set up.

abinjola Wed, 02/13/2008 - 13:48

Asymmetrical routing is not supported on the ASA in single context.

What you are trying to achieve is traffic from inside going out through the management interface while the return reply hits the inside, which is not possible because of the stateful behaviour.

abinjola Wed, 02/13/2008 - 15:41

int man 0/0

no man-only

security-level 99

static (inside, management) 10.x.x.x 10.x.x.x

See if this works!

That didn't seem to work. When I do a debug ICMP trace while I ping the mgmt. interface I just see the request and never a reply. I have allowed the host to ping all interfaces.

ICMP echo request from 10.x.x.202 to 10.x.x.70 ID=768 seq=34563 len=32

interface Management0/0

nameif management

security-level 99

ip address 10.x.x.70 standby 10.x.x.71

icmp permit 10.x.x.0 management

static (Inside,management) 10.x.x.202 10.x.x.202 netmask

route Inside 10.x.x.202 10.x.203.6

I also have an ACL applied on the inside to allow all IP from 10.x.x.0/24 to mgmt.

abinjola Thu, 02/14/2008 - 08:00

Add this:

access-l mgmt permit icmp any any

access-g mgmt in interface management

See if you get a ping reply back.

Nope. I'm thinking I'm going to create a new private VLAN and place these mgmt. interfaces in this VLAN, mainly because there is the potential to have other devices on this VLAN for our CRO team. Or do you think what I'm trying to do should work?

access-list mgmt permit icmp any any

access-group mgmt in interface management

ICMP echo request from to ID=768 seq=34564 len=32

ICMP echo request from to ID=768 seq=34820 len=32

ICMP echo request from to ID=768 seq=35076 len=32

abinjola Thu, 02/14/2008 - 08:14

Ahhhhh... are you trying to ping the management interface??? If yes, then you would NEVER be able to ping the management interface (that's by design).

But if you try to ping a host connected to the management interface from a host on inside, you must get a response back.

abinjola Thu, 02/14/2008 - 08:26

Yes, in that case it will work.

See, if you don't have the ICMP request passing through the ASA to hit the management interface, in that case you are just pinging a host connected at the far end, which is allowed.

However, you can't ping INDIRECTLY connected INTERFACES through the ASA.

Let me search for a link that explains this.

abinjola Thu, 02/14/2008 - 08:36

Can't ping/ssh/https to any indirectly connected interfaces through the ASA.
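For reference, here is a consolidated version of the configuration this thread converges on (Security Plus license, management port taken out of management-only mode, security level dropped to 99, identity static, ACLs on both sides), written in pre-8.3 ASA syntax, followed by the check a practitioner would run before guessing: packet-tracer, which reports the phase (route lookup, ACL, NAT, interface) at which the ASA permits or drops a simulated packet. This is an added example, not configuration posted by either participant; the addresses (10.0.3.0/24 behind an inside router at 10.0.1.254, 10.0.2.0/24 on the management segment), interface names and ACL names are assumptions. The packet-tracer target is a host on the management segment rather than the management interface's own address, consistent with the last reply in the thread.

```cisco
! Added example: keep same-security forwarding on, as in the original design
same-security-traffic permit inter-interface
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.1.1 255.255.255.0 standby 10.0.1.2
!
interface Management0/0
 nameif management
 security-level 99
 ip address 10.0.2.70 255.255.255.0 standby 10.0.2.71
 ! Let the port forward traffic instead of only terminating management sessions
 no management-only
!
! Inside test hosts sit behind a router; the ASA needs a route back to them
route inside 10.0.3.0 255.255.255.0 10.0.1.254 1
!
! Identity static: the test host keeps its address when it crosses to management
static (inside,management) 10.0.3.202 10.0.3.202 netmask 255.255.255.255
!
! Inbound on inside: permit the test subnet to reach the management segment
access-list inside_in extended permit ip 10.0.3.0 255.255.255.0 10.0.2.0 255.255.255.0
access-group inside_in in interface inside
!
! Inbound on management: permit ICMP as suggested in the thread
access-list mgmt extended permit icmp any any
access-group mgmt in interface management
!
! ICMP to the management interface's own address, for sources arriving on that interface
icmp permit 10.0.2.0 255.255.255.0 management
!
! Check: simulate an echo request (type 8, code 0) from the inside test host to a
! management-segment host and read which phase allows or drops it
packet-tracer input inside icmp 10.0.3.202 8 0 10.0.2.50 detailed
```

If packet-tracer shows the flow allowed but a real ping still gets no reply, the remaining suspect is the return path: the management-segment host must route 10.0.3.0/24 back via the ASA's management address (10.0.2.70 here), not via another firewall, or the reply never reaches the stateful connection the ASA built.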


