Access the Management Interface/Network through the ASA firewall

brian.pitts
Level 5

I have a quick question that I'm having trouble getting to work. I have 3 pairs of ASAs and have set up a network for all their management interfaces. This network only resides within the firewalls, and I want anyone that accesses that network to manage those firewalls to go through the firewall. So I was wondering if it's possible to allow connections originating from the inside to the mgt. interface? Having a little trouble getting this to work. (Management interfaces are off in their own DMZ and can only access the mgt. network through the FW. Inside has a security level of 100 and the mgt. network has a security level of 100, and I'm allowing traffic to pass through interfaces with the same security level.)

19 Replies

abinjola
Cisco Employee

The management port can only pass traffic and act as an Ethernet port if you have a Security Plus license.

In case you do have a Security Plus license, add the command no man-only from interface man0/0.

I've got that command but it doesn't seem to help. Because I'm migrating from CheckPoint FWs to ASA, the mgt. network lives through the CheckPoint, and once the CheckPoints get phased out we'll just have the ASA. While I'm doing parallel testing I've done some PBR to force source traffic for test machines through the ASA. The only problem with this is that everything works fine, but I just can't manage the ASA because the ASA receives the traffic on its inside interface and it can't switch it over to the mgt. interface. I'm not sure if it just isn't switching it over or if the mgt. int. receives it and doesn't know what to do with it.

OK, so you have a Security Plus license?

You need access from inside to DMZ, both at the same security level. Firstly, tell me: is it possible for you to lower the security level of management to 99 or lower? If yes, then let me know and I can suggest you the required config...

Yes I can. I set it to 99. I did have "allow interfaces with the same security level" to flow between each other. I also still have my ACLs to allow the traffic to and from my host to the management IP.

interface man0/0

no man-only

config#static (inside,mgmt) netmask 255.255.255.255

x.x.x.x-->host/subnet on inside

add an access-l on dmz to permit the traffic through to inside (open icmp any any as well)

now try to ping a server on dmz from inside

I don't have a server on that LAN; it's just the ASA mgt. interface. I did do that and I tried to ping, to no avail. I wanted to secure this mgt. network and force any traffic to an ASA mgt. network to go through a firewall.

Not clear enough to me.

What's your requirement?

Where would you initiate the traffic from?

To where?

From where did you try to ping? From an inside host to the management interface?

My requirement is to only allow access to the ASA's mgt. interface through the ASA, so that the traffic is inspected and the network is secured.

Traffic would initiate from the inside to the management interface and back through the inside interface. I attached a .vsd if you want to look at the setup.

I tried to ping from an inside host to the mgt. interface. I do however have a CSM on that network, but its gateway is set to the CheckPoint firewall because the mgt. network currently exists through them. So I didn't want to ping that host because I knew that even if the traffic got routed over to the mgt. interface it would go back the other way (asymmetric routing).

Here is a vsd I put together real quick to kind of give you an idea of how it's set up.

Asymmetrical routing is not supported on ASA in single context.

What you are trying to achieve is traffic from inside going through the management interface; however, the return reply hits the inside, which is not possible because of the stateful behaviour.

I would like to have a host 10.x.x.x be able to go through the inside interface of the ASA to get to the mgt. interface of that same ASA, and then the return traffic go back out the same way it came in.

inside to >>>> Mgt Interface.

Return traffic

Mgt. Interface to >>>>inside.

int man 0/0

no man-only

security-level 99

static (inside, management) 10.x.x.x 10.x.x.x

see if this works!

That didn't seem to work. When I do a debug ICMP trace while I ping the mgt. interface, I just see the request and never a reply. I have allowed the host to ping all interfaces.

ICMP echo request from 10.x.x.202 to 10.x.x.70 ID=768 seq=34563 len=32

interface Management0/0

nameif management

security-level 99

ip address 10.x.x.70 255.255.255.0 standby 10.x.x.71

icmp permit 10.x.x.0 255.255.255.0 management

static (Inside,management) 10.x.x.202 10.x.x.202 netmask 255.255.255.255

route Inside 10.x.x.202 255.255.255.255 10.x.203.6

I also have an ACL applied on the inside to allow all IP from 10.x.x.0/24 to mgt.

add this

access-l mgmt permit icmp any any

access-g mgmt in interface management

see if you get a ping reply back

Nope. I'm thinking I'm going to create a new private VLAN and place these mgt. interfaces in this VLAN, mainly because there is a potential to have other devices on this VLAN for our CRO team. Or do you think what I'm trying to do should work?

access-list mgmt permit icmp any any

access-group mgmt in interface management

ICMP echo request from 10.250.3.202 to 10.250.200.70 ID=768 seq=34564 len=32

ICMP echo request from 10.250.3.202 to 10.250.200.70 ID=768 seq=34820 len=32

ICMP echo request from 10.250.3.202 to 10.250.200.70 ID=768 seq=35076 len=32
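As an added illustration (not part of the thread), a small Python script that reads lines in the format the ASA's debug icmp trace prints, as quoted above, and lists every echo request that never saw a matching reply. The sample trace is constructed: it reuses the addresses quoted in the thread and adds one made-up flow that does get answered, so the one-way flow stands out.

```python
import re
from collections import defaultdict

# Matches the echo request / echo reply lines as printed by "debug icmp trace"
# (line shape taken from the trace output quoted in the thread).
ICMP_RE = re.compile(
    r"ICMP echo (?P<kind>request|reply) from (?P<src>\S+) to (?P<dst>\S+) "
    r"ID=(?P<id>\d+) seq=(?P<seq>\d+) len=(?P<len>\d+)"
)

# Constructed sample: the three unanswered requests from the thread plus one
# invented flow (to 10.250.3.1) that is answered, and one unrelated debug line.
SAMPLE_TRACE = [
    "ICMP echo request from 10.250.3.202 to 10.250.200.70 ID=768 seq=34564 len=32",
    "ICMP echo request from 10.250.3.202 to 10.250.3.1 ID=768 seq=1 len=32",
    "ICMP echo reply from 10.250.3.1 to 10.250.3.202 ID=768 seq=1 len=32",
    "ICMP echo request from 10.250.3.202 to 10.250.200.70 ID=768 seq=34820 len=32",
    "some unrelated debug output that the parser must ignore",
    "ICMP echo request from 10.250.3.202 to 10.250.200.70 ID=768 seq=35076 len=32",
]


def parse_trace(lines):
    """Yield one dict per line that matches the echo request/reply format."""
    for line in lines:
        m = ICMP_RE.search(line)
        if m:
            yield {**m.groupdict(), "id": int(m["id"]), "seq": int(m["seq"])}


def unanswered_requests(lines):
    """Return {(src, dst): [seq, ...]} for requests with no matching reply.

    A reply matches a request when it carries the same ICMP ID and sequence
    number and its src/dst are the request's dst/src. Replies without a
    request (orphans) are ignored.
    """
    pending = {}  # (src, dst, id, seq) -> True
    for pkt in parse_trace(lines):
        key = (pkt["src"], pkt["dst"], pkt["id"], pkt["seq"])
        if pkt["kind"] == "request":
            pending[key] = True
        else:  # reply: look up the request it answers
            pending.pop((pkt["dst"], pkt["src"], pkt["id"], pkt["seq"]), None)
    by_flow = defaultdict(list)
    for src, dst, _id, seq in pending:
        by_flow[(src, dst)].append(seq)
    return {flow: sorted(seqs) for flow, seqs in by_flow.items()}


if __name__ == "__main__":
    for (src, dst), seqs in unanswered_requests(SAMPLE_TRACE).items():
        print(f"{src} -> {dst}: {len(seqs)} request(s) never answered, seq {seqs}")
```

Run against a real capture of the trace, a flow that appears here with every sequence number is exactly the symptom in the thread: requests reaching the box on one interface and no reply ever leaving.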
