02-13-2008 10:37 AM - edited 03-11-2019 05:02 AM
I have a quick question that I'm having trouble getting to work. I have 3 pairs of ASAs and have set up a network for all their management interfaces. This network only resides within the firewalls, and I want anyone that accesses that network to manage those firewalls to go through the firewall. So I was wondering if it's possible to allow connections originating from the inside to reach the mgt. interface? Having a little trouble getting this to work. (Management interfaces are off in their own DMZ and the mgt. network can only be accessed through the FW. Inside has a security level of 100 and the mgt. network has a security level of 100, and I'm allowing traffic to pass through interfaces with the same security level.)
02-13-2008 11:12 AM
The Management port can only pass traffic and act as an Ethernet port if you have a Security Plus license.
If you do have a Security Plus license, add the command no management-only under interface Management0/0.
02-13-2008 12:15 PM
I've got that command but it doesn't seem to help. Because I'm migrating from CheckPoint FWs to ASA, the mgt. network lives through the CheckPoint, and once the CheckPoints get phased out we'll just have the ASA. While I'm doing parallel testing I've done some PBR to force source traffic for test machines through the ASA. The only problem with this is everything works fine but I just can't manage the ASA, because the ASA receives the traffic on its inside interface and it can't switch it over to the mgt. interface. I'm not sure if it just isn't switching it over or if the mgt. int. receives it and doesn't know what to do with it.
02-13-2008 12:23 PM
OK, so you have a Security Plus license?
You need access from inside to DMZ, both at the same security level. First, tell me: is it possible for you to lower the security level of management to 99 or lower? If yes, let me know and I can suggest the required config.
02-13-2008 12:42 PM
Yes, I can. I set it to 99. I did have "allow traffic between interfaces with the same security level" enabled so they could flow between each other. I also still have my ACLs to allow the traffic to and from my host to the management IP.
02-13-2008 12:49 PM
interface Management0/0
 no management-only
! x.x.x.x = host/subnet on inside; identity static so the inside address is reachable from the management side
static (inside,management) x.x.x.x x.x.x.x netmask 255.255.255.255
Add an access-list on the DMZ (management) interface to permit the traffic through to inside (open icmp any any as well).
Now try to ping a server on the DMZ from inside.
02-13-2008 01:04 PM
I don't have a server on that LAN, it's just the ASA mgt. interface. I did do that and I tried to ping, with no avail. I wanted to secure this mgt. network and force any traffic to an ASA mgt. network to go through a firewall.
02-13-2008 01:07 PM
Not clear enough to me.
What's your requirement?
Where would you initiate the traffic from?
To where?
From where did you try to ping? From an inside host to the management interface?
02-13-2008 01:41 PM
My requirement is to only allow access to the ASA's mgt. interface through the ASA, so that that traffic is inspected and the network is secured.
Traffic would initiate from the inside to the management interface and back through the inside interface. I attached a .vsd if you want to look at the setup.
I tried to ping from an inside host to the mgt. interface. I do however have a CSM on that network, but its gateway is set to the CheckPoint firewall because the mgt. network currently exists through them. So I didn't want to ping that host because I knew that even if the traffic got routed over to the mgt. interface it would go back the other way (asymmetric routing).
Here is a .vsd I put together real quick to kind of give you an idea of how it's set up.
02-13-2008 01:48 PM
Asymmetric routing is not supported on the ASA in single context.
What you are trying to achieve is traffic from inside going through the management interface, but the return reply hits the inside interface, which is not possible because of the stateful behaviour.
02-13-2008 03:09 PM
I would like to have a host 10.x.x.x be able to go through the inside interface of the ASA to get to the mgt. interface of that same ASA, and then have the return traffic go back out the same way it came in.
inside >>>> mgt. interface
Return traffic:
mgt. interface >>>> inside
02-13-2008 03:41 PM
interface Management0/0
 no management-only
 security-level 99
static (inside,management) 10.x.x.x 10.x.x.x netmask 255.255.255.255
See if this works!
02-14-2008 07:43 AM
That didn't seem to work. When I do a debug icmp trace while I ping the mgt. interface I just see the request and never a reply. I have allowed the host to ping all interfaces.
ICMP echo request from 10.x.x.202 to 10.x.x.70 ID=768 seq=34563 len=32
interface Management0/0
 nameif management
 security-level 99
 ip address 10.x.x.70 255.255.255.0 standby 10.x.x.71
icmp permit 10.x.x.0 255.255.255.0 management
static (Inside,management) 10.x.x.202 10.x.x.202 netmask 255.255.255.255
route Inside 10.x.x.202 255.255.255.255 10.x.203.6
I also have an ACL applied on the inside to allow all IP from 10.x.x.0/24 to mgt.
02-14-2008 08:00 AM
Add this:
access-list mgmt permit icmp any any
access-group mgmt in interface management
See if you get a ping reply back.
02-14-2008 08:10 AM
Nope. I'm thinking I'm going to create a new private VLAN and place these mgt. interfaces in this VLAN, mainly because there is a potential to have other devices on this VLAN for our CRO team. Or do you think what I'm trying to do should work?
access-list mgmt permit icmp any any
access-group mgmt in interface management
ICMP echo request from 10.250.3.202 to 10.250.200.70 ID=768 seq=34564 len=32
ICMP echo request from 10.250.3.202 to 10.250.200.70 ID=768 seq=34820 len=32
ICMP echo request from 10.250.3.202 to 10.250.200.70 ID=768 seq=35076 len=32
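Added note for readers of this thread (not part of the original posts): the symptom shown above, an echo request logged on Inside with no reply, is consistent with a documented ASA restriction rather than an ACL or NAT problem. Traffic addressed to one of the ASA's own interface IPs must arrive on that interface; the ASA does not accept to-the-box traffic for a far-side interface address that enters through a different interface (the exception is management-access over a VPN tunnel), so the static and the ICMP permits cannot make 10.250.200.70 answer a ping entering on Inside. The commands below are an added example of how to confirm this on the box; they assume the nameifs Inside and management and the addresses quoted in the thread.

```text
! Added example, not from the original thread. Assumes nameif "Inside" and
! "management" and the thread's addresses (10.250.3.202 -> 10.250.200.70).

! 1. Confirm Management0/0 is no longer restricted to management-only traffic
!    (on a 5510 this needs the Security Plus license to act as a data port):
ciscoasa# show running-config interface Management0/0
interface Management0/0
 nameif management
 security-level 99
 ip address 10.250.200.70 255.255.255.0 standby 10.250.200.71
!    If "management-only" is still present, remove it:
ciscoasa(config)# interface Management0/0
ciscoasa(config-if)# no management-only

! 2. Trace the exact failing flow instead of relying on debug icmp trace.
!    Each Phase reports ALLOW or DROP; the first DROP and its Drop-reason
!    identify which check (ACL, NAT, route, to-the-box policy) rejected it:
ciscoasa# packet-tracer input Inside icmp 10.250.3.202 8 0 10.250.200.70

! 3. Sanity checks for interface reachability:
!    host on 10.250.200.0/24 -> 10.250.200.70        expected to answer
!    host on Inside          -> Inside interface IP   expected to answer
!    host on Inside          -> 10.250.200.70         the unsupported far-side case
```

If the management network must be reachable only through the firewall, the practical pattern is to put the management interfaces on their own VLAN behind a DMZ-facing data interface of the ASA, so that the management address is a through-the-box destination on a directly connected network rather than the ASA's own far-side interface address.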