ASA 5510 Management Interface is about worthless

Feb 19th, 2008

Guys, help me out here. What can this mgt interface be used for besides mgt? I can't use it for failover; I have to burn another port.


So out of 5 ports, I have only 3 I can use for inside/outside/DMZ, with 1 dedicated to A/S failover.


Why can't I set the mgt interface as DMZ2?


I need 4 ports plus failover. In the old PIX 515E/525 we had "ports to spare".


I think Cisco's response is purchase a $3,000 SSM-4GE. Arghhh, 3k for 1 port?


What am I missing here?


Thanks


tim.riegert Tue, 02/19/2008 - 13:35

If you don't require the dedicated Gbps per network, you could trunk multiple networks over the same physical link and then create the VLAN SVIs on the ASA. Many people may cringe at that idea, but it would definitely provide you more flexibility with the number of networks protected by the ASA. That is essentially the idea behind the FWSM (internal EtherChannel trunks b/n Cat6500 and FW blade).

adam.sellhorn Tue, 02/19/2008 - 14:01

I'm curious as to why this would make some admins "cringe" at the thought of combining DMZs on a single gig interface? It would seem like a waste to dedicate an expensive gig port to a single DMZ if that DMZ only required an average of a few Mbps... I only say this because I'm curious if there are ill effects that can occur by doing this, as I do it on my network.


Thanks for any input you can provide.

dmooreami Tue, 02/19/2008 - 14:07

If trying to do a quick 1-for-1 swap, then going to SVIs and other methods is time consuming. Especially if you have not done it before. ;)


I agree, burning a gig interface is crazy. What is more crazy is why Cisco doesn't offer a 4-port 10/100 Meg card for the ASA for about $400-800.00.

srue Tue, 02/19/2008 - 13:40
User Badges: Blue, 1500 points or more

Taken from the 7.2 documentation:

"The ASA 5510 and higher adaptive security appliance includes a dedicated management interface called Management 0/0, which is meant to support traffic to the security appliance. However, you can configure any interface to be a management-only interface using the management-only command. Also, for Management 0/0, you can disable management-only mode so the interface can pass through traffic just like any other interface."

dmooreami Tue, 02/19/2008 - 13:45

Good to know that is what the docs say. But try to use it as an interface for A/S failover... not supported. But isn't that passing traffic just like "any other interface"? :)


Has anyone used the mgt interface as a 3rd DMZ interface or an extranet interface for normal traffic?

abinjola Tue, 02/19/2008 - 13:53
User Badges: Cisco Employee

Management can work as a failover interface and also as a normal Ethernet interface.


You need the Security Plus license and the command no man-only to make it work like an Ethernet port.


I again reiterate: you can use the management port as a failover interface.
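
Putting tim.riegert's trunking idea and the management-only toggle from the 7.2 doc quote and abinjola's reply together, here is an added example ASA 5510 configuration that is not from this thread, the attached Cisco doc, or any poster's config. It shows one physical port carrying two DMZs as 802.1q subinterfaces, plus Management0/0 turned into a third DMZ. Interface names, VLAN IDs, the RFC 5737 addresses, security levels and the ACL name are all made-up assumptions; the Security Plus license requirement is taken from abinjola's reply above, not verified here.

```cisco
! Physical port used as an 802.1q trunk to the DMZ switch.
! Deliberately left without nameif: untagged frames arriving on the
! trunk are then dropped instead of landing in some default network.
interface GigabitEthernet0/2
 description trunk to DMZ switch (assumed port)
 no nameif
 no security-level
 no ip address
 no shutdown
!
! One subinterface per protected network; each gets its own nameif,
! security level and ACL exactly like a physical DMZ port would.
interface GigabitEthernet0/2.10
 vlan 10
 nameif dmz
 security-level 50
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/2.20
 vlan 20
 nameif dmz2
 security-level 40
 ip address 192.0.2.129 255.255.255.128
!
! Management0/0 repurposed as a data interface (Security Plus assumed,
! per abinjola). Once management-only is off it forwards through-traffic,
! so it needs the same ACL discipline as any other interface.
interface Management0/0
 no management-only
 nameif dmz3
 security-level 30
 ip address 198.51.100.1 255.255.255.0
 no shutdown
!
! Inbound policy for the new DMZ: only the web hosts may initiate,
! and everything else is denied and logged.
access-list dmz3_in extended permit tcp 198.51.100.0 255.255.255.0 any eq www
access-list dmz3_in extended deny ip any any log
access-group dmz3_in in interface dmz3
!
! Management access no longer comes in on Management0/0, so pin SSH
! to the interface you actually manage from (inside here, assumed).
ssh 10.0.0.0 255.255.255.0 inside
```

Two things to check after applying something like this: that the switch side tags every DMZ VLAN on the trunk (the ASA subinterfaces only accept tagged frames), and that your ssh/http/asdm statements no longer reference the old management network, since Management0/0 is now just another data interface.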

dmooreami Tue, 02/19/2008 - 14:03

I am almost sure Cisco does not support using the mgt interface as a failover interface. I read that somewhere. Will try and see where that info is...

adam.sellhorn Tue, 02/19/2008 - 14:09

For some reason I can use the management ports for failover on my 5510s but not my 5540s... This probably just adds to the confusion on this thread, but I thought it was important!

dmooreami Tue, 02/19/2008 - 14:12

Fantastic info to have! That would be where the confusion was on my side.


Cisco has a "here is how to use mgt as f/o, but not supported" doc around on the site somewhere.

adam.sellhorn Tue, 02/19/2008 - 14:19

Attached is the Cisco doc I used to set it up, along with my config for the Management0/0 interface. This only worked on my 5510s though, not my 5540s, for some reason. That could, of course, be something on my end though.

PRIMARY:
failover
failover lan unit primary
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover 10.254.254.5 255.255.255.252 standby 10.254.254.6

SECONDARY:
failover
failover lan unit secondary (default)
failover lan interface failover Management0/0
failover link failover Management0/0
failover interface ip failover 10.254.254.5 255.255.255.252 standby 10.254.254.6
