ASA 5520 Mngt0/0 Config

Unanswered Question
Feb 20th, 2008

We are getting ready to deploy 2 ASA 5520s to replace our PIXs. We were hoping to use the management interface on the ASAs. Currently we manage the PIXs via the inside interface. We have run into a problem that we cannot figure out. We have a lot of static routes that route the same IPs we will be using for management back through the inside interface. Is there some way we can configure the ASAs so that the traffic that hits the Management0/0 interface goes back out that interface instead of following the static routes back out the inside interface?

Thanks

abinjola Wed, 02/20/2008 - 21:25

Yes, you can. On ASA version 7.2.2 and above there is a U-turning feature that allows you to configure U-turning for clear-text traffic; you can route the traffic back out the same interface that it hits.

What is your precise requirement?

lsouthwood Thu, 02/21/2008 - 05:59

We want to do SSH and ASDM management to the management port using TACACS authentication. Both the management PCs and the TACACS servers are on the internal network, and static routes send their traffic through the 'inside' interface.

lsouthwood Thu, 02/21/2008 - 08:57

Forgot to say that we are on 8.0.2. Also, where can I get information on setting up U-turning? I don't see much of anything in the config guide.

Thanks

abinjola Thu, 02/21/2008 - 09:04

You mean the request would come all the way from

inside LAN --> inside interface --> management interface --> return back?

By U-turning I meant that source and destination need to be behind the management interface:

Request packet ---------------> Management
Return packet  <---------------

lsouthwood Thu, 02/21/2008 - 09:44

The request will come from the inside LAN, but will go directly to the management interface. Both the inside and management interfaces face the inside network.

inside LAN --> management interface --> return back

abinjola Thu, 02/21/2008 - 10:19

Inside LAN facing the management interface? Is there a loop between the inside interface and management? Not sure what your topology is, but as I said, U-turning would work without any issue:

static (management,management) <destination-ip> <destination-ip> netmask <mask>
nat (management) 1 0.0.0.0 0.0.0.0
global (management) 1 interface
same-security-traffic permit intra-interface

lsouthwood Thu, 02/21/2008 - 10:29

We are trying to prevent a loop. We have a route as such:

route inside 1.1.0.0 255.255.0.0 10.2.1.3 1

So, if my IP is 1.1.1.1, the traffic will hit the management interface and route back out the inside interface, right? What we want to happen is for the 1.1.0.0 IPs to hit the management interface and come back out that same interface.

lsouthwood Thu, 02/21/2008 - 13:03

OK, I tried putting the following commands into the config on our ASA:

static (management,management) 1.1.0.0 1.1.0.0 netmask 255.255.0.0
nat (management) 1 0.0.0.0 0.0.0.0
global (management) 1 interface
same-security-traffic permit intra-interface

Then I changed the route statement from "route inside 1.1.0.0 255.255.0.0 10.2.1.3 1" to "route management 1.1.0.0 255.255.0.0 192.2.1.3 1". After changing the route I could no longer access the management port or ping it. Right now we only have the management port connected to the network.

Did I do something wrong, or am I missing something?

abinjola Thu, 02/21/2008 - 14:16

Post your config here, and please let me know your source and destination IP.

lsouthwood Fri, 02/22/2008 - 07:19

The source IP (my PC) is 2.2.142.82 and the destination is the management interface which is 3.3.50.14. Here is the config when it works:

interface Management0/0
 nameif management
 security-level 100
 ip address 3.3.50.14 255.255.255.0 standby 3.3.50.15
 management-only
!
interface GigabitEthernet1/0
 nameif inside
 security-level 100
 ip address 1.1.58.9 255.255.255.0 standby 1.1.58.10
!
nat (inside) 0 0.0.0.0 0.0.0.0
static (inside,intf2) 2.2.0.0 2.2.0.0 netmask 255.255.0.0
static (inside,intf3) 2.2.0.0 2.2.0.0 netmask 255.255.0.0
static (inside,intf4) 2.2.0.0 2.2.0.0 netmask 255.255.0.0
static (inside,outside) 2.2.0.0 2.2.0.0 netmask 255.255.0.0
route outside 0.0.0.0 0.0.0.0 3.3.97.3 1
route management 2.2.0.0 255.255.0.0 3.3.50.3 1

Then I added the following lines:

static (management,management) 2.2.0.0 2.2.0.0 netmask 255.255.0.0
nat (management) 1 0.0.0.0 0.0.0.0
global (management) 1 interface
same-security-traffic permit intra-interface

And changed the route for the 2.2.0.0 subnet back to what it is on the production PIX:

route inside 2.2.0.0 255.255.0.0 1.1.58.3 1

Let me know if there is more of the config that would be helpful. I tried to only include what I thought would be most helpful.

abinjola Fri, 02/22/2008 - 07:45

Well, the source is 2.2.142.82, and as per the route "route inside 2.2.0.0 255.255.0.0 1.1.58.3 1" this source should be on inside. This will not work if the source is on inside and wants to manage the management interface.

U-turning is hitting an interface from a source behind it and then U-turning back out the same interface:

source1
   |
Router---switch--->(Inside)ASA
   |
   |
destination

Now in the above scenario source1 has the ASA inside interface as its default gateway and needs to access a destination which is also behind the ASA in another subnet; then U-turning comes into the picture.

What's your scenario? Where is your source coming from? Behind which interface?

Mark the source, destination and your configuration here (you may replace the last octet with x for security).

lsouthwood Fri, 02/22/2008 - 08:17

The source (2.2.142.82) is behind both the inside and management interfaces. Both interfaces face the internal network. All traffic on the internal network goes through the inside interface. The question is whether or not PCs on the internal network can also use the management interface too. Maybe a drawing would help. I have attached a jpg.
abinjola Fri, 02/22/2008 - 08:22

Well, add a static persistent route on your PC for 2.2.0.0, pointing it to the management interface.

lsouthwood Fri, 02/22/2008 - 09:15

Isn't that going to prevent the traffic that needs to go through the inside interface from getting to its destination? Besides, once I change the route statement from:

route management 2.2.0.0 255.255.0.0 3.3.50.3 1

to:

route inside 2.2.0.0 255.255.0.0 1.1.58.3 1

I can't even ping the management interface anymore. I assume that's because the replies are trying to go out the inside interface, which is NOT cabled up right now.

Currently we use the inside interface for management on our PIX. It sounds more and more like that is what we are going to have to do on the ASA as well.

abinjola Fri, 02/22/2008 - 15:02

Well, if you ping the management interface you will get a reply back from it; there is no routing involved here. Do you see ICMP packets reaching the management interface? Try "debug icmp trace".

lsouthwood Mon, 02/25/2008 - 06:15

On our production PIX we have the following route statement:

route inside 2.2.0.0 255.255.0.0 1.1.58.3 1

On the ASA, we only have the management interface connected to the network. I have to change the routing statement above to the one below to even be able to ping the management interface:

route management 2.2.0.0 255.255.0.0 3.3.50.3 1

NOTE: The two interfaces use different gateways on our 6509 switch.

lsouthwood,

I have exactly the same issue. See my attached jpg.

If host1 manages the ASA through the management interface, the return traffic comes back from the ASA through the inside interface, because the ASA appears to use the same routing table for the management interface as for all the firewall interfaces (i.e. the management interface does not appear to be a true out-of-band interface even with the management-only command). I was hoping to find some command that allows a default gateway to be set for the management interface only.

The end goal is for host1 to act as both a management station for the ASA (via Man0/0) and as a host that would access host2 through the firewall's normal interfaces. With only one routing table being used, this seems impossible (unless host1 is directly connected to the subnet of the management interface).

Fernando_Meza Tue, 06/24/2008 - 18:49

Hi,

I am afraid you can't achieve what you are trying to, because the ASA does not support VRF or policy-based routing type features. The only workaround I can see is adding a second NIC to the management host and placing it on the management segment for management purposes only. You would configure that second NIC without a default gateway so that all other traffic goes out the first NIC towards the inside interface of the firewall.

The other alternative, of course, is using the inside interface for management purposes as well as packet forwarding, the same as you are doing with your current PIX.

I hope it helps :-)
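Added illustration, not code from the thread or from Cisco: a small Python model of the single routing table the ASA consults for every interface, Management0/0 included, built from the sanitized addresses and route lines posted above. It shows why the reply to the management PC (2.2.142.82) leaves "inside" when the production "route inside 2.2.0.0/16" is kept, why moving that route to "management" makes the reply symmetric but also drags all return traffic for inside hosts in 2.2.0.0/16 out the management interface, and why the second-NIC workaround from the last post works: a NIC on the management segment (constructed address 3.3.50.77, an assumption) matches the connected /24, which beats the /16 regardless of which route line is in place.

```python
import ipaddress

# Added illustration, not ASA code: a toy model of the ONE routing table the ASA
# (8.0 in this thread) consults for every interface, Management0/0 included.
# Interface names and addresses are the sanitized ones posted in the thread.


class SingleRoutingTable:
    """Longest-prefix-match table shared by all interfaces (no per-interface or VRF table)."""

    def __init__(self):
        self.routes = []  # (network, egress interface, next hop or None for connected)

    def add_connected(self, ifname, addr_with_prefix):
        """Route the ASA installs automatically for an interface's own subnet."""
        net = ipaddress.ip_interface(addr_with_prefix).network
        self.routes.append((net, ifname, None))

    def add_static(self, ifname, network, next_hop):
        """Equivalent of 'route <ifname> <network> <mask> <next_hop>'."""
        self.routes.append((ipaddress.ip_network(network), ifname,
                            ipaddress.ip_address(next_hop)))

    def lookup(self, dst):
        """Most specific matching route, or None (no route: the ASA would drop the packet)."""
        dst = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None

    def egress(self, dst):
        """Interface a packet to dst leaves on, whoever originated it."""
        route = self.lookup(dst)
        return route[1] if route else None


def build_table(route_2_2_via):
    """ASA table from the thread; route_2_2_via picks which 'route' line covers 2.2.0.0/16."""
    t = SingleRoutingTable()
    t.add_connected("management", "3.3.50.14/24")   # Management0/0, management-only
    t.add_connected("inside", "1.1.58.9/24")        # GigabitEthernet1/0
    t.add_static("outside", "0.0.0.0/0", "3.3.97.3")
    if route_2_2_via == "inside":
        t.add_static("inside", "2.2.0.0/16", "1.1.58.3")       # production PIX route
    elif route_2_2_via == "management":
        t.add_static("management", "2.2.0.0/16", "3.3.50.3")   # route lsouthwood needed for ping
    else:
        raise ValueError(route_2_2_via)
    return t


def reply_interface(table, src):
    """Interface the ASA's own reply (SSH/ASDM/ICMP) to a packet from src leaves on.

    The management-only flag stops through-traffic; it does not give the
    interface its own table, so the reply is routed by destination like anything else.
    """
    return table.egress(src)


def reply_is_symmetric(table, ingress_if, src):
    """True when the reply leaves on the interface the request arrived on."""
    return reply_interface(table, src) == ingress_if


if __name__ == "__main__":
    pc = "2.2.142.82"  # management PC from the thread
    for via in ("inside", "management"):
        t = build_table(via)
        print(f"route {via} 2.2.0.0/16: request on management from {pc} -> "
              f"reply leaves {reply_interface(t, pc)}, "
              f"symmetric={reply_is_symmetric(t, 'management', pc)}; "
              f"return traffic for inside hosts in 2.2.0.0/16 leaves {t.egress(pc)}")
    # Workaround from the last post: a management-host NIC on the management
    # segment (constructed address 3.3.50.77); the connected /24 wins over the /16.
    print("host 3.3.50.77 via management NIC, route inside kept:",
          reply_is_symmetric(build_table("inside"), "management", "3.3.50.77"))
```

With "route inside" the reply to 2.2.142.82 is routed out inside, so with inside uncabled the ping never comes back, which matches what lsouthwood saw; with "route management" the ping works but every packet the ASA forwards back to a 2.2.0.0/16 host (for example, a reply from the outside) is now routed to the management interface, which is the conflict the thread describes. Only a source address that falls inside the management interface's own subnet is symmetric under both tables.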
