03-18-2008 02:08 PM - edited 03-11-2019 05:19 AM
Can someone tell me what best practice is for the management interface on the ASA platform? I had to disable the interface as it was attempting to route traffic during normal operation.
I thought that management-only meant that only specific traffic (http, ssl, snmp, etc.) coming from specific management workstations was allowed. I didn't expect the interface to try to pass traffic through. Is this "bad" behavior on the part of my man0/0 port, or is this normal?
Is there any way I can prevent the man0/0 interface from trying to route traffic? Or am I just stuck with having to disable man0/0 during normal operation?
Thanks
03-18-2008 03:38 PM
Hi,
The management-only option is used to allow management access to the ASA only. This means that it only allows traffic terminating at the interface. When an interface is configured as management-only, that interface can't be used for forwarding traffic from one interface to another.
You should be able to use the management interface for management purposes only without affecting the normal traffic which traverses the other interfaces !!!
Just make sure the m0/0 interface does indeed have the management-only command on it.
I hope it helps .. please rate it if it does !!
03-18-2008 09:38 PM
The m0/0 interface does in fact have management-only applied; however, it would appear that when I use the packet tracer utility it tries to route traffic via this interface (as it sees the shared management network as directly connected) instead of back through the proper path. It would seem that having the ASA appliance directly connected to a shared network may not be the proper method. Perhaps I am better suited to create a small network that the ASA appliances only sit in for management, instead of other devices such as HP iLO cards and DRAC cards which required FW access for AD integration, etc.
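Added example, not part of any post in this thread: a simplified longest-prefix route lookup that models the behavior discussed above, where a connected route on a shared management subnet wins the lookup and the management-only flag then blocks the through traffic. The interface names follow the thread; the addresses, route tables and function names are constructed assumptions, and this is a model, not ASA code.

```python
import ipaddress

# Constructed sample tables: (prefix, egress interface, management_only).
# SHARED: the management interface sits on the same subnet as iLO/DRAC cards.
SHARED = [
    ("0.0.0.0/0",     "outside",    False),  # default route
    ("10.10.0.0/16",  "inside",     False),  # static route to internal networks
    ("10.10.50.0/24", "management", True),   # connected, shared management subnet
]
# DEDICATED: the management interface moved to a small ASA-only subnet.
DEDICATED = [
    ("0.0.0.0/0",     "outside",    False),
    ("10.10.0.0/16",  "inside",     False),
    ("10.10.60.0/28", "management", True),   # connected, ASA-only subnet
]

def lookup(dst, routes):
    """Longest-prefix match: return (interface, management_only) for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname, mgmt_only in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname, mgmt_only)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]

def forward(dst, routes):
    """Decide the fate of a through-the-box packet destined to dst."""
    egress, mgmt_only = lookup(dst, routes)
    # A management-only interface only accepts traffic that terminates on it,
    # so a packet whose route points out of it cannot be forwarded.
    if mgmt_only:
        return ("drop", egress)
    return ("forward", egress)

if __name__ == "__main__":
    ilo = "10.10.50.20"  # constructed address of an iLO card
    print("shared   :", forward(ilo, SHARED))
    print("dedicated:", forward(ilo, DEDICATED))
```
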