ASA 5505 Management-only interface query

Unanswered Question
May 13th, 2008

Hi All,

If on an ASA 5505, Vlan2 is set for management-only and has an IP address, will it be possible to telnet to that interface via a VPN tunnel? Also, will that interface respond to SNMP queries?

Please suggest.

Thank you

MS

JORGE RODRIGUEZ Tue, 05/13/2008 - 18:45

MS, if you set the interface to management-only it will not pass regular traffic through the interface, other than management protocols, SNMP etc.

In fact I have tested this in my lab by enabling management-only on the Vlan1 inside interface; this is what I get for outbound traffic. Once I removed the command, traffic resumed normally.

4 May 13 2008 22:41:13 418001 172.27.1.2 204.69.199.39 Through-the-device packet to/from management-only network is denied: tcp src inside:172.27.1.2/1586 dst outside:204.69.199.39/80

See the management-only section:

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/int5505.html

You should be able, without the use of management-only, to poll SNMP information from the firewall.

As for telnetting to the firewall through the VPN tunnel, simply issue the management-access inside statement on the firewall to telnet through the inside interface of the firewall.

You could configure the firewall's outside interface for SSH access and be able to manage the firewall via SSH without a VPN tunnel.

HTH

-Jorge
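
The two pieces of advice in the reply above (management-access inside for telnet through the tunnel, and SSH on the outside interface without a tunnel), written out as an added configuration example. This is not from the original post or from Cisco documentation; it is ASA 7.2-era CLI for an ASA 5505 with assumed names and addresses: inside is Vlan1 at 10.0.0.1/24, outside is Vlan2 at 203.0.113.2/24, a remote-access VPN client pool of 192.168.50.0/24, an administrator source network of 198.51.100.0/24 and an SNMP server at 10.0.0.50. The account password and SNMP community are placeholders.

```cisco
! Added example, not the original poster's configuration. Names, addresses,
! the admin password and the SNMP community are all assumed placeholders.
hostname asa5505
domain-name example.com

! Local admin account plus AAA so SSH and telnet ask for a username instead
! of the shared enable/passwd string.
username admin password S3cretP4ss privilege 15
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL

! Answer management sessions on the inside address (10.0.0.1) for traffic
! that arrives through a VPN tunnel terminated on outside. Only one
! interface can be named here.
management-access inside

! Telnet is not allowed on the lowest-security interface (outside), so it
! is permitted only toward the inside address, from the LAN and from the
! VPN client pool whose sessions come in through the tunnel.
telnet 10.0.0.0 255.255.255.0 inside
telnet 192.168.50.0 255.255.255.0 inside
telnet timeout 5

! SSH without a VPN tunnel: generate the RSA host key, then restrict SSH on
! outside to the administrator's public source network only.
crypto key generate rsa modulus 2048
ssh 198.51.100.0 255.255.255.0 outside
ssh 10.0.0.0 255.255.255.0 inside
ssh version 2
ssh timeout 10

! SNMP polling from the LAN needs no management-only interface. The ASA
! answers polls only from hosts listed in snmp-server host, on that interface.
snmp-server host inside 10.0.0.50 poll community N0tPublic version 2c
snmp-server community N0tPublic
```

To check it, `show running-config management-access` should list `inside`, and from a connected VPN client `telnet 10.0.0.1` should get the username prompt; from the SNMP server, `snmpwalk -v2c -c N0tPublic 10.0.0.1 sysDescr` (net-snmp syntax) should return the ASA description, while the same poll from an unlisted host is silently dropped. Keep the SSH subnet on outside as narrow as possible, since that line is what exposes the management plane to the Internet.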

mvsheik123 Wed, 05/14/2008 - 02:58

Hi Jorge,

As always, thank you for your time and reply. I am looking to dedicate an interface on the ASA only for management purposes and the rest for Internet access only. So with management ONLY, what kind of protocols/traffic will the interface allow? Also, will the SNMP server be able to reach this interface via an EZVPN tunnel?

regards

MS

JORGE RODRIGUEZ Wed, 05/14/2008 - 05:41

Hi MS,

The management-only interface will only allow SNMP and management protocols. I read a link long ago about the exact management protocols but cannot find that link; if I recall correctly it allows SNMP, NTP, TFTP and a few others that I can't remember, but it will not allow regular traffic like HTTP etc. In other words, the management-only interface will not be like a real routed interface but dedicated to management.

The higher models do have a dedicated management interface. On these higher models, when using the management interface you are not sacrificing another interface for that purpose.

Now, if you have the Security Plus license you could create sub-interfaces via 802.1q trunking and have a sub-interface dedicated as a management-only interface. The Security Plus license supports up to 20 SVIs or VLANs, so literally this is feasible: create a sub-interface and do it that way for this particular model.

I do not see why the management-only interface could not be reachable through a VPN tunnel, as long as there is an access-list permitting the source to query the management interface for stats.

I would have liked to test this scenario, but my firewall has the basic 10-user Base license and firewall trunking is disabled. I'm almost 100% positive, though, that management through a sub-interface is totally feasible.

If anyone in the forum has tried it, we would like to hear from you.

Rgds

-Jorge
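
The dedicated management VLAN discussed in the reply above, as an added configuration example (not from the original posters and not Cisco's own documentation). On the ASA 5505 the "802.1q sub-interface" is a `interface VlanN` carried on a switch port set to trunk mode, which is what the Security Plus license enables; the example assumes that license, an upstream switch on Ethernet0/1 carrying VLANs 1 and 3, and the rest of the EZVPN configuration (the `vpnclient` or tunnel-group setup) already in place and terminating on the outside interface. Addresses, the SNMP server at 192.168.50.10 on the far side of the tunnel, and the community string are placeholders.

```cisco
! Added example, not the original poster's configuration. All names,
! addresses and the community string are assumed placeholders.
interface Vlan1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
! Third VLAN dedicated to management. management-only makes the ASA drop any
! through-the-box traffic on it (the 418001 syslog quoted earlier), but the
! ASA itself still answers SSH, telnet, ASDM and SNMP on 192.168.100.1.
interface Vlan3
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0
 management-only
!
! Outside stays an access port in VLAN 2.
interface Ethernet0/0
 switchport access vlan 2
 no shutdown
!
! One port carries inside (VLAN 1) and management (VLAN 3) as an 802.1q
! trunk toward the switch. Trunk mode requires the Security Plus license.
interface Ethernet0/1
 switchport trunk allowed vlan 1,3
 switchport mode trunk
 no shutdown
!
! Let the SNMP server and administrators behind the EZVPN tunnel reach the
! management address. management-access names a single interface, so here it
! is the management VLAN rather than inside.
management-access management

! Management sessions to the management address only, from the management
! LAN and from the remote site (192.168.50.0/24) reached over the tunnel.
ssh 192.168.100.0 255.255.255.0 management
ssh 192.168.50.0 255.255.255.0 management
ssh version 2

! SNMP poller at the far end of the tunnel. The interface named here is the
! one named in management-access, assumed to be what the ASA expects for a
! poller that arrives through the tunnel.
snmp-server host management 192.168.50.10 poll community N0tPublic version 2c
snmp-server community N0tPublic
```

Verify with `show interface Vlan3` (it should report `Management only`), `show switch vlan` for the trunk membership, and a poll of 192.168.100.1 from 192.168.50.10 once the tunnel is up. Without Security Plus the 7.2 5505 guide still allows a third VLAN on the Base license on its own access port, provided it is given `no forward interface Vlan1` (it may not initiate traffic to one other VLAN); since management-only already blocks all through-traffic, that restricted VLAN is enough for a management-only interface, only the trunk port is off the table.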
