I have the following setup on our network:
ASA5540 SSM-20 AIP module, 10.255.x.x
PIX Firewall <===>ASA5540 Management, 10.255.x.x
Router<===> ASA5540 Firewall <===> Internet (Cisco updates)
The only access to/from the 10.255.x.x network is from specific Network staff computers, and to the Cisco IPS update site.
Staff computers are translated into local 10.255.x.x IP;s, the Cisco update IP is allowed through (static to itself)
The issue is that since there is already a Route to the 10.255.x.x network, (Management interface directly connected for the ASA5540) there is no "return path" for the updates. (packets are dropping in the ASA5540 on return from Cisco.)
I do NOT want direct access from the ASA Outside or Inside interfaces to the Management interface, rather it should flow through the Inside network, through the Router, through the PIX, to the ASA SSM module.
How can I get the auto-update to work in this scenario?
Thanks in advance