ASA Management Interface Routing Design Problem

Unanswered Question
Apr 3rd, 2009

Hello,

I have the following problem: I am using a management-only interface on ASA 5520 with v8.0.4 software. This management interface is directly connected to a management inside network. The ASA is successfully managed through that interface, but there are also a couple of routers outside that ASA, that should log to a host, that is in that same management network.

Because the directly connected interface is a management-only one, I could not do that. (The ASA is logging the following message: "Through-the-device packet to/from management-only network is denied")

Please, share knowledge and advice me how to solve this issue. I want to use the Management IF for management.

Have a nice day!

JORGE RODRIGUEZ Fri, 04/03/2009 - 16:20

Hi Kliment, I was able to look this up for you; sometimes these error codes provide some hints.

If my memory serves me well, the management-only interface is limited to management traffic, specific to management protocols, which I do not recall right now. But when the interface is a management-only interface it will not behave as other routed interfaces do, meaning it will not route traffic traversing that interface, in your case from outside hosts to the management-only inside hosts.

You could try configuring "no management-only" under that interface.

Message 418001

Error Message %PIX|ASA-4-418001: Through-the-device packet to/from management-only network is denied: protocol_string from interface_name IP_address (port) to interface_name IP_address (port)

Explanation: A packet from the specified source to the destination is dropped because it is traversing the security appliance to/from the management-only network.

• protocol_string - TCP, UDP, ICMP, or the protocol ID as a decimal number

• interface_name - Interface name

• IP_address - IP address

• port - Port number

Recommended Action: Investigate who is generating such packets and why.

http://www.cisco.com/en/US/docs/security/asa/asa80/system/message/logmsgs.html
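The recommended action for 418001 is to find out who is generating the dropped packets. The following parser is an added example (not from the thread or from Cisco) that pulls the fields out of the documented message layout quoted above and tallies the drops by source, destination, protocol and destination port, so a syslog export can be triaged for the stray flows. The log lines are constructed to match the documented layout; the `(port)` groups are treated as optional so ICMP or numeric-protocol drops, which carry no port, are not silently skipped.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Regular expression built from the documented layout of %ASA-4-418001:
#   protocol_string from interface_name IP_address (port) to interface_name IP_address (port)
# The "(port)" groups are optional so ICMP / numeric-protocol drops still parse.
MSG_418001 = re.compile(
    r"%(?:PIX|ASA)-4-418001:\s*Through-the-device packet to/from management-only\s+"
    r"network is denied:\s*(?P<proto>\S+)\s+from\s+(?P<src_if>\S+)\s+(?P<src_ip>[0-9a-fA-F.:]+)"
    r"(?:\s*\((?P<src_port>\d+)\))?\s+to\s+(?P<dst_if>\S+)\s+(?P<dst_ip>[0-9a-fA-F.:]+)"
    r"(?:\s*\((?P<dst_port>\d+)\))?"
)


def parse_418001(line):
    """Return a dict with the drop's fields, or None if the line is not a well-formed 418001 message."""
    m = MSG_418001.search(line)
    if not m:
        return None
    d = m.groupdict()
    # Reject malformed addresses so a garbled line cannot pollute the tallies.
    try:
        ip_address(d["src_ip"])
        ip_address(d["dst_ip"])
    except ValueError:
        return None
    d["src_port"] = int(d["src_port"]) if d["src_port"] else None
    d["dst_port"] = int(d["dst_port"]) if d["dst_port"] else None
    return d


def summarize_drops(lines):
    """Tally drops by (source IP, destination IP, protocol, destination port), most frequent first."""
    counts = Counter()
    for line in lines:
        d = parse_418001(line)
        if d:
            counts[(d["src_ip"], d["dst_ip"], d["proto"].lower(), d["dst_port"])] += 1
    return counts.most_common()


# Constructed sample lines (hypothetical hosts, not from the thread) following the documented layout:
# two routers on the outside sending syslog (UDP/514) to a collector on the management-only network,
# one ICMP probe without ports, and one unrelated message that must be ignored.
SAMPLE_LOG = [
    "Apr 03 2009 16:20:01 asa1 : %ASA-4-418001: Through-the-device packet to/from management-only "
    "network is denied: UDP from outside 198.51.100.7 (49152) to management 192.0.2.10 (514)",
    "Apr 03 2009 16:20:02 asa1 : %ASA-4-418001: Through-the-device packet to/from management-only "
    "network is denied: UDP from outside 198.51.100.7 (49152) to management 192.0.2.10 (514)",
    "Apr 03 2009 16:20:03 asa1 : %ASA-4-418001: Through-the-device packet to/from management-only "
    "network is denied: UDP from outside 198.51.100.8 (49153) to management 192.0.2.10 (514)",
    "Apr 03 2009 16:20:04 asa1 : %ASA-4-418001: Through-the-device packet to/from management-only "
    "network is denied: ICMP from outside 198.51.100.7 to management 192.0.2.10",
    "Apr 03 2009 16:20:05 asa1 : %ASA-6-302013: Built outbound TCP connection 12 for outside:"
    "198.51.100.9/443 (198.51.100.9/443) to inside:10.0.0.5/40000 (10.0.0.5/40000)",
]

if __name__ == "__main__":
    for (src, dst, proto, dport), n in summarize_drops(SAMPLE_LOG):
        print(f"{n:4d}  {src} -> {dst}  {proto}  dport={dport}")
```

Feeding the parser a real syslog export ranks the talkers hitting the management-only network, which is the quickest way to confirm that the drops are the expected router-to-collector syslog flows (UDP/514 from the outside routers) rather than something unexpected before deciding on a routing change.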

kimby200602 Sun, 04/05/2009 - 22:20

Hi jorgemsce,

Thank you for the reply, but I was looking for a design solution to prevent those devices from logging through the management-only interface. I want to keep my interface in the management-only state and still have the logging capability in the inside management network.

I am attaching the network topology that I am using now.

Please suggest some design changes so I could achieve those goals. I was thinking of using multiple contexts, but then I would not be able to make VPNs on the ASA. The other possible solutions I was thinking of are a VRF for management or policy-based routing, but the ASA does not provide them. Do you have any other suggestions?

Thank you in advance. Have a nice day!

P.S. Right now I am using the workaround of making an explicit route with a /32 mask on the ASA through the core switch to the logging server, but this way I am making the management-only interface unusable, because the management is also done through the inside interface.

kimby200602 Thu, 06/02/2011 - 00:13

Hi all,

This design problem is solved on the N7K by placing the management port in a VRF. Since the ASA does not support VRF (as far as I know), this is currently not possible. I hope this will be developed in future releases, as well as some other very useful features available in IOS, like loopback interfaces, PBR, EasyVPN VTI and so on.

Cisco is evolving its firewalls very fast; I hope that customer recommendations will be important enough to make those features available.

Thank you all for the useful advice so far.

Kliment
