ASA Transparent mode use of Management Only Interface

Unanswered Question
May 11th, 2009

I find the term management ip address a bit confusing when there is a management interface.

I have the firewall in transparent mode and a global ip address assigned to it. All is working as expected.

What I can't seem to get working is the Management Only Interface. I must be missing something simple.

I don't see where routes can be assigned to it and I don't see where there are ACLs for it.

Does the management interface ip address have to be in a different network than the global ip address?

All the sample configurations seem to avoid the management interface.

Thank you!


nyroctodd Tue, 05/12/2009 - 06:51

Unfortunately, this is the article I find confusing. I have it working already using the global (management) IP address in single context mode (inside and outside interface).

Now I would like to use the Management 0/0 interface in Management Only mode for exclusive management access to the firewall.

I'm still struggling a bit with the Layer 2 firewall idea (much like a SonicWall in bridge mode).

The idea is to have a secured zone where management interfaces for all kinds of security devices live (firewalls, IPS, ...).

How do I configure the management Only interface? Can I just give an ip and mask and expect it to work?

Do I add ACLs to use this interface if it is in Management Only?

Does it need a route where it is not inline? Does it need a gateway address someplace?


handsy Tue, 05/12/2009 - 11:28

Ah OK.

Further research brought me to this page:

Particular interest should be paid to the 'Usage Guidelines' section, 2nd paragraph.

Quote: "Transparent firewall mode allows only two interfaces to pass through traffic; however, on the ASA 5510 and higher adaptive security appliance, you can use the Management 0/0 interface (either the physical interface or a subinterface) as a third interface for management traffic. The mode is not configurable in this case and must always be management-only. You can also set the IP address of this interface in transparent mode if you want this interface to be on a different subnet from the management IP address, which is assigned to the security appliance or context, and not to individual interfaces."
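As an added illustration of the arrangement the quoted guideline describes (this is not configuration from the thread, from the linked Cisco page, or from any participant), the following ASA configuration puts the bridged inside/outside pair on one subnet with the global management IP, and Management 0/0 on a separate, management-only subnet. Every address, the hostname, and the hypothetical management network 10.20.0.0/16 are assumptions; the syntax is ASA 8.x-era and should be checked against the command reference for the software version actually running.

```cisco
! Added example (not from the thread): ASA 5510 in transparent mode with
! Management0/0 as the third, management-only interface on its own subnet.
! All addresses and names below are assumed values.
firewall transparent
hostname asa-tp
!
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Third interface: per the quoted guideline its mode is fixed to
! management-only on the 5510 and higher, so the line only restates that.
! Its IP sits on a different subnet from the global management IP.
interface Management0/0
 nameif management
 security-level 100
 management-only
 ip address 10.10.10.5 255.255.255.0
 no shutdown
!
! Global management IP: in transparent mode it belongs to the appliance
! (or context), not to inside or outside, and is in the bridged subnet.
ip address 192.168.1.5 255.255.255.0
!
! Routes matter only for traffic the ASA itself originates; through
! traffic is bridged at Layer 2. One route per management path (assumed
! next hops).
route outside 0.0.0.0 0.0.0.0 192.168.1.1
route management 10.20.0.0 255.255.0.0 10.10.10.1
!
! To-the-box management is permitted per interface with ssh/http
! statements rather than access-lists applied to the interface. Only the
! management interface is listed, so the bridged pair accepts no SSH/HTTP.
! (Assumes an RSA key has already been generated for SSH.)
ssh 10.20.0.0 255.255.0.0 management
http server enable
http 10.20.0.0 255.255.0.0 management
```

The two `route` statements answer the "does it need a gateway" question for traffic the firewall itself sends: one via the bridged subnet, one via the management subnet. Omitting `ssh`/`http` entries for inside and outside is what confines management access to Management 0/0.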

nyroctodd Wed, 05/13/2009 - 05:28

Is this one OR the other, but not both?

And do you think this means that the Management Only Interface MUST be on a different subnet than the global address?

Is anyone actually doing this?