ASA Transparent mode use of Management Only Interface

Unanswered Question
May 11th, 2009

I find the term management ip address a bit confusing when there is a management interface.


I have the firewall in transparent mode and a global ip address assigned to it. All is working as expected.


What I can't seem to get working is the Management Only Interface. I must be missing something simple.


I don't see where routes can be assigned to it and I don't see where there are ACLs for it.


Does the management interface ip address have to be in a different network than the global ip address?


All the sample configurations seem to avoid the management interface.


Thank you!


nyroctodd

nyroctodd Tue, 05/12/2009 - 06:51

Unfortunately, this is the article I find confusing. I have it working already using the global (management) IP address in single context mode (inside and outside interface).


Now I would like to use the Management 0/0 interface in Management Only mode for exclusive management access to the firewall.


I'm still struggling a bit with the Layer 2 firewall idea (much like a SonicWall in bridge mode).


The idea is to have a secured zone where management interfaces for all kinds of security devices live (firewalls, ips, ...)


How do I configure the Management Only interface? Can I just give it an IP and mask and expect it to work?


Do I add ACLs to use this interface if it is in Management Only?


Does it need a route where it is not inline? Does it need a gateway address someplace?


Thanks


handsy Tue, 05/12/2009 - 11:28

Ah OK.

Further research brought me to this page:

http://www.cisco.com/en/US/customer/docs/security/asa/asa80/command/reference/m.html#wp1973887


Particular interest should be paid to the 'Usage Guidelines' section, 2nd paragraph.

Quote: "Transparent firewall mode allows only two interfaces to pass through traffic; however, on the ASA 5510 and higher adaptive security appliance, you can use the Management 0/0 interface (either the physical interface or a subinterface) as a third interface for management traffic. The mode is not configurable in this case and must always be management-only. You can also set the IP address of this interface in transparent mode if you want this interface to be on a different subnet from the management IP address, which is assigned to the security appliance or context, and not to individual interfaces. "
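
The configuration below is an added example based on the guideline quoted above; it is not from this thread, the linked command reference, or any Cisco sample. It shows an ASA 8.0 single-context transparent firewall with the global management IP on one subnet and Management 0/0 as the third, management-only interface on a different subnet, with its own static route and with SSH, ASDM and syslog bound to it. Hostname, interface names and all addresses are assumed placeholders; check the command syntax against the command reference for the release actually in use.

```text
! Added example, not from the original thread or Cisco documentation.
! ASA 8.0, single context, transparent mode. All addresses are assumed.
firewall transparent
hostname asa-tfw
!
! The two through-traffic interfaces carry no IP address in transparent mode.
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100
!
! Global management IP: assigned to the appliance/context, not to inside or outside.
ip address 10.1.1.5 255.255.255.0
! Gateway for traffic sourced from the global management IP (assumed address).
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
!
! Management 0/0 as the third interface. Per the quoted guideline, in transparent
! mode it is always management-only and may sit on a different subnet than the
! global management IP (192.168.100.0/24 here, assumed).
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.100.5 255.255.255.0
 management-only
!
! Specific (not default) route for the admin workstation subnet behind the
! management gateway, so it does not compete with the default route on outside.
route management 192.168.200.0 255.255.255.0 192.168.100.1 1
!
! To-the-box management access is controlled by these commands rather than by
! interface ACLs; restrict each service to the management interface and subnets.
ssh 192.168.100.0 255.255.255.0 management
ssh 192.168.200.0 255.255.255.0 management
http server enable
http 192.168.200.0 255.255.255.0 management
logging enable
logging host management 192.168.100.50
```

Because the Management 0/0 interface is management-only, it never forwards transit traffic between inside and outside; the ssh, http and logging lines above are what decide which hosts can reach the firewall itself through it.
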

nyroctodd Wed, 05/13/2009 - 05:28

Is this one OR the other, but not both?


And do you think this means that the Management Only Interface MUST be on a different subnet than the global address?


Is anyone actually doing this?
