ASA Transparent mode use of Management Only Interface

nyroctodd
Level 1

I find the term management ip address a bit confusing when there is a management interface.

I have the firewall in transparent mode and a global ip address assigned to it. All is working as expected.

What I can't seem to get working is the Management Only Interface. I must be missing something simple.

I don't see where routes can be assigned to it and I don't see where there are ACLs for it.

Does the management interface ip address have to be in a different network than the global ip address?

All the sample configurations seem to avoid the management interface.

Thank you!

nyroctodd

4 Replies

Unfortunately, this is the article I find confusing. I have it working already using the global (management) IP address in single context mode (inside and outside interface).

Now I would like to use the Management 0/0 interface in Management Only mode for exclusive management access to the firewall.

I'm still struggling a bit with the Layer 2 firewall idea (much like a SonicWall in bridge mode).

The idea is to have a secured zone where management interfaces for all kinds of security devices live (firewalls, ips, ...)

How do I configure the management Only interface? Can I just give an ip and mask and expect it to work?

Do I add ACLs to use this interface if it is in Management Only?

Does it need a route where it is not inline? Does it need a gateway address someplace?

Thanks

Ah OK.

Further research brought me to this page:

http://www.cisco.com/en/US/customer/docs/security/asa/asa80/command/reference/m.html#wp1973887

Particular interest should be paid to the 'Usage Guidelines' section, 2nd paragraph.

Quote: "Transparent firewall mode allows only two interfaces to pass through traffic; however, on the ASA 5510 and higher adaptive security appliance, you can use the Management 0/0 interface (either the physical interface or a subinterface) as a third interface for management traffic. The mode is not configurable in this case and must always be management-only. You can also set the IP address of this interface in transparent mode if you want this interface to be on a different subnet from the management IP address, which is assigned to the security appliance or context, and not to individual interfaces."

Is this one OR the other, but not both?

And do you think this means that the Management Only Interface MUST be on a different subnet than the global address?

Is anyone actually doing this?
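For readers with the same question, here is an added configuration sketch (not the poster's config and not taken from the Cisco page linked above) of what the quoted guideline describes: a transparent-mode ASA 8.0 with its global management IP on the bridged subnet, plus Management 0/0 forced to management-only on a separate out-of-band subnet, with SSH/ASDM access restricted to that interface. All addresses, interface names and the route syntax for the management interface are assumptions to check against the command reference for your release.

```cisco
! Added example (not from the thread): ASA 8.0 transparent mode with
! Management 0/0 as a third, management-only interface on its own subnet.
! All addresses and names are constructed placeholders.
firewall transparent
hostname asa-tfw
!
! The two through-traffic interfaces carry no IP address in transparent mode
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Global "management IP": assigned to the appliance, not to an interface,
! and it lives in the subnet that is bridged between inside and outside
ip address 10.1.1.10 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.1.1.1
!
! Management 0/0: always management-only in transparent mode, and it may
! take its own address on a different subnet (the out-of-band management zone)
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.100.10 255.255.255.0
 management-only
 no shutdown
!
! Route back to remote management stations via the management subnet's
! gateway (assumed syntax; verify for your release)
route management 192.168.0.0 255.255.0.0 192.168.100.1
!
! Administrative access is permitted only from the management subnet and
! only on the management interface; nothing is opened on inside/outside
ssh 192.168.100.0 255.255.255.0 management
ssh version 2
http server enable
http 192.168.100.0 255.255.255.0 management
```

The global IP stays on the bridged subnet for the through-traffic pair, while the management-only interface keeps its own subnet, so the two do not need to share a network.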
