Can ping ASA5510 management0/0, but can't telnet or https to it

Sep 9th, 2009

ASA5510 is connected as the following:

outside -- WAN router. (security level 0)

dmz -- DMZ switch. (security level 50)

inside -- Core switch Vlan 10. (security level 100)

management -- Core switch Vlan100. (security level 100)

int management0/0

nameif management

security-level 100

ip address


management-access management

http server enable

http management

telnet management

I can ping and telnet from internal hosts to outside routers, and DMZ hosts. I can also ping from internal to ASA management port, but can't telnet or https to the management interface.

What could be the reasons? How does ASA know it should direct internal management traffic through the management port instead of the inside port?

Thanks a lot

m.reay Wed, 09/09/2009 - 08:18

you need to configure telnet and http access from the inside interface.

http management

telnet management

the above commands allow http and telnet access from hosts on the network coming from the management interface.

you need similar to allow hosts access from the inside interface

eg telnet n.n.n.n m.m.m.m inside

gwhuang5398 Wed, 09/09/2009 - 18:31

Thanks. I know "http inside" and "telnet inside" work if I telnet or https from internal to ASA inside interface.

My confusion is if I have to do "telnet n.n.n.n m.m.m.m inside", what's the purpose of having a management interface? I can just use inside interface as the management address.


m.reay Thu, 09/10/2009 - 03:14

That's your decision, but using the management-interface command is the only way to ping or telnet through the ASA.

dcambron Thu, 09/10/2009 - 06:49


http management

telnet management



telnet INSIDE

If the source is in the side and is in the inside



gwhuang5398 Thu, 09/10/2009 - 19:24

Thanks all for the help. I'll just use telnet internal-networks INSIDE, instead of telnet .... management. I can pretty much just shut down the management0/0 port, since I can't use it for telnet or ssh or http.

I'm just wondering what can make management0/0 work as a true out-of-band management interface. I couldn't find a good example in any Cisco documentation.

Thanks again.

apdatasoft Fri, 09/11/2009 - 05:48

Hi gwhuang5398,

But have you done the routing on the management interface? Does the ASA understand which IPs you will be using to access the ASA over the management interface?



gwhuang5398 Fri, 09/11/2009 - 06:18

Good question. I thought about that too but didn't come up with a good solution.

I'm running OSPF between ASA inside and core switch, pretty straightforward. So ASA knows all internal networks through the inside interface.

ASA management0/0 is directly cabled to core switch, in a different vlan. I have tried putting management0/0 into OSPF and leaving it out of OSPF. In either case, it seems the ASA always tried to return traffic back to internal networks through the inside interface. If that's the reason " telnet or http . . . . management" didn't work, I may have to specify a static route on the ASA so that management traffic to internal "management subnet" goes through management0/0. So far I was unwilling to limit it just to the "management subnets".

Does it make sense to you?


apdatasoft Fri, 09/11/2009 - 06:32

Hi gwhuang,

Great! You have the answer for yourself: a simple static route on the management interface specific to the management IPs does the job.

I hope I am not wrong with the conclusion I made.
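
The return-path behaviour discussed in the last few posts, as an added example that is not part of the original thread: a small Python model of longest-prefix route selection, showing that replies to a management workstation leave via inside until a more specific static route points at management. All addresses, the OSPF summary route and the function names are constructed assumptions; the administrative distances are the usual Cisco defaults (connected 0, static 1, OSPF 110).

```python
import ipaddress
from typing import NamedTuple, Optional

class Route(NamedTuple):
    prefix: ipaddress.IPv4Network
    interface: str
    admin_distance: int  # connected=0, static=1, OSPF=110

def route(prefix: str, interface: str, admin_distance: int) -> Route:
    return Route(ipaddress.ip_network(prefix), interface, admin_distance)

def egress_interface(dst: str, table: list) -> Optional[str]:
    """Pick the interface used to reach dst: longest prefix wins,
    then the lowest administrative distance breaks ties."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.prefix]
    if not candidates:
        return None
    best = max(candidates, key=lambda r: (r.prefix.prefixlen, -r.admin_distance))
    return best.interface

def return_path_matches(client: str, ingress: str, table: list) -> bool:
    """True when the reply to client would leave through the interface
    the request arrived on (the symmetric case the thread is after)."""
    return egress_interface(client, table) == ingress

# Constructed routing table: management and inside are both cabled to the
# core switch, and OSPF on inside advertises all internal networks.
BASE_TABLE = [
    route("10.0.100.0/24", "management", 0),  # connected, Vlan100
    route("10.0.10.0/24", "inside", 0),       # connected, Vlan10
    route("10.0.0.0/8", "inside", 110),       # learned via OSPF on inside
]
ADMIN_HOST = "10.0.50.7"  # constructed management workstation

# Same table plus a static route for the management subnet via management0/0.
WITH_STATIC = BASE_TABLE + [route("10.0.50.0/24", "management", 1)]

if __name__ == "__main__":
    for name, table in (("OSPF only", BASE_TABLE), ("with static", WITH_STATIC)):
        print(f"{name}: reply to {ADMIN_HOST} leaves via "
              f"{egress_interface(ADMIN_HOST, table)}; symmetric on management: "
              f"{return_path_matches(ADMIN_HOST, 'management', table)}")
```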



