General ASA 5550 Config Question

Apr 20th, 2010

I have a 5550 running in Transparent mode.  The purpose of using Transparent mode was so I could insert it between the external router (going to the internet) and the layer 3 switch (connecting to the users).  Both of these devices share a /30 network.  The documentation for the ASA 5550 says that "The management IP address must be on the same subnet as the connected network."  It also states that "If the management IP address is not configured, transient traffic does not pass through the transparent firewall."  I noticed after I configured an IP address for the management 0/0 interface that there was still an option in the ASDM to configure a management IP.  Can I still use the same IP I configured on the management 0/0 interface?

francisco_1 Tue, 04/20/2010 - 05:36

My understanding is a management IP address is required for management only. The ASA uses the IP as a source address for packets originating on the ASA, such as AAA and SNMP messages. The management IP address must be on the same subnet as the connected network since the ASA is not doing any routing lookup.


Francisco

gdrandles Tue, 04/20/2010 - 06:39

So I can go into the ASDM>Configuration>Properties and remove the Management IP Address as long as I have the IP configured on the Management Interface 0/0?  Since the firewall is running in Transparent mode, can I manage it from the outside?

francisco_1 Tue, 04/20/2010 - 07:34

The IP address is not assigned to an interface or bound to any interface. Management should work from either direction.

gdrandles Tue, 04/20/2010 - 08:37

I think that is the problem I have with not being able to manage it from the outside.  Since I placed it on an existing /30 network, there was no IP available, which is why I went with transparent and assigned the IP to the management interface.  I guess I will have to redesign that part of the network to include an IP for the ASA.
