General ASA 5550 Config Question

gdrandles · ‎04-20-2010

I have a 5550 running in Transparent mode. The purpose of using Transparent mode was so I could insert it between the external router (going to the internet) and the layer 3 switch (connecting to the users). Both of these devices share a /30 network. The documentation for the ASA 5550 says that "The managment IP address must be on the same subnet as the connected network." It also states that "If the managment IP address is not configured, transient traffic does not pass through the transparent firewall." I noticed after I configured an IP address for the managment 0/0 interface that there was still an option in the ADSM to configure a managment IP. Can I still use the same IP I configured on the management 0/0 interface?

francisco_1 · ‎04-20-2010

My understanding is a management IP address is required for management only. The ASA uses the IP as a source address for packet originated on the ASA such as AAA, SNMP messages. The Management IP address must be on the same subnet as the connected network since the ASA is not doing any routing lookup.

Francisco

gdrandles · ‎04-20-2010

So I can go into the ASDM>Configuration>Properties and remove the Management IP Address as long as I have the IP configured on the Management Interface 0/0? Since the firewall is running in Transparent mode, can I manage it from the outside?

francisco_1 · ‎04-20-2010

the ip address is not assigned to an interface or bind to any interface. management should work from either direction.

gdrandles · ‎04-20-2010

I think that is the problem that I have not being able to manage it from the outside. Since I placed it on an existing /30 network there was no IP avaialbe which is why I went with transparent and assigned the IP to the management interface. I guess I will have to redesign that part of the network to include an IP for the ASA.