I am implementing an ASA 5510 for SSL AnyConnect client RAS only. It will be part of an existing firewall infrastructure.
The ASA has a public internet (outside) interface to set up a VPN tunnel and should route all the RAS users' traffic to the internal network via the "inside" interface, which is in a DMZ subnet of an existing firewall, where access filtering takes place.
In other words, the ASA has two addresses: one public (global) for access from outside (on par with the outside interface of the existing firewall, just behind the router) and the other from a different segment (global, but it doesn't matter) for making a route to the private network 172.16.0.0/16 through the existing firewall's DMZ interface 213.x.x.z. There is a static route on the ASA to do that. It works so far.
I'd like to manage the ASA from the inside network 172.16.0.0 over the management interface. Today I have a separate net 192.168.x.x for that between a dedicated laptop and the ASA mgmt interface.
My questions are:
1) Is it safe to connect the mgmt interface directly to the internal network, when otherwise I am supposed to filter all the traffic on the separate (existing) firewall via a policy between its DMZ 213.x.x.z and internal interface 172.16.x.y?
2) Will the routing etc. at the ASA allow it at all, if there is a direct connection to network 172.16 via the ASA mgmt interface and at the same time a static route to the same network over the ASA inside 213.x.x.y interface, that is, through the said separate firewall?