ASA network topology and mgmt interface

lkovar
Level 1

Hello,

I am implementing ASA 5510 for SSL Anyconnect client RAS only.  It will be a part of existing firewall infrastructure.

ASA has a public internet (outside) interface to set up a VPN tunnel and should route all the RAS users' traffic to the internal network via the "inside" interface, which is in a DMZ subnet of an existing firewall, where access filtering takes place.

In other words, ASA has two addresses, one public (global) for access from outside (on par with the outside interface of the existing firewall, just behind the router) and the other from a different segment (global, but it doesn't matter) for making a route to private network 172.16.0.0/16 through an existing firewall's DMZ interface 213.x.x.z. There is a static route on ASA to do that. It works so far.

See https://supportforums.cisco.com/message/3056397#3056397

I'd like to manage ASA from the inside network 172.16.0.0 over the management interface. Today I have a separate net 192.168.x.x. for that between dedicated laptop and ASA mgmt interface.

My questions are:

1) Is it safe to connect the mgmt interface directly to the internal network, when otherwise I'm supposed to filter all the traffic on a separate (existing) firewall via a policy between its DMZ 213.x.x.z and internal interface 172.16.x.y?

2) Will the routing etc. at ASA allow it at all, if there should be a direct connection to network 172.16 via the ASA mgmt interface and at the same time a static route to the same network over the ASA inside 213.x.x.y interface, i.e. through the said separate firewall?

Many thanks

9 Replies

August Ritchie
Level 1

Hello,

The way the ASA was designed was to allow management only from the interface you are behind.

Before pursuing any odd workarounds (if there is any at all) could you tell me why you don't want to manage the device from the inside itself?

You can restrict management access to just one device if you are concerned about security.


Hello,

thanks for the reply.

Firstly, Cisco firewalling is brand new to me, including official and non-official documentation, so I try to find my way and follow books, if possible.

That's why I am using the mgmt interface for management :-)

Second, the strange landscape is due to the fact I have an existing Checkpoint firewall and this is just an addition to give users more ways for RAS VPN.

I expected a VPN concentrator like CP Connectra with just one interface to place in the DMZ, and now I am still confused with this (stunning) all-in-one.

Third, I am open to any ideas, but I miss better topology examples. Basically my ASA has no direct interface to the inside (private) network, that's why I am not using it for mgmt. Its so-called inside interface routes via the DMZ in the firewall. If it would be possible and safe to manage ASA this way back from the private net, why not. I will think about it.

If you can elaborate on it more now, I'd really appreciate it.

Additionally, I would be glad to move ASA's external interface to the firewall DMZ or public segment and the inside interface to our private network, as usual, but have no idea how to route the traffic back, as we have no Layer 3 switching equipment.

Best regards and once again many thanks for the coming ideas. Don't hesitate to tell me obvious answers; after 30 years in IT I am used to starting from scratch and feel like a noob :-)

Would it be possible to upload a visual topology? Sorry, I'm just having a bit of a hard time seeing the whole situation in my head.

I believe your idea about putting the public segment on the outside and private on the inside may provide the best longevity for your topology, as it is a standard design.

You say that you only have L2 switches behind the ASA; well, fortunately we are in luck!

Let's say that this is your topology, with VLAN 5 being your inside and VLAN 6 being your DMZ:

{internet}----|ASA|------| L2 switch with vlans 5 and 6|

What we can do is sub-interface the ASA so that it can be in charge of doing inter-VLAN routing. We just take off the config on that current interface and then divide that interface into the sub-interfaces in both VLANs.

interface Ethernet0/0.5
 vlan 5
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Ethernet0/0.6
 vlan 6
 nameif DMZ
 security-level 50
 ip address 192.168.6.1 255.255.255.0

Then whatever interface you fall behind, you can just add a line to allow management. Assuming you have all prior ASDM configurations in, you can do something like this (where 192.168.6.8 is your IP):

http 192.168.6.8 255.255.255.255 DMZ

Now you will have ASDM access from 192.168.6.8 when connecting to the DMZ interface.

I know this is probably way off from your scenario, but it helps to show that the ASA can act as a router on a stick when you only have Layer 2 devices behind it.

A helpful hint is that if you are managing over a VPN, you sometimes need to add the "management-access" command.
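To tie the pieces of the reply above together, here is a complete minimal ASA configuration, added as an example and not taken from the thread or from Cisco documentation: the router-on-a-stick sub-interfaces, a static route back to the 172.16.0.0/16 network the original post mentions, and management locked down to a single admin host on a single interface. Interface names (Ethernet0/0, Ethernet0/1, Management0/0), VLAN IDs, the admin host 192.168.5.10, the inside next hop 192.168.5.2 and the 203.0.113.x outside addresses are all constructed placeholders. The `management-only` keyword on the dedicated management port is the answer to the "is it safe" worry: the ASA will not forward transit traffic through an interface configured that way, so plugging it into the internal network gives an admin path without giving a routing path.

```cisco
! Added example configuration (ASA 8.x syntax); all names and addresses are assumed.
!
! --- Outside interface where the AnyConnect tunnels terminate
interface Ethernet0/1
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.0
 no shutdown
!
! --- Physical trunk towards the L2 switch: no address on the parent interface
interface Ethernet0/0
 no nameif
 no security-level
 no ip address
 no shutdown
!
! --- Sub-interface per VLAN; the ASA routes between them
interface Ethernet0/0.5
 vlan 5
 nameif inside
 security-level 100
 ip address 192.168.5.1 255.255.255.0
!
interface Ethernet0/0.6
 vlan 6
 nameif DMZ
 security-level 50
 ip address 192.168.6.1 255.255.255.0
!
! --- Dedicated management port: management-only means no through traffic,
!     so it cannot become a second path into the private network
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.100.1 255.255.255.0
 no shutdown
!
! --- Default route out; internal /16 reached via the L3-capable inside switch
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 172.16.0.0 255.255.0.0 192.168.5.2 1
!
! --- Management: one admin host, one interface, SSHv2 only, local AAA.
!     The connection must arrive on the interface named in the ssh/http line.
username admin password CHANGE-ME-PLACEHOLDER privilege 15
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
ssh version 2
ssh 192.168.5.10 255.255.255.255 inside
http server enable
http 192.168.5.10 255.255.255.255 inside
!
! --- Only needed when the admin reaches the inside address over the VPN tunnel
management-access inside
```

The `ssh` and `http` lines are the whole access policy for the management plane, so keep them to host masks (255.255.255.255) rather than whole subnets; adding a second admin host is one more line, not a wider mask. `management-access` takes a single interface name, which is why the reply above says it is only "sometimes" needed: it matters when the admin session comes in over the VPN but targets the inside address rather than the outside one.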

Hi, thanks a lot.

I will probably work out some graphics for that tomorrow.

Your idea is interesting. I checked, and our main internal switch is a 3COM 4200G, which is L2 but allows L3 static routing. I will investigate it further, if it solves my outbound route problem anyhow; what do you think?

I am maybe out of it because of that heat (37 deg outside), but an additional idea follows: I could put the inside ASA interface on that 3Com switch with a separate private IP and route the traffic on that switch to the inside servers. As there are only a few servers to be accessed from VPN, I can specify a static route to ASA on them. Right?

Now I can choose whether to keep a public address at ASA outside, or better a public DMZ address on the OUTSIDE ASA interface to hide it in my firewall's DMZ. As I am used to working with Checkpoint FW and not with Cisco ACLs, I could limit access from outside to ASA for the SSL tunnel only and play with the rest in peace. Does it all make sense?

1.) As there are only a few servers to be accessed from VPN, I can specify a static route to ASA on them. Right?

Yes, from the ASA you can route back multiple subnets/IP addresses to the inside switch, and the inside switch can take care of it from there.

2.) I could limit access from outside to ASA for the SSL tunnel only and play with the rest in peace. Does it all make sense?

If the ASA is being used as the VPN endpoint, there shouldn't be any access-list you need to configure to allow the VPN traffic. But if it is terminated somewhere else, then yes, you will need an access-list to permit it.

1.) As there are only a few servers to be accessed from VPN, I can specify a static route to ASA on them. Right?

> Yes, from the ASA you can route back multiple subnets/IP addresses to the inside switch, and the inside switch can take care of it from there.

I mean I leave the default gateway on the servers as is (through Checkpoint) and set on the servers an additional one, specific to the ASA inside interface or RAS pool.

2.) I could limit access from outside to ASA for the SSL tunnel only and play with the rest in peace. Does it all make sense?

> If the ASA is being used as the VPN endpoint, there shouldn't be any access-list you need to configure to allow the VPN traffic. But if it is terminated somewhere else, then yes, you will need an access-list to permit it.

As I am still unsure working with ACLs on ASA and thus afraid to leave something open unintentionally, I plan to hide the ASA outside IF behind the CP firewall in the DMZ. I know, stupid, but I may change it later. Now I have it all on my table only, even with real addresses, no connections outside. ASA, CP firewall, router and 3 workstations :-)

Once again, many thanks for your ideas and help. I really appreciate it. Btw. I go to sleep now; which TZ are you? I am GMT+1 (GMT+2 in DST now)

I mean I leave the default gateway on the servers as is (through Checkpoint) and set on the servers an additional one, specific to the ASA inside interface or RAS pool.

-- This sounds reasonable, but again, a full-picture topology would be needed to confirm. Just try to avoid discontiguous network schemes, i.e. having one instance of 192.168.1.0 behind Checkpoint and another 192.168.1.0 behind the ASA.

I am at GMT-5, so unfortunately I won't get to sleep for a while.

August Ritchie
Level 1

This definitely seems viable. I would work out the topology first, and once you have something that is fairly streamlined, I believe you can use my commands above about ASDM access to allow you to connect to whatever interface you are behind. But definitely figure out the topo first and post it if you are still having issues after implementation.

Please read again, I updated my message a lot.
