Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
543
Views
0
Helpful
3
Replies

Internet Access via MGMT port of ASA5545-X

Go to solution
fatalXerror
Level 5
Level 5

‎05-18-2015 03:26 AM - edited ‎03-11-2019 10:57 PM

Hi Experts,

Good Day!

I have an infrastructure which has ASA5545-X and this firewall has CX enabled and needs to communicate over the internet for the updates. May I know how can I direct my MGMT port to have an internet access, I cannot have a default route because it will conflict to the existing default route for the users who wants to access the internet.

Also, I can't do FTP from my laptop going to the MGMT port of the ASA and I don't know why, I already tried to disable the command "management-only" but my ASA is not permitting to remove it.

Please help.

Thanks,

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Karsten Iwen
VIP
VIP

‎05-18-2015 03:42 AM

The Management-Port of the 5545-X can't be configured as a data-port like on older ASAs. It's always "management-only".

The easy way to configure it is:

1) only use the management-port for the CX-module and manage the ASA through the inside interface.

2) Connect the management-port to the inside network (that's why the ASA itself won't have an IP on m0/0) and configure CX with an IP from the inside network. Point the CX-default-route to your L3-switch in the inside-network or to the inside-IP of the ASA if you don't have an internal L3-switch.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Karsten Iwen
VIP
VIP

‎05-18-2015 03:42 AM

The Management-Port of the 5545-X can't be configured as a data-port like on older ASAs. It's always "management-only".

The easy way to configure it is:

1) only use the management-port for the CX-module and manage the ASA through the inside interface.

2) Connect the management-port to the inside network (that's why the ASA itself won't have an IP on m0/0) and configure CX with an IP from the inside network. Point the CX-default-route to your L3-switch in the inside-network or to the inside-IP of the ASA if you don't have an internal L3-switch.

0 Helpful

Go to solution
fatalXerror
Level 5
Level 5
In response to Karsten Iwen

‎05-19-2015 05:50 AM

Hi Karsten,

Good Day!

How about the updates of the CX, it can pass through the inside network?

Thanks

0 Helpful

Go to solution
Karsten Iwen
VIP
VIP
In response to fatalXerror

‎05-19-2015 06:08 AM

Yes, CX is connected to the ASA-inside-network. The default-gateway of CX has to point to a next-hop that can reach the rest of the network. That should be the case with the connected IP of the inside L3-switch. If there is no L3-switch, the ASA-inside interface would be the next-hop for CX-traffic.

You have to think about the CX as an individual host on the network that has it's own settings.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card