07-29-2014 12:42 PM - edited 03-11-2019 09:33 PM
I'm confused as to why I can't access the management address for my ASA from a separate VLAN.
I have configured a specific management vlan as 10.10.190.0/24.
I have a user vlan: 10.10.190.0/24. The security levels are the same. When my laptop is connected to the management VLAN, I can access the ASA management IP fine via SSH & ASDM.
When I'm in my HOME vlan, I can access all management devices in the management VLAN except for the ASA interface.
Is there a setting that disables accessing the ASA interface from another VLAN, even when the firewall policy allows it?
07-29-2014 01:52 PM
It usually comes down to the ASA's routing. It's a poor router and can easily get confused if you are trying to reach a connected network (i.e., the management interface) having come into the ASA via any other interface. By default it will try (and fail) to route that traffic "through" the appliance itself. If that's the case, you can use a workaround of a static route for the management address (/32) via the inside network gateway. That way the more specific route will take precedence.
07-29-2014 02:13 PM
I don't think it's a routing issue - the management interface is completely disabled and I have a dedicated VLAN for all management devices.
The management server is enabled on that VLAN interface. If it was a routing issue, then I would imagine I would be unable to get to the other devices in the management VLAN from my workstation in the alternative VLAN.
I could be wrong though, I'll take another look at the routing configuration. Thanks!
07-29-2014 02:20 PM
Sorry - when you said "management address for my ASA" I assumed you meant the management interface.
You can always check how traffic flows (or fails to flow) through an ASA using the packet-tracer command.