Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Access Cisco Management IP from Separate VLAN

I'm confused as to why I can't access the management address for my ASA from a separate VLAN.

I have configured a specific management vlan as 10.10.190.0/24.

I have a user vlan: 10.10.190.0/24. The security levels are the same. When my laptop is connected to the management VLAN, I can access the ASA management IP fine via SSH & ASDM.

When I'm in my HOME vlan, I can access all management devices in the management VLAN except for the ASA interface.

Is there a setting that disables accessing the ASA interface from another VLAN, even with the firewall policy allows it?

 

Everyone's tags (3)
3 REPLIES
Hall of Fame Super Silver

It usually comes down to the

It usually comes down to the ASA's routing. It's a poor router and can easily get confused if you are trying to reach a connected network (i.e., the management interface) having come into the ASA via any other interface. By default it will try (and fail) to route that traffic "through" the appliance itself. If that's the case you can use a work around of a static route for the management address (/32) via the insiude network gateway. That way the more specific route will take precedence.

New Member

I don't think it's a routing

I don't think it's a routing issue - the management interface is completely disabled and I have a dedicated VLAN for all management devices.

The management server is enabled on that VLAN interface. If it was a routing issue, then I would imagine I would be unable to get to the other devices in the management VLAN from my workstation in the alternative VLAN.

I could be wrong though, I'll take another look at the routing configuration. Thanks!

Hall of Fame Super Silver

Sorry - when you said

Sorry - when you said "management address for my ASA" I assumed you meant the management interface.

You can always check how traffic flows (or fails to flow) through an ASA using the packet-tracer command.

111
Views
0
Helpful
3
Replies
CreatePlease login to create content