I have a quick question about something I'm having trouble getting to work. I have 3 pairs of ASAs and have set up a network for all their management interfaces. This network only resides within the firewalls, and I want anyone that accesses that network to manage those firewalls to go through the firewall. So I was wondering if it's possible to allow connections originating from the inside to the mgt. interface? Having a little trouble getting this to work. (Management interfaces are off in their own DMZ and can only access the mgt. network through the FW. Inside has a security level of 100 and the mgt. network has security level 100, and I'm allowing traffic to pass through interfaces with the same security level.)
The management port can only pass traffic and act as an ethernet port if you have a Security Plus license.
In case you do have a Security Plus license, add the command no management-only under interface Management0/0.
I've got that command but it doesn't seem to help. Because I'm migrating from CheckPoint FWs to ASA, the mgt. network lives through the CheckPoint, and once the CheckPoints get phased out we'll just have the ASA. While I'm doing parallel testing I've done some PBR to force source traffic for test machines through the ASA. The only problem with this is everything works fine but I just can't manage the ASA, because the ASA receives the traffic on its inside interface and it can't switch it over to the mgt. interface. I'm not sure if it just isn't switching it over or if the mgt. int. receives it and doesn't know what to do with it.
OK, so you have a Security Plus license..?
You need access from inside to DMZ, both at the same security level. Firstly, tell me: is it possible for you to lower the security level of management to 99 or lower? If yes then let me know and I can suggest the required config...
Yes I can. I set it to 99. I did have "allow interfaces with the same security level to flow between each other" set. I also still have my ACLs to allow the traffic to and from my host to the management IP.
x.x.x.x --> host/subnet on inside
Add an access-list on the DMZ to permit the traffic through to inside (open icmp any any as well).
Now try to ping a server on the DMZ from inside.
I don't have a server on that LAN, it's just the ASA mgt. interface. I did do that and I tried to ping with no avail. I wanted to secure this mgt. network and force any traffic to an ASA mgt. network to go through a firewall.
Not clear enough to me..
What's your requirement?
Where would you initiate the traffic from?
To where?
From where did you try to ping? From an inside host to the management interface?
My requirement is to only allow access to the ASA's mgt. interface through the ASA, so that that traffic is inspected and the network is secured.
Traffic would initiate from the inside to the management interface and back through the inside interface. I attached a .vsd if you want to look at the setup.
I tried to ping from an inside host to the mgt. interface. I do however have a CSM on that network, but its gateway is set to the CheckPoint firewall because the mgt. network currently exists through them. So I didn't want to ping that host because I knew that even if the traffic got routed over to the mgt. interface it would go back the other way (Async Routing).
Here is a vsd I put together real quick to kind of give you an idea of how it's set up.
Asymmetrical routing is not supported on ASA in single context.
What you are trying to achieve is traffic from inside going through the management interface; however, the return reply hits the inside, which is not possible because of the stateful behaviour.
I would like to have a host 10.x.x.x be able to go through the inside interface of the ASA to get to the mgt. Interface of that same ASA and then the return traffic go back out the same way it came in.
inside to >>>> Mgt Interface.
Mgt. Interface to >>>>inside.
interface Management0/0
static (inside,management) 10.x.x.x 10.x.x.x
See if this works!
That didn't seem to work. When I do a debug ICMP trace while I ping the mgt interface I just see the request and never a reply. I have allowed the host to ping all interfaces.
ICMP echo request from 10.x.x.202 to 10.x.x.70 ID=768 seq=34563 len=32
ip address 10.x.x.70 255.255.255.0 standby 10.x.x.71
icmp permit 10.x.x.0 255.255.255.0 management
static (Inside,management) 10.x.x.202 10.x.x.202 netmask 255.255.255.255
route Inside 10.x.x.202 255.255.255.255 10.x.203.6
I also have an ACL applied to allow all IP from 10.x.x.0/24 to mgt. on the inside.
access-list mgmt permit icmp any any
access-group mgmt in interface management
See if you get a ping reply back.
Nope.. I'm thinking I'm going to create a new private VLAN and place these mgt. interfaces in this VLAN, mainly because there is a potential to have other devices on this VLAN for our CRO team. Or do you think what I'm trying to do should work?
access-list mgmt permit icmp any any
access-group mgmt in interface management
ICMP echo request from 10.250.3.202 to 10.250.200.70 ID=768 seq=34564 len=32
ICMP echo request from 10.250.3.202 to 10.250.200.70 ID=768 seq=34820 len=32
ICMP echo request from 10.250.3.202 to 10.250.200.70 ID=768 seq=35076 len=32
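The debug icmp trace output above shows echo requests with no replies, which the poster spotted by eye. As an added example (not from this thread), the Python below pairs each request with its reply by source, destination, ID and sequence number and reports what never came back; the sample trace is constructed here, with request lines in the format shown in the thread and reply lines assumed to follow the same layout (the 10.250.200.50 host is invented for contrast).

```python
import re
from collections import OrderedDict

# Constructed sample of ASA "debug icmp trace" output. Request lines follow the
# format quoted in the thread; the reply line is assumed to use the same layout.
SAMPLE_TRACE = """\
ICMP echo request from 10.250.3.202 to 10.250.200.70 ID=768 seq=34564 len=32
ICMP echo request from 10.250.3.202 to 10.250.200.70 ID=768 seq=34820 len=32
ICMP echo request from 10.250.3.202 to 10.250.200.70 ID=768 seq=35076 len=32
ICMP echo request from 10.250.3.202 to 10.250.200.50 ID=768 seq=35332 len=32
ICMP echo reply from 10.250.200.50 to 10.250.3.202 ID=768 seq=35332 len=32
"""

LINE_RE = re.compile(
    r"ICMP echo (?P<kind>request|reply) from (?P<src>\S+) to (?P<dst>\S+) "
    r"ID=(?P<id>\d+) seq=(?P<seq>\d+) len=(?P<len>\d+)"
)

def parse_trace(text):
    """Yield (kind, src, dst, id, seq) for each line that looks like a trace entry."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield (m["kind"], m["src"], m["dst"], int(m["id"]), int(m["seq"]))

def unanswered_requests(text):
    """Return (src, dst, id, seq) tuples for requests that never saw a reply."""
    pending = OrderedDict()
    for kind, src, dst, icmp_id, seq in parse_trace(text):
        if kind == "request":
            pending[(src, dst, icmp_id, seq)] = True
        else:
            # A reply matches the request whose src/dst are the reverse of its own
            pending.pop((dst, src, icmp_id, seq), None)
    return list(pending)

def summarize(text):
    """Per destination: (requests sent, requests that got no reply)."""
    sent = {}
    for kind, _, dst, _, _ in parse_trace(text):
        if kind == "request":
            sent[dst] = sent.get(dst, 0) + 1
    lost = {}
    for _, dst, _, _ in unanswered_requests(text):
        lost[dst] = lost.get(dst, 0) + 1
    return {dst: (sent[dst], lost.get(dst, 0)) for dst in sent}

if __name__ == "__main__":
    for dst, (n_sent, n_lost) in summarize(SAMPLE_TRACE).items():
        print(f"{dst}: {n_sent} requests, {n_lost} unanswered")
```

A destination where every request is unanswered while other hosts on the same segment reply is the pattern the thread is describing: the ASA's own interface is not answering through-the-box traffic.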
Ahhhhh.. are you trying to ping the management interface??? If yes, then you would NEVER be able to ping the management interface (that's by design).
But if you try to ping a host connected to the management interface from a host on inside, you must get a response back.
OK, but when I have it not routing through the ASA to get to the mgt. interface I do get pings back.
Yes, in that case it will work..
See, if you don't have the ICMP request passing through the ASA to hit the management interface, in that case you are just pinging a host connected at the far end.. which is allowed.
However, you can't ping INDIRECTLY connected INTERFACES through the ASA.
Let me search for a link that explains this.
Oh yea! I remember that.. That was back in the days with the PIX too. Can't ping through the device to its attached interface... but can ping through it to a host at the other end. Although I can't hit the device via SSH or HTTPS.. Does it apply to them as well?