09-09-2009 08:06 AM - edited 03-11-2019 09:13 AM
ASA5510 is connected as follows:
outside -- WAN router. (security level 0)
dmz -- DMZ switch. (security level 50)
inside -- Core switch Vlan 10. (security level 100)
management -- Core switch Vlan100. (security level 100)
int management0/0
nameif management
security-level 100
ip address 10.10.100.2 255.255.255.0
management-only
management-access management
http server enable
http 10.10.0.0 255.255.0.0 management
telnet 10.10.0.0 255.255.0.0 management
I can ping and telnet from internal hosts to outside routers, and DMZ hosts. I can also ping from internal to ASA management port, but can't telnet or https to the management interface.
What could be the reasons? How does ASA know it should direct internal management traffic through the management port instead of the inside port?
Thanks a lot
09-09-2009 08:18 AM
you need to configure telnet and http access from the inside interface.
http 10.10.0.0 255.255.0.0 management
telnet 10.10.0.0 255.255.0.0 management
the above commands allow http and telnet access from hosts on the 10.10.0.0/16 network coming from the management interface.
you need a similar command to allow host access from the inside interface
e.g. telnet n.n.n.n m.m.m.m inside
09-09-2009 06:31 PM
Thanks. I know "http 10.10.0.0 255.255.0.0 inside" and "telnet 10.10.0.0 255.255.0.0 inside" work if I telnet or https from internal to the ASA inside interface.
My confusion is if I have to do "telnet n.n.n.n m.m.m.m inside", what's the purpose of having a management interface? I can just use inside interface as the management address.
Thanks
09-10-2009 03:14 AM
that's your decision - but using the management-interface command is the only way to ping or telnet through the ASA
09-10-2009 06:49 AM
Change
http 10.10.0.0 255.255.0.0 management
telnet 10.10.0.0 255.255.0.0 management
for
http 10.10.0.0 255.255.0.0 INSIDE
telnet 10.10.0.0 255.255.0.0 INSIDE
If the source is in the side and 10.10.0.0 is in the inside
http
telnet
09-10-2009 07:24 PM
Thanks all for the help. I'll just use telnet internal-networks INSIDE, instead of telnet .... management. I can pretty much just shut down the management0/0 port, since I can't use it for telnet or ssh or http.
I'm just wondering what can make management0/0 work as a true out-of-band management interface. I couldn't find a good example in any Cisco documentation.
Thanks again.
09-11-2009 05:48 AM
Hi gwhuang5398,
But have you done the routing on the management interface? Does the ASA know which IPs you will be using to access the ASA over the management interface?
Regards
AP
09-11-2009 06:18 AM
Good question. I thought about that too but didn't come up with a good solution.
I'm running OSPF between the ASA inside interface and the core switch, pretty straightforward. So the ASA knows all internal networks through the inside interface.
ASA management0/0 is directly cabled to the core switch, in a different VLAN. I have tried putting management0/0 into OSPF and leaving it out of OSPF. In either case, it seems the ASA always tries to return traffic to internal networks through the inside interface. If that's the reason "telnet or http . . . . management" didn't work, I may have to specify a static route on the ASA so that management traffic to the internal "management subnet" goes through management0/0. So far I was unwilling to limit it just to the "management subnets".
Does it make sense to you?
Thanks
09-11-2009 06:32 AM
Hi gwhuang,
Great!!! You have the answer yourself: a simple static route on the management interface specific to the management IPs does the job.
I hope I am not wrong with the conclusion I drew.
Cheers
AP
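To make the routing point concrete, here is an added configuration example (not posted by anyone in the thread, and not from Cisco documentation) that applies the conclusion reached above: keep management0/0 as a management-only interface, permit device management from it, and give the ASA a route back to the admin workstations through that interface so that return traffic does not follow the OSPF-learned path out of inside. The addresses 10.10.100.1 (core switch SVI on VLAN 100) and 10.10.200.0/24 (admin workstation subnet) are assumed for illustration; the 10.10.100.0/24 management interface address comes from the original post. SSH is shown in place of telnet because it protects the credentials in transit; the `ssh`, `route`, and `crypto key generate rsa` commands are standard ASA CLI.

```text
! management0/0 as in the original post, unchanged
interface Management0/0
 nameif management
 security-level 100
 ip address 10.10.100.2 255.255.255.0
 management-only
!
! Return path for management clients. Without this, the ASA reaches the
! admin subnet via the OSPF route learned on inside and the reply leaves
! the wrong interface, so the session never completes.
! 10.10.200.0/24 and the gateway 10.10.100.1 are assumed values.
route management 10.10.200.0 255.255.255.0 10.10.100.1 1
!
! Allow device management only from the admin subnet, only on management.
! Prefer ssh over telnet so credentials are not sent in clear text.
crypto key generate rsa modulus 2048
ssh 10.10.200.0 255.255.255.0 management
ssh timeout 10
http server enable
http 10.10.200.0 255.255.255.0 management
!
! Verification after applying:
!   show route            -> the /24 static should appear via management,
!                            more specific than any OSPF route for 10.10.0.0/16
!   show run ssh | show run http
```

The static route only has to be more specific than the OSPF routes learned on inside; longest-prefix match then selects management for the admin subnet while all other internal traffic keeps using inside. Because the interface is management-only, the ASA will not forward through it, so this route affects only traffic to and from the ASA itself.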