Can ping ASA5510 management0/0, but can't telnet or https to it

gwhuang5398
Level 2

ASA5510 is connected as follows:

outside -- WAN router. (security level 0)

dmz -- DMZ switch. (security level 50)

inside -- Core switch Vlan 10. (security level 100)

management -- Core switch Vlan100. (security level 100)

int management0/0

nameif management

security-level 100

ip address 10.10.100.2 255.255.255.0

management-only

management-access management

http server enable

http 10.10.0.0 255.255.0.0 management

telnet 10.10.0.0 255.255.0.0 management

I can ping and telnet from internal hosts to outside routers, and DMZ hosts. I can also ping from internal to ASA management port, but can't telnet or https to the management interface.

What could be the reasons? How does ASA know it should direct internal management traffic through the management port instead of the inside port?

Thanks a lot

8 Replies

m.reay
Level 1

You need to configure telnet and http access from the inside interface.

http 10.10.0.0 255.255.0.0 management

telnet 10.10.0.0 255.255.0.0 management

The above commands allow http and telnet access from hosts on the 10.10.0.0/16 network coming from the management interface.

You need something similar to allow hosts access from the inside interface,

e.g. telnet n.n.n.n m.m.m.m inside

Thanks. I know "http 10.10.0.0 255.255.0.0 inside" and "telnet 10.10.0.0 255.255.0.0 inside" work if I telnet or https from internal to the ASA inside interface.

My confusion is if I have to do "telnet n.n.n.n m.m.m.m inside", what's the purpose of having a management interface? I can just use inside interface as the management address.

Thanks

That's your decision - but using the management-interface command is the only way to ping or telnet through the ASA.

dcambron
Level 1

Change

http 10.10.0.0 255.255.0.0 management

telnet 10.10.0.0 255.255.0.0 management

for

http 10.10.0.0 255.255.0.0 INSIDE

telnet 10.10.0.0 255.255.0.0 INSIDE

If the source is inside and 10.10.0.0 is in the inside

http

telnet

Thanks all for the help. I'll just use telnet internal-networks INSIDE, instead of telnet .... management. I can pretty much just shut down the management0/0 port, since I can't use it for telnet or ssh or http.

I'm just wondering what can make management0/0 work as a true out-of-band management interface. I couldn't find a good example in any Cisco documentation.

Thanks again.

apdatasoft
Level 1

Hi gwhuang5398,

But have you done the routing on the management interface? Does the ASA understand which IPs you will be using to access the ASA over the management interface?

Regards

AP

Good question. I thought about that too but didn't come up with a good solution.

I'm running OSPF between the ASA inside interface and the core switch, pretty straightforward. So the ASA knows all internal networks through the inside interface.

ASA management0/0 is directly cabled to the core switch, in a different VLAN. I have tried putting management0/0 into OSPF and leaving it out of OSPF. In either case, it seems the ASA always tries to return traffic to internal networks through the inside interface. If that's the reason "telnet or http . . . . management" didn't work, I may have to specify a static route on the ASA so that management traffic to the internal "management subnet" goes through management0/0. So far I was unwilling to limit it just to the "management subnets".

Does it make sense to you?

Thanks

Hi gwhuang,

Great!!! You have the answer yourself: a simple static route on the management interface specific to the management IPs does the job.

I hope I am not wrong with the conclusion I drew..

Cheers

AP
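The conclusion gwhuang and AP reach above is a route-lookup problem, and the following added example (not from the thread or from Cisco) models it: the reply to a to-the-box connection leaves via whichever interface wins the longest-prefix match for the client's address, so a client on an internal subnet that is only known via the OSPF route on inside gets an asymmetric reply unless a more specific static route points out management0/0. The inside address, the client subnet 10.10.20.0/24 and the /16 summary are constructed assumptions; only 10.10.100.2/24 on management comes from the thread.

```python
"""Model of the ASA route table from the thread and the egress interface it yields."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    source: str  # "connected", "ospf" or "static"


def egress_interface(routes: List[Route], dst: str) -> Optional[str]:
    """Interface the ASA would use to reach dst: the most specific matching prefix wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in routes if addr in r.prefix]
    if not matches:
        return None
    return max(matches, key=lambda r: r.prefix.prefixlen).interface


def reply_path(routes: List[Route], ingress: str, client: str) -> dict:
    """For a management session arriving on `ingress` from `client`, report where the
    reply leaves and whether the path is symmetric (same interface in and out)."""
    egress = egress_interface(routes, client)
    return {"ingress": ingress, "egress": egress, "symmetric": egress == ingress}


# Constructed table matching the thread: management0/0 is 10.10.100.2/24 (from the
# post); the inside address and the OSPF-learned summary for the internal networks
# are assumptions standing in for the routes OSPF on inside would install.
BASE_ROUTES = [
    Route(ipaddress.ip_network("10.10.100.0/24"), "management", "connected"),
    Route(ipaddress.ip_network("10.10.10.0/24"), "inside", "connected"),
    Route(ipaddress.ip_network("10.10.0.0/16"), "inside", "ospf"),
]

# Same table plus the fix the thread arrives at: a static route for the management
# subnet (constructed here as 10.10.20.0/24) pointing out management0/0.
FIXED_ROUTES = BASE_ROUTES + [
    Route(ipaddress.ip_network("10.10.20.0/24"), "management", "static"),
]

if __name__ == "__main__":
    # A client on vlan100 is symmetric either way; a client on 10.10.20.0/24 is only
    # symmetric once the static route exists.
    for label, table in (("before", BASE_ROUTES), ("after", FIXED_ROUTES)):
        print(label, reply_path(table, "management", "10.10.20.5"))
```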
