cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
13462
Views
20
Helpful
14
Replies

Cisco ASA in Transparent Mode Management

phmazzoni
Level 1
Level 1

Hello,

I know that the Cisco ASA Transparent Mode implementation requires a management IP Address in order to pass traffic:

"For IPv4, a management IP address is required for both management traffic and for traffic to pass

through the adaptive security appliance. For multiple context mode, an IP address is required for

each context."

But is also supported to configure a dedicated management interface:

"You can configure an IP address (both IPv4 and IPv6) for the Management 0/0 or Management 0/1

management-only interface. This IP address can be on a separate subnet from the main management

IP address."

The question is:

In a multiple context mode with a transparent mode setup, if a dedicated management interface is configured per context, it is still necessary to configure a management IP on the same subnet of the Inside/Outside interfaces to allow the traffic to pass?

Thanks in advance,
Pedro Mazzoni

3 Accepted Solutions

Accepted Solutions

Hi Pedro,

It is possible to do it:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/fwmode.html#wp1202704

"The transparent security appliance uses an inside  interface and an outside interface only. If your platform includes a  dedicated management interface, you can also configure the management  interface or subinterface for management traffic only."

Hope that helps!!

Cheers,

Prapanch

View solution in original post

My pleasure. Please mark this post as answered if there is nothing further.

View solution in original post

Hi Pedro,

Unfortunately, it's not possible to share interfaces in transparent mode:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml#guide

"For multiple context mode, each context must use  different           interfaces; you cannot share an interface across contexts."

Cheers,

Prapanch

View solution in original post

14 Replies 14

praprama
Cisco Employee
Cisco Employee

Hi,

It is recommended to have managment IP for a transparent firewall (or a context) in the same subnet that it lies in. This is used for traffic sourced from the firewall like syslogs, AAA, etc. Also, please look the below link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml#inside

"If the destination MAC address is not in the       security appliance table, the security appliance attempts to discover  the MAC       address when it sends an ARP request and a ping. The first packet is  dropped."

So the ping that it sends to discover the MAC address of the next hop will be with a source IP address as the management IP that we have configured.

Again, even if we do not have this IP address or if we have it in a different subnet, things might still work fine but we might run into some unknown problems. Hope this helps.

All the best!!

Thanks and Regards,

Prapanch

OK Prapanch, thanks for the reply.

As far as I understood it, please correct me if I am wrong, even if I do NOT configure a global IP address for a context in the same subnet of the connected subnet, and only configure a dedicated physical "out of band" management interface, like management0/0, things might still work.

The questions are:

1 - The IP packets generated from ASA will be sourced with the management IP?

2 - Is it possible to use the management interface for the "ASA generated" packets, like AAA, syslog and NTP?

3 - You wrote that "things might still work". Could you please detail it? Which "things" will work and which not?

Thanks in advance!

Pedro Mazzoni

Hi Pedro,

> even if I do NOT configure a global IP address for a context in the same  subnet of the connected subnet, and only configure a dedicated physical  "out of band" management interface, like management0/0, things might still work

I think the important word above is might as i have bolded out. I have never tried this out but my guess is that there will be issues passing traffic through the ASA as i said in the last mail about the ARP request and the ping which will not work fine.

> 2 - Is it possible to use the management interface for the "ASA  generated" packets, like AAA, syslog and NTP?

This, i think, is not possible. The ASA will use the global management IP address for such traffic. The management interface is used only for remote management of the ASA.

> 3 - You wrote that "things might still work". Could you please detail  it? Which "things" will work and which not?

I can not be sure of what will work and where you will face problems. I have just seen in some instances where in the management IP is in a different subnet and still things were working smoothly (though some issues did come up later on). hence, my suggestion will be to have a management IP for the transparent firewall as the configuration guide says.

An importnat thing i wanted to get to your notice was:

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/fwmode.html#wp1201980

In transparent firewall mode, the management  interface updates the MAC address table in the same manner as a data  interface; therefore you should not connect both a management and a data  interface to the same switch unless you configure one of the switch  ports as a routed port (by default Cisco Catalyst switches share a MAC  address for all VLAN switch ports). Otherwise, if traffic arrives on the  management interface from the physically-connected switch, then the  adaptive security appliance updates the MAC address table to use the management interface to access the switch,  instead of the data interface. This action causes a temporary traffic  interruption; the adaptive security appliance will not re-update the MAC  address table for packets from the switch to the data interface for at  least 30 seconds for security reasons.

Hence to conclude, management IP is a must for the transparent firewall even if we have a dedicated management interface. The management interface is used only for remote management of the firewall.

Regards,

Prapanch

Thanks again Prapanch!

So the ASA originated packets(AAA,Syslog,...) will have the global management IP source address, and not the management interface address.

Just one more question, do you think it is possible to route the AAA originated traffic(AAA,Syslog,...) through the management interface, even if those packets are formed with the global management IP source address?

Regards,

Pedro Mazzoni

Hi,

I would assume that if the AAA/syslog servers are routed out thourgh the management interface, then it might work this way.

regards,

Prapanch

Hello,

When working in transparent mode with multiple context configuration it is possible to allocate at most 2 interfaces per context:

ERROR: You can allocate at most (2) data interfaces to a context

But is it possible to allocate dedicated management interfaces to contexts?

i.e.:

interface management 0/0.1 : Admin Context MANAGEMENT(management-only)

interface management 0/0.2 : Context 1 MANAGEMENT(management-only)

interface management 0/0.3 : Context 2 MANAGEMENT(management-only)

interface gi 3/0 : Context 1 INSIDE

interface gi 3/1 : Context  OUTSIDE

interface gi 3/2 : Context 1 INSIDE

interface gi 3/3 : Context  OUTSIDE

Thanks in advance,

Pedro Mazzoni

Hi Pedro,

It is possible to do it:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/fwmode.html#wp1202704

"The transparent security appliance uses an inside  interface and an outside interface only. If your platform includes a  dedicated management interface, you can also configure the management  interface or subinterface for management traffic only."

Hope that helps!!

Cheers,

Prapanch

Thanks Prapanch!

My pleasure. Please mark this post as answered if there is nothing further.

Just one more question, when working with multiple context in transparent mode, can I share the management interface or I will have to create the subinterfaces?

Hi Pedro,

Unfortunately, it's not possible to share interfaces in transparent mode:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml#guide

"For multiple context mode, each context must use  different           interfaces; you cannot share an interface across contexts."

Cheers,

Prapanch

vijay1926
Level 1
Level 1

In  ASA transparent mode, Why it is necessary to keep management ip in the same subnet to that of connected network?

what if I keep management ip in diffrent subnet than that of connected network?

If I do so does the traffic move through the asa and why?

thanxs.

Hello Vijay,

As you say you can use another one, That's correct but the thing is that the management IP is not only used for management purporses.

That's were you are missing the point.

That IP address assigned to the ASA as a whole will also be used for ARP requests when the ASA does not know where the destination hosts lies and it's not on the same subnet than the ASA.

It will also be used as a source for packets going to a syslog server, AAA server, Netflow server, SNMP server and any packet that the ASA will need to create so with that in mind the routing of the network will need to be changed to work with this.

If you get to accomplish that the routing of the network works with a different Management IP address on the transparent address then you can do it. I can ensure you I have seen this scenario before working with no issues at all bud.

Just to remember rate all of the helpful posts like this one

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

thanx jcarvaja

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: