Community Member

Issue with Management Port

Hi everyone

I hope you can help me with one issue I'm having with a new ASA 5512 with CX.

I'm trying to configure access to the management port on the ASA from one sub-network that has different IP addressing. I'm doing this because my ASA does not allow me to disable the management-only option of the port.

Is there a way to do this?

Also, I'm not sure about changing the management network to another physical port on the ASA, because I'm unable to access the Prime Security Module from any port other than the Management port.

I have a basic configuration.

IP addresses with the same security level on all the logical interfaces; also, I allowed traffic between same-security-level interfaces and applied an ACL that allows all traffic between interfaces except the outside interface.

I hope you can help me with this.

Best Regards

Alvaro Rugama Cerda

5 REPLIES
Hall of Fame Super Silver

Issue with Management Port

Since the 5500-X series does not allow traffic coming through the box to go into the management port address directly, you need to put a static route in place on the management interface:

     route management <dest_ip> <mask> <gateway_ip>

Community Member

Issue with Management Port

Hi Mr. Rhoads

I tried this right now and it didn't work, because I cannot add a static route pointing to a network that the ASA already knows.

Just to clarify, this ASA has 6 ports that can manage traffic, plus the management port. I'm trying to access the Prime Security Module, which can only be accessed from the management port, from the network that is attached to port 1.

When I add that static route on the management port I receive the error message:

%Invalid next hop address, it belongs to one of our interfaces

Another tip that can help me?

Best Regards

Alvaro Rugama Cerda

Hall of Fame Super Silver

Issue with Management Port

The gateway address needs to be a downstream L3 device. Even if the traffic flows back through the ASA, that device needs to make that determination.

Typically you will have the management interface with an IP address in a given subnet with the gateway for that subnet on some internal router (or layer 3 SVI on an internal switch). That router or switch can route the traffic to/from the ASA management port as required if you put the static route on the ASA management port.

Please see the figures in the Configuration Guide here for more detail.

Is the ASA the only L3 device on your network? If so, you may need to explore some other options which we can suggest if that is the case.
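The next-hop requirement described in this reply can be checked before a route is typed into the firewall. The following is an added example, not code from the thread or from Cisco; the interface names, addresses and the `check_mgmt_route` helper are constructed for illustration.

```python
import ipaddress

# Constructed sample addressing (not from the thread): ASA interface -> IP/prefix.
ASA_INTERFACES = {
    "management": "192.168.1.1/24",
    "inside": "10.10.10.1/24",
    "dmz": "10.10.20.1/24",
}


def check_mgmt_route(dest, mask, gateway, interfaces=ASA_INTERFACES,
                     ifname="management"):
    """List the problems with 'route <ifname> <dest> <mask> <gateway>'."""
    ifaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
    dest_net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
    gw = ipaddress.ip_address(gateway)
    problems = []

    # Condition behind the error quoted in the thread: the next hop is
    # one of the firewall's own interface addresses.
    for name, iface in ifaces.items():
        if gw == iface.ip:
            problems.append(f"next hop {gw} is the ASA's own {name} address")

    # The gateway must be a separate L3 device reachable on the
    # management subnet itself (router or switch SVI).
    if gw not in ifaces[ifname].network:
        problems.append(
            f"next hop {gw} is not on the {ifname} subnet "
            f"{ifaces[ifname].network}")

    # The poster's situation: the destination is already a directly
    # connected network on one of the data interfaces.
    for name, iface in ifaces.items():
        if name != ifname and dest_net.overlaps(iface.network):
            problems.append(
                f"destination {dest_net} is directly connected on {name}")
    return problems


if __name__ == "__main__":
    # Next hop is the inside interface itself, as in the failed attempt.
    for p in check_mgmt_route("10.10.10.0", "255.255.255.0", "10.10.10.1"):
        print("PROBLEM:", p)
    # Next hop is a downstream SVI on the management subnet (constructed).
    print(check_mgmt_route("172.16.50.0", "255.255.255.0", "192.168.1.254"))
```
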

Community Member

Issue with Management Port

Thank you for your help, now I'm clear about that....

I have an SG500 that connects directly to my ASA, maybe I can use it to access the CX module.

Just one more question.

Do all my sub-networks need to have the SG500 as their gateway, or just the management network?

Thank you for the info again

Best Regards

Alvaro Rugama Cerda

Hall of Fame Super Silver

Issue with Management Port

Glad that helped. Thanks for the rating.

I can't answer your follow-on question accurately without seeing a lot more detail of the rest of your setup. There are a lot of dependencies that influence how you should set up routing and more than one correct answer (along with lots of incorrect ones!).
