
Management interface

I've configured the management interface on our ASA 5550. The address is 192.168.254.5 and its next hop is .1 (vlan 254 on 3750).

I can ping the management interface fine from my laptop (10.128.100.75), but I can't telnet to the device on the management interface and it gives the following error:

%ASA-6-110003: Routing failed to locate next hop for TCP from management:192.168.254.5/23 to management:John-Blakley/2223

I can't add the route as "route management 10.128.100.0 255.255.255.0 192.168.254.1" because it says that it overlaps with an existing route. The 10.128.100.0 subnet will be exiting out of the inside interface.

What have I missed?

Thanks,

John

HTH, John *** Please rate all useful posts ***
1 ACCEPTED SOLUTION

Accepted Solutions
Hall of Fame Super Blue

Re: Management interface

John

You could try adding a specific route for your laptop out of the management interface but then that would break your Internet access from your laptop.

Problem is telnet is stateful TCP - so the packet enters the ASA on the management interface but then the ASA cannot find a route back to your laptop via that same interface so it drops it.

Jon

3 REPLIES
Re: Management interface

Jon,

I figured out that I won't be able to do that. I guess having a management interface on a different subnet means that you should have a system on that same subnet dedicated for that purpose alone.

Thanks!

John

HTH, John *** Please rate all useful posts ***
Community Member

Re: Management interface

I'm not sure if this is workable in your situation but if your IT department works on a particular subnet that's smaller than the 10.128.100.0/24 subnet you could put that in to exit the management interface.

We had a similar problem with setting up our management interface on our ASA recently. We have a route through the inside interface that was for 10.0.0.0/8 but we were also able to put in a smaller subnet (10.10.5.0/28) to exit the management interface just for the IT department. It might be a good idea to define a route for a smaller subnet to the IT department anyways as a security precaution.

This worked for us and then traffic that went in the management interface knew how to get back out. I didn't get the exact error you got but then I didn't try to telnet to the ASA. Let me know if this works for you. :)
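The two answers above describe the same mechanism from both sides: a reply to a connection that arrived on the management interface is routed by longest-prefix match, so with 10.128.100.0/24 pointing out inside the ASA has no path back out management and drops the packet, while a more specific route for a small admin subnet out management gives those hosts a symmetric path without disturbing the rest of the /24. The following Python model is an added example, not code from the thread or from Cisco; it assumes /24 masks on both networks, uses a constructed inside gateway (10.128.1.1, not given in the thread), a constructed admin subnet 10.128.100.64/28 that contains the laptop's address, and simplifies the ASA's "overlaps with an existing route" check to "same prefix and mask already present on another interface".

```python
"""Simplified model of an ASA static routing table (added example, not Cisco code).

Assumptions not taken from the thread:
- management and inside networks are /24s;
- inside next hop 10.128.1.1 is a constructed placeholder;
- the ASA refuses a static route whose prefix/mask already exists on another
  interface; that single check stands in for the real overlap validation.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str
    next_hop: ipaddress.IPv4Address


class RoutingTable:
    def __init__(self) -> None:
        self.routes: List[Route] = []

    def add(self, interface: str, prefix: str, next_hop: str) -> Route:
        """Mirror of `route <iface> <net> <mask> <gw>`: rejects a duplicate prefix on another interface."""
        net = ipaddress.ip_network(prefix, strict=True)
        for r in self.routes:
            if r.prefix == net and r.interface != interface:
                raise ValueError(f"route {net} via {interface} overlaps existing route via {r.interface}")
        route = Route(net, interface, ipaddress.ip_address(next_hop))
        self.routes.append(route)
        return route

    def lookup(self, dst: str) -> Optional[Route]:
        """Longest-prefix match: the most specific matching route wins."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Route] = None
        for r in self.routes:
            if addr in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
                best = r
        return best


def reply_route_check(table: RoutingTable, ingress: str, client: str, asa_ip: str,
                      proto: str = "TCP", sport: int = 23, dport: int = 2223) -> Optional[str]:
    """None if the reply can leave via the interface the connection arrived on;
    otherwise a drop message shaped like the %ASA-6-110003 line in the question."""
    route = table.lookup(client)
    if route is not None and route.interface == ingress:
        return None
    return (f"%ASA-6-110003: Routing failed to locate next hop for {proto} "
            f"from {ingress}:{asa_ip}/{sport} to {ingress}:{client}/{dport}")


def build_base_table() -> RoutingTable:
    t = RoutingTable()
    t.add("management", "192.168.254.0/24", "192.168.254.1")  # management net, mask assumed
    t.add("inside", "10.128.100.0/24", "10.128.1.1")          # laptop subnet via inside; gateway is a placeholder
    return t


def scenario() -> dict:
    """Walk through the thread: the drop, the rejected overlapping route, the /28 fix."""
    t = build_base_table()
    laptop, asa_mgmt = "10.128.100.75", "192.168.254.5"
    before = reply_route_check(t, "management", laptop, asa_mgmt)
    try:  # the route John tried: same prefix/mask as the inside route -> rejected
        t.add("management", "10.128.100.0/24", "192.168.254.1")
        overlap_error = None
    except ValueError as exc:
        overlap_error = str(exc)
    # the third reply's approach: a more specific route for the admin hosts only (constructed /28)
    t.add("management", "10.128.100.64/28", "192.168.254.1")
    after = reply_route_check(t, "management", laptop, asa_mgmt)
    return {
        "before": before,
        "overlap_error": overlap_error,
        "after": after,
        "laptop_iface": t.lookup(laptop).interface,
        "other_host_iface": t.lookup("10.128.100.200").interface,  # rest of the /24 still via inside
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The model also shows why the /28 route is the safer choice from a security standpoint: only the admin hosts inside it get a return path over the management interface, and every other host in 10.128.100.0/24 keeps being routed via inside, so the management plane stays reachable from a deliberately small set of addresses.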
