Re: Management port on ASA

p21 · ‎03-04-2009

I have the mgmt0/0 port set up on my ASA for mamanement-only. (ip address 192.168.1.1/24) All works fine if I connect to it from a PC on 192.168.1.0/24 range. If I try to connect from a PC outside this range I cannot connect. The ASA tries to send the return traffic to my remote PC via the inside interface as this is where the route is. And since this return packet is for an established connection that did not come in on the inside interface, I presume the ASA drops it. If this port is acting like a host device should there not be a default route command specific to that interface.

Ivan Martinon · ‎03-04-2009

If your management port has the "management only" keyword traffic will not be treated as normal traffic hence not forwarded accordingly.

p21 · ‎03-04-2009

I have the management-only command on the interface so maybe the traffice does not try to go back via the "inside" interface but how should get back to a host that is not on the 192.168.1.X/25 subnet? In this case my managemant PC is on a 10.1.0.X address and this subnet is the other side of a router to the 192.168.1.X/24 subnet. I cannot connect to my management address once I am off the 192.168.1.X subnet. Is there not a default gateway command specific to the management interface so it is treated like an independent host on the LAN. ie nothing to do with the internal routing of the ASA.

maldavis3697 · ‎03-19-2009

I am having the exact same problem with an ASA we are deploying on the network tonight...did you ever figure out how to get around the issue?

Thanks!

p21 · ‎03-19-2009

All I have figured out so far it that it seem to work fine if you are using NAT, I.E. the managemnt traffic will return via the mgmt interface and the internet will return via inside interface. The problem is I am not using NAT on my ASA and I think that is the problem. No connection tracking or something like that.

maldavis3697 · ‎03-20-2009

Ok, that helps because we are using NAT. Thanks for the reply. :)