I have the mgmt0/0 port set up on my ASA for management-only (ip address 192.168.1.1/24). All works fine if I connect to it from a PC on the 192.168.1.0/24 range. If I try to connect from a PC outside this range I cannot connect. The ASA tries to send the return traffic to my remote PC via the inside interface as this is where the route is. And since this return packet is for an established connection that did not come in on the inside interface, I presume the ASA drops it. If this port is acting like a host device, should there not be a default route command specific to that interface?
I have the management-only command on the interface so maybe the traffic does not try to go back via the "inside" interface, but how should it get back to a host that is not on the 192.168.1.X/25 subnet? In this case my management PC is on a 10.1.0.X address and this subnet is the other side of a router to the 192.168.1.X/24 subnet. I cannot connect to my management address once I am off the 192.168.1.X subnet. Is there not a default gateway command specific to the management interface so it is treated like an independent host on the LAN, i.e. nothing to do with the internal routing of the ASA?
All I have figured out so far is that it seems to work fine if you are using NAT, i.e. the management traffic will return via the mgmt interface and the internet will return via the inside interface. The problem is I am not using NAT on my ASA and I think that is the problem. No connection tracking or something like that.
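One way to keep return traffic for a remote management subnet on the management-only interface is a static route bound to that interface, so the ASA's routing table sends replies to 10.1.0.0/24 out of the management port rather than via inside. This is an added example of such a configuration, not text from the original post; the interface name "management", the router's address 192.168.1.254 on the management LAN, and the remote subnet mask are assumptions.

```text
! Management-only interface as described in the post.
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Static route for the remote management subnet (assumed mask /24), next hop
! being the router that sits between 192.168.1.0/24 and 10.1.0.0/24 (assumed
! to be 192.168.1.254). Because the route is tied to the management interface,
! replies to 10.1.0.x leave the same interface the connection arrived on.
route management 10.1.0.0 255.255.255.0 192.168.1.254 1
!
! Restrict to-the-box management access to the two management subnets only.
ssh 192.168.1.0 255.255.255.0 management
ssh 10.1.0.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 management
http 10.1.0.0 255.255.255.0 management
!
! Check that the route is installed via the management interface:
! show route
```

After applying the route, a management host on 10.1.0.x should reach 192.168.1.1 without any NAT being involved, since the reply now follows the interface-specific route instead of the inside route.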
I am currently unable to specify the "crypto keyring" command when configuring a VPN connection on my Cisco 2901 router.
The following licenses have been activated on my router: