We use a pair of ASA 5585's in a multimode active/active setup. I'm able to set up and access the management interface for the admin context easily, but I'm having trouble setting up management interfaces for the other contexts. I'm sure I'm missing a fundamental config or understanding...
I am unable to ping the context1 management interface, whereas I can ping (and ssh) to the admin context. One thing that I think might be preventing ping is that Management0/0.1 is assigned to Vlan7. This is an arbitrary VLAN and is not actually running across any links, but the ASA won't let me assign the Management0/0.1 interface to Context1 unless it's configured with a VLAN not already in use (which is, by the way, frustrating). Then again, in Context1 the Management0/0.1 interface is assigned to the default VLAN, just like in the Admin context, so does that even matter?
I'm sure I'm missing something easy or maybe have a misunderstanding on how to configure management access to the other contexts. This is my first multimode setup. Any help would be appreciated.
FYI - I spoke with someone at Cisco and you have to put each management port that you configure for contexts into a separate VLAN. So, if you have 5 contexts with each having a management port, that's 5 VLANs. Fairly annoying as I'd hoped to keep all management traffic under the same VLAN.
That said, I think we'll end up just managing the admin context with the management port and managing all the other contexts via the inside IP gig port address.
good information - thanks for sharing your resolution. +5
FYI I tested SNMP by snmpwalking a multi-context firewall. Admin context has only management interface allocated and thus only gives me an ifIndex for that single interface. I had to walk the production context to get an ifIndex (and associated counters) from one of their interfaces.
So, to continue my one-sided conversation, I finally figured out how to do this. It IS possible to share the management interface across multiple contexts on the SAME VLAN, despite what the rest of the Internet (or Cisco) says.
You simply need to allocate the main interface, Management0/0, and not the sub-interfaces, to whatever contexts you want to assign a management IP to. You'll notice, however, that you cannot assign a VLAN to a main interface, but you can with the sub-interfaces, within system.
So with this in mind we can assume the main interface, Management0/0, will operate on VLAN 1 since we can't assign it to a different VLAN. In my case we needed management traffic to traverse VLAN 199. All I did to remedy this is make sure the switch port Management0/0 connected to was configured as an Access Port on VLAN 199. Voila, everything works.
Hope this information is useful to others. I know many people just use the inside interface of each context to manage it, but I think using the management interface (and subnet) for management purposes across all contexts is cleaner.
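The layout described in the post above, written out as an added example (this is not the poster's configuration or anything from the original thread): the system execution space allocates the physical Management0/0 interface, not a VLAN subinterface, to both the admin context and a second context; each context then puts its own management address on that interface; and the upstream switch port carries the traffic untagged on VLAN 199 as an access port. The context names, the config-url paths, the 192.0.2.0/24 addressing and the switch interface name are assumed values chosen for the example.

```cisco
! === System execution space ===
! mac-address auto gives each context its own MAC on the shared interface,
! so the classifier can tell the contexts apart (assumed, not from the thread)
mac-address auto
!
interface Management0/0
 no shutdown
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
context context1
 allocate-interface Management0/0
 config-url disk0:/context1.cfg
!
! === Admin context (assumed addressing, 192.0.2.0/24) ===
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.0.2.11 255.255.255.0
!
! only the management subnet may open SSH to this context
ssh 192.0.2.0 255.255.255.0 management
!
! === context1 (same subnet, different host address) ===
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.0.2.12 255.255.255.0
!
ssh 192.0.2.0 255.255.255.0 management
!
! === Upstream switch port the ASA's Management0/0 plugs into (Cisco IOS) ===
! no VLAN tag is needed because the ASA cannot tag the main interface;
! the switch places the untagged frames into VLAN 199
interface GigabitEthernet1/0/1
 description ASA Management0/0
 switchport mode access
 switchport access vlan 199
 spanning-tree portfast
```

Two points worth checking in a deployment like this: in an active/active failover pair each context's `ip address` line also needs a `standby` address, and the peer unit's switch port must match the access VLAN; and because every context's management address now sits in one broadcast domain, keep the `ssh`/`http` source restrictions in each context narrow so that reaching one context's management address does not imply reachability to all of them.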