09-16-2008 03:03 PM - edited 03-11-2019 06:45 AM
Hi All,
I have an ASA 5520; its outside interface is connected to the internet, and its inside interface is configured with sub-interfaces, each sub-interface having a different security level.
The ASA is connected to a switch which has a management IP in VLAN 2.
My case is that I need to enable the network to manage the switches behind that firewall.
Are there any ideas???
09-16-2008 04:11 PM
Example for public internet:
You have a switch with management ip of 172.16.1.2, and a host on the internet at 10.2.1.1 that is going to "manage" your switch.
The PIX/ASA will be NATing the switch so that the public host can reach it (NATing to 10.1.1.2), and it will only allow that host to reach it.
Here's the example config...
interface Ethernet0/0.2
vlan 2
description Inside Data Network
nameif inside
security-level 100
ip address 192.168.90.1 255.255.255.0
interface Ethernet0/0.3
vlan 3
description Management Network
nameif management
security-level 20
ip address 172.16.1.1 255.255.0.0
interface Ethernet0/1
description Outside (Public) Network
nameif outside
security-level 0
ip address 10.1.1.1 255.0.0.0
(general snmp)
access-list inbound extended permit udp host 10.2.1.1 host 10.1.1.2 eq 161
(snmp traps)
access-list inbound extended permit udp host 10.2.1.1 host 10.1.1.2 eq 162
(ssh - note this is TCP, not UDP, and the "host" keyword takes no mask)
access-list inbound extended permit tcp host 10.2.1.1 host 10.1.1.2 eq 22
access-group inbound in interface outside
static (management,outside) 10.1.1.2 172.16.1.2 netmask 255.255.255.255
(or if you are more paranoid about security, only forward the ports you are going to use)
static (management,outside) udp 10.1.1.2 161 172.16.1.2 161 netmask 255.255.255.255
static (management,outside) udp 10.1.1.2 162 172.16.1.2 162 netmask 255.255.255.255
static (management,outside) tcp 10.1.1.2 22 172.16.1.2 22 netmask 255.255.255.255
----------------------------------------------------
Example for management from your inside network:
You have a switch with management ip of 172.16.1.2, and a host on the inside network at 192.168.90.2 that is going to "manage" your switch.
The PIX/ASA will not be doing any NATing between the two networks in this case.
Here's the example config...
interface Ethernet0/0.2
vlan 2
description Inside Data Network
nameif inside
security-level 100
ip address 192.168.90.1 255.255.255.0
interface Ethernet0/0.3
vlan 3
description Management Network
nameif management
security-level 20
ip address 172.16.1.1 255.255.0.0
interface Ethernet0/1
description Outside (Public) Network
nameif outside
security-level 0
ip address 10.1.1.1 255.0.0.0
access-list nonat extended permit ip 192.168.90.0 255.255.255.0 172.16.0.0 255.255.0.0
(to allow your switch to send syslog output to your management host at 192.168.90.2; the ACL must be applied inbound on the lower-security management interface, otherwise level-20-to-level-100 traffic is dropped by default)
access-list management extended permit udp any host 192.168.90.2 eq 514
access-group management in interface management
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 192.168.90.0 255.255.255.0
static (inside,management) 192.168.90.0 192.168.90.0 netmask 255.255.255.0
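Both examples above depend on the access-list lines and the static/NAT lines agreeing with each other: the ACE must permit the same protocol and port that the static actually forwards, and an access-list that is defined but never bound with access-group does nothing. The following checker is an added example written for this thread (it is not code from the thread or from Cisco). It parses pre-8.3 `access-list ... extended`, `access-group` and `static` lines of the kind shown above and reports the slips that most often break a management path: a dotted mask given after the `host` keyword, an ACE or port-level static whose protocol disagrees with the well-known protocol of the port (SSH is TCP), an ACE to a mapped address that no static forwards, and an access-list never applied with access-group. The sample config is constructed for the example and deliberately contains those slips; the WELL_KNOWN port table is an assumption and covers only the services discussed here.

```python
"""Consistency checker for pre-8.3 ASA/PIX access-list + static snippets.

Added example, not code from the thread. Parses the three line types the
answer above uses and reports ACL/NAT disagreements.
"""
import re

DOTTED = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Assumption: only these ports are checked for protocol agreement.
WELL_KNOWN = {22: "tcp", 161: "udp", 162: "udp", 514: "udp"}

# Constructed sample config with the common slips left in on purpose:
# a mask after 'host', SSH permitted/forwarded over UDP, and an ACL
# ('management') that is never bound with access-group.
SAMPLE_CONFIG = """
access-list inbound extended permit udp host 10.2.1.1 host 10.1.1.2 255.0.0.0 eq 161
access-list inbound extended permit udp host 10.2.1.1 host 10.1.1.2 255.0.0.0 eq 162
access-list inbound extended permit udp host 10.2.1.1 host 10.1.1.2 255.0.0.0 eq 22
access-group inbound in interface outside
static (management,outside) udp 10.1.1.2 161 172.16.1.2 161 netmask 255.255.255.255
static (management,outside) udp 10.1.1.2 162 172.16.1.2 162 netmask 255.255.255.255
static (management,outside) udp 10.1.1.2 22 172.16.1.2 22 netmask 255.255.255.255
access-list management extended permit udp any host 192.168.1.2 eq 514
"""


def _addr(tokens, i):
    """Consume one address spec at tokens[i]; return (addr, next_i, stray_mask)."""
    if tokens[i] == "any":
        return "any", i + 1, None
    if tokens[i] == "host":
        j, stray = i + 2, None
        if j < len(tokens) and DOTTED.match(tokens[j]):
            stray, j = tokens[j], j + 1  # a mask wrongly placed after 'host'
        return tokens[i + 1], j, stray
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2, None


def parse_ace(tokens):
    """access-list NAME extended permit|deny PROTO SRC DST [eq PORT]"""
    name, proto = tokens[1], tokens[4]
    src, i, s_stray = _addr(tokens, 5)
    dst, i, d_stray = _addr(tokens, i)
    port = int(tokens[i + 1]) if i < len(tokens) and tokens[i] == "eq" else None
    return {"name": name, "proto": proto, "src": src, "dst": dst,
            "port": port, "stray": s_stray or d_stray}


def parse_static(tokens):
    """static (REAL,MAPPED) [tcp|udp] MAPPED_IP [MPORT] REAL_IP [RPORT] netmask M"""
    i, proto = 2, None
    if tokens[i] in ("tcp", "udp"):
        proto, i = tokens[i], i + 1
    mapped, i = tokens[i], i + 1
    mport = int(tokens[i]) if proto else None  # port-level static only
    return {"proto": proto, "mapped": mapped, "mport": mport}


def check_config(text):
    """Return a list of human-readable findings for the given config text."""
    aces, statics, bound, findings = [], [], set(), []
    for n, line in enumerate(text.strip().splitlines(), 1):
        t = line.split()
        if len(t) > 2 and t[0] == "access-list" and t[2] == "extended":
            aces.append(dict(parse_ace(t), line=n))
        elif t and t[0] == "access-group":
            bound.add(t[1])
        elif t and t[0] == "static":
            statics.append(dict(parse_static(t), line=n))

    for a in aces:
        if a["stray"]:
            findings.append(f"line {a['line']}: 'host' takes no mask; drop '{a['stray']}'")
        want = WELL_KNOWN.get(a["port"])
        if want and a["proto"] != want:
            findings.append(f"line {a['line']}: port {a['port']} is {want}, ACE says {a['proto']}")

    for s in statics:
        want = WELL_KNOWN.get(s["mport"])
        if want and s["proto"] != want:
            findings.append(f"line {s['line']}: static forwards port {s['mport']} "
                            f"over {s['proto']}, expected {want}")

    mapped_ips = {s["mapped"] for s in statics}
    whole_ip = {s["mapped"] for s in statics if not s["proto"]}  # all-port statics
    port_fwds = {(s["mapped"], s["proto"], s["mport"]) for s in statics if s["proto"]}
    for a in aces:
        if (a["dst"] in mapped_ips and a["port"] and a["dst"] not in whole_ip
                and (a["dst"], a["proto"], a["port"]) not in port_fwds):
            findings.append(f"line {a['line']}: no static forwards "
                            f"{a['proto']}/{a['port']} to {a['dst']}")

    for name in sorted({a["name"] for a in aces} - bound):
        findings.append(f"access-list '{name}' is defined but never applied with access-group")
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_CONFIG):
        print(finding)
```

Running it against SAMPLE_CONFIG prints six findings: three stray masks, the UDP/22 ACE, the UDP/22 static, and the unbound `management` ACL. Once the ACEs use `tcp ... eq 22` without a mask, the static forwards `tcp 22`, and `access-group management in interface management` is added, the checker returns an empty list. It only understands the pre-8.3 syntax used in this thread; 8.3+ object NAT lines are ignored.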