Can someone tell me what best practice is for the management interface on the asa platform? I had to disable the interface as it was attempting to route traffic during normal operation.
I thought that management-only meant that only specific traffic (http, ssl. snmp, etc.) coming from specific management workstations was allowed. I didn't expect the interface to try to pass traffic through. Is this "bad" behavior on the part of my man0/0 port, or is this normal?
Is there any way I can prevent the man0/0 interface from trying to route traffic? Or am I just stuck with having to disable man0/0 during normal operation?
The management-only option is used to allow management access to the ASA only. This means that only allows traffic terminating at the interface. When an interface is configured as management-only that interface can't be used for forwarding traffic from one interface to another.
You should be able to use the management interface for management purposes only without affecting the normal traffic which traverses the other interfaces !!!
Just make sure the m0/0 interface has indeed the command management-only on it.
the m0/0 interface does in fact have management-only applied, however it would appear when I use the packet tracer utility it tries to route traffic via this interface (as it sees the shared management network as directly connected) instead of back through the proper path. It would seem that having the ASA appliance directly connected to a shared network may not be the proper method. Perhaps I am better suited to create a small network that the ASA appliances only sit in for management, instead of other devices such as HP iLo cards and DRAC cards which required FW access for AD intergration, etc.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...