Cisco Support Community
Step-by-Step Configuration and Troubleshooting Best Practices for the NGFW, NGIPS and AMP Technologies A Visual Guide to the Cisco Firepower Threat Defense (FTD)
Community Member

MGMT interface on Cisco ASA 5520

Can someone tell me what best practice is for the management interface on the asa platform? I had to disable the interface as it was attempting to route traffic during normal operation.

I thought that management-only meant that only specific traffic (http, ssl. snmp, etc.) coming from specific management workstations was allowed. I didn't expect the interface to try to pass traffic through. Is this "bad" behavior on the part of my man0/0 port, or is this normal?

Is there any way I can prevent the man0/0 interface from trying to route traffic? Or am I just stuck with having to disable man0/0 during normal operation?



Re: MGMT interface on Cisco ASA 5520


The management-only option is used to allow management access to the ASA only. This means that only allows traffic terminating at the interface. When an interface is configured as management-only that interface can't be used for forwarding traffic from one interface to another.

You should be able to use the management interface for management purposes only without affecting the normal traffic which traverses the other interfaces !!!

Just make sure the m0/0 interface has indeed the command management-only on it.

I hope it helps .. please rate it if it does !!

Community Member

Re: MGMT interface on Cisco ASA 5520

the m0/0 interface does in fact have management-only applied, however it would appear when I use the packet tracer utility it tries to route traffic via this interface (as it sees the shared management network as directly connected) instead of back through the proper path. It would seem that having the ASA appliance directly connected to a shared network may not be the proper method. Perhaps I am better suited to create a small network that the ASA appliances only sit in for management, instead of other devices such as HP iLo cards and DRAC cards which required FW access for AD intergration, etc.

CreatePlease to create content