Cisco Support Community
New Member

Traffic Flow from ASA to Server

 

Hi Everyone,

 

I need to add the ASA to the CSM Server.

The ASA needs to talk on port 443 with the CSM server.

Here is the setup:

ASA1---------lan network--------ASA2---------Interface Z is connected to the CSM server.

 

CSM server IP is 172.17.10.220.

ASA1 has two interfaces say x and y.

x has IP 172.17.100.7

y has IP 172.17.101.7

sh ip route on ASA1 shows

 

route x 0.0.0.0 0.0.0.0 172.17.100.254

route y 172.17.10.0 255.255.255.0  172.17.101.1

 

I need to know: if I do the below config on ASA1

http 172.17.10.220 255.255.255.255

which interface should I put there, X or Y?

 

Regards

Mahesh

3 REPLIES
Hall of Fame Super Silver


Mahesh,

As long as the interface is reachable from the CSM server, either should work. Normally we have a higher security level (e.g., Inside) or management interface which we restrict and direct all management activity (CSM, ssh, snmp etc.) to use. That avoids unnecessary exposure of control plane services on untrusted networks.

Your routing path is independent of which interface allows the access. If interface y is the inside or highest security level then you could reach x via going "through" the ASA. If "x" is inside then you would need an access-list applied to "y" to allow the initiation of the connection from CSM.

New Member


Hi Marvin,

 

Below is the setup here:

ASA1 interface x has a security level of 50

interface y has a security level of 70

Routing on ASA1

 

route x 0.0.0.0 0.0.0.0 172.17.100.254

route y 172.17.10.0 255.255.255.0 172.17.101.1

 

I have added the CSM to the ASA as per the config below

ASA1

http 172.17.10.220 255.255.255.255 x

With this config above, ASA1 is added to CSM successfully.

 

The thing I need to understand now is: when CSM talks to ASA1 over interface X, then from the routing configured on ASA1 as below

route x 0.0.0.0 0.0.0.0 172.17.100.254

route y 172.17.10.0 255.255.255.0 172.17.101.1

which route does it use as the next hop?

My understanding is that it should use route y 172.17.10.0 255.255.255.0 172.17.101

as it has the more precise route?

 

Regards

 

Mahesh

 

 

 

Hall of Fame Super Silver


That's correct.

You are talking to interface x (with a lower security level than you enter on so no need for an access-list to allow it) and your traffic is entering into (and returning from) the firewall via interface y.
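To make the two points in this thread concrete (longest-prefix match picks the next hop, and the security level of the targeted interface versus the ingress interface decides whether an access-list is needed), here is an added Python example. It is not from the thread or from Cisco; it parses the two ASA1 route lines quoted above, looks up the CSM server, and applies Marvin's rule. The security levels (x=50, y=70) are the ones Mahesh posted; the function names are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed from the routing and interface details quoted in the thread.
ASA1_ROUTES = [
    "route x 0.0.0.0 0.0.0.0 172.17.100.254",
    "route y 172.17.10.0 255.255.255.0 172.17.101.1",
]
SECURITY_LEVEL = {"x": 50, "y": 70}   # from Mahesh's second post
CSM_SERVER = "172.17.10.220"

@dataclass
class Route:
    interface: str
    network: ipaddress.IPv4Network
    next_hop: ipaddress.IPv4Address

def parse_route(line: str) -> Route:
    """Parse an ASA 'route <iface> <network> <mask> <gateway>' line."""
    _, iface, net, mask, gw = line.split()
    return Route(iface, ipaddress.IPv4Network(f"{net}/{mask}"),
                 ipaddress.IPv4Address(gw))

def asa1_routes() -> list:
    return [parse_route(line) for line in ASA1_ROUTES]

def lookup(routes: list, dst: str):
    """Longest-prefix match: the most specific route wins, so the
    0.0.0.0/0 default is used only when nothing else matches."""
    addr = ipaddress.IPv4Address(dst)
    matches = [r for r in routes if addr in r.network]
    return max(matches, key=lambda r: r.network.prefixlen, default=None)

def management_access_check(routes, levels, server, http_iface):
    """For 'http <server> 255.255.255.255 <http_iface>': return the interface
    the CSM traffic actually enters and leaves on, and whether Marvin's rule
    says an access-list is required (targeted interface has a HIGHER security
    level than the ingress interface)."""
    ingress = lookup(routes, server).interface
    needs_acl = levels[http_iface] > levels[ingress]
    return ingress, needs_acl

if __name__ == "__main__":
    r = lookup(asa1_routes(), CSM_SERVER)
    print(f"CSM reached via {r.interface}, next hop {r.next_hop}")
    print(management_access_check(asa1_routes(), SECURITY_LEVEL, CSM_SERVER, "x"))
```

With Mahesh's levels, targeting x (50) while entering on y (70) needs no access-list, which matches the thread's outcome.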

69 Views, 0 Helpful, 3 Replies