The ASA 5500 has its own management interface, but I am not sure how to use it correctly. Let's say we use the outside, inside and management interfaces of the ASA.
On the inside interface I have an L3 switch that manages all my VLANs. I have an admin network, 10.222.0.0/16, where all the admin people sit, and then we have some management servers like CW2000 or HPOV placed on a server VLAN (10.100.0.0/16). If I point the routing for 10.222.0.0/16 and 10.100.0.0/16 to the management interface, then I am not able to have normal traffic from these two networks through the ASA. How can I solve this?
The short answer is: I think you need to proxy the mgt interface traffic.
I think you will find that any IP address that communicates directly with the mgt interface cannot also talk through the ASA e.g. your ASDM client or HPOV server, the traffic needs to be proxied. This is all because the ASA is running a single routing table - which INCLUDES the mgt interface traffic. The OOB management traffic is sharing the routing table.
I find this a very inconvenient "feature" of the ASA (unless I've misinterpreted it). Because of this, in smaller environments it seems easier to me to forget the dedicated mgt int and manage the ASA directly through the inside interface.
It would be nice if the "management-only" interface traffic were exempt or excluded from the main routing table - maybe a little VRF-like technology inside would work here? Also, I don't know if contexts can assist here, e.g. an admin-context. I haven't really delved into the context world... yet. (Do contexts have their own routing/fwding tables yet?)
If you don't have (or don't want?) a proxy, I guess an alternative would be to install additional LAN interfaces directly on the ASA mgt (V)LAN in all the devices you wish to communicate with the ASA mgt interface.
If anyone has anything to add, I'd love to be wrong about all this.
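As an added illustration of the single-routing-table point made above (this is not the poster's configuration, but an example written here), the fragment below shows the problematic setup from the original question beside the usual workaround of routing the admin and server networks behind the inside interface and managing the ASA there. The interface names, the 192.168.200.0/24 OOB subnet, the 10.1.1.0/24 inside transit subnet and the L3 switch address 10.1.1.2 are all assumed values.

```cisco
! ---- Problematic setup (as in the question) ----
! The management interface is management-only, yet its routes live in the
! same single routing table as every other interface.
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.200.2 255.255.255.0
 management-only
!
! Assumed OOB gateway 192.168.200.1. Once these routes exist, the ASA's only
! path back to 10.222.0.0/16 and 10.100.0.0/16 is out of management, so user
! traffic from those networks arriving on inside cannot be returned through
! inside and is dropped: the same host cannot both manage the box on the
! management interface and pass traffic through the firewall.
route management 10.222.0.0 255.255.0.0 192.168.200.1
route management 10.100.0.0 255.255.0.0 192.168.200.1

! ---- Workaround (manage via the inside interface instead) ----
! Leave no routes pointing at management for the admin/server networks.
! Route them to the L3 switch behind inside (assumed 10.1.1.2) so that both
! transit traffic and management sessions use the same interface.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.0
!
route inside 10.222.0.0 255.255.0.0 10.1.1.2
route inside 10.100.0.0 255.255.0.0 10.1.1.2
!
! Restrict ASDM/SSH to the admin network on the inside interface only.
http server enable
http 10.222.0.0 255.255.0.0 inside
ssh 10.222.0.0 255.255.0.0 inside
!
! Optional: let remote-access VPN users reach the inside interface address
! for management over the tunnel.
management-access inside
```

The point of the contrast is that the problem is not a missing ACL or NAT rule but the route selection itself: whichever interface holds the route to an admin network is the only interface the ASA will send replies out of, which is why the reply above suggests either proxying the management traffic or abandoning the dedicated management interface in small deployments.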
Hello, we set up a new ASA 5510. The small remote office VPNs in OK to resources on the inside. But the remote user is not able to ping through the outside (VPN'ed) interface to me on the management interface. I'm working with Cisco. We have covered ACL group-objects, static routes, and management-access, but this is still a problem. Any idea?
Ours is the ASA 5510, version 7.2.2. While the ASA's management interface is designed for management traffic only, accepting only incoming traffic, Cisco had me remove the 'management-only' command from the interface, disabling management-only mode so the interface should pass traffic just like any other interface. (I confirmed this online in Cisco's Command Lookup Tool, under management-only.) This isn't a big problem. The remote users (DSL/Cisco 501/VPN) work well, but occasionally I want them to ping me on our management VLAN to initiate a conversation (theirs is a dynamic IP). Also, we have an SNMP monitoring program this may affect. Hey, thanks for the reply, Chad.