Firewalling: Management port M0/0 on ASA 5520 - Interesting issue

Hi,

I have a big network comprising 10.0.0.0

my inside interface ip is 10.100.1.1 /24

my management interface ip is 10.150.1.1 /24

The default inside route in my ASA is

route INSIDE 10.0.0.0 255.0.0.0 10.100.1.1

From my user network - 10.200.1.X, I try to access the management interface, it does not connect ...

So I put a static route on the ASA

route MGMT 10.200.1.0 255.255.255.0 10.150.1.1

Then it works, I am able to connect to ASDM & SSH

Question -

Is all return traffic for the network 10.200.1.X (including internet return traffic) coming via the management interface?

If yes .. what is the solution to this ?

5 REPLIES

Re: Firewalling: Management port M0/0 on ASA 5520 - Interesting

Why do you list the ASA inside IP as the default inside route?

route INSIDE 10.0.0.0 255.0.0.0 *10.100.1.1*

It should be pointed to something else internally. The MGMT interface just needs to plug into a switchport set up for the proper vlan - and treat it as a host port.

Any host on your user network (10.200.1.x) should be able to get to 10.150.1.1 without going through the inside interface of the ASA.

i.e., there should be something doing internal routing for you, whether it's a router or multilayer switch, or something.

You could optionally turn on routing on the inside interface of the ASA as well, assuming you were running an internal routing protocol also.

Re: Firewalling: Management port M0/0 on ASA 5520 - Interesting

Sorry, I gave you the wrong info

My L3 Device ( Default gateway for my internal LAN ) - is 10.100.1.10

10.200.1.10 is the L3 device IP for the management network.

The default inside route in my ASA is

route INSIDE 10.0.0.0 255.0.0.0 10.100.1.10

The route I put for management is

route MGMT 10.200.1.0 255.255.255.0 10.150.1.10

If the above route is not present -

when a user from the user network, 10.150.1.1, tries to reach the management port, the packet goes to the layer 3 switch, then to the Management Interface, & then the return path comes back via the Internal interface due to the default static route

route INSIDE 10.0.0.0 255.0.0.0 10.100.1.10

If I put the route

route MGMT 10.200.1.0 255.255.255.0 10.150.1.10

then the return traffic from the ASA comes back via the MGMT interface

The issue for me is I need to reach the management interface without putting any static route through the management interface, because all inside routes are via the INSIDE interface
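The behaviour described in the original question and in the post above (return traffic leaving INSIDE without the MGMT route, and leaving MGMT once the /24 route is added) is just the ASA's longest-prefix-match route lookup. The following script is an added example, not code from the thread or from Cisco: it parses the two `route` lines quoted in the thread into a constructed routing table and runs a route lookup against it, then checks whether a to-the-box reply (SSH/ASDM) would leave through the interface the request arrived on. The interface names and sample addresses are taken from the thread; the functions `lookup` and `reply_is_symmetric` are hypothetical helpers written for this illustration. It also answers the "including internet return traffic" part of the question: the /24 route to MGMT captures every packet the ASA sends to 10.200.1.x, not only management replies, because the match is on destination prefix only.

```python
import ipaddress

# Constructed sample: the two static routes quoted in the thread, written in
# the ASA's own "route <interface> <network> <mask> <gateway>" syntax.
INSIDE_ONLY = [
    "route INSIDE 10.0.0.0 255.0.0.0 10.100.1.10",
]
WITH_MGMT_ROUTE = INSIDE_ONLY + [
    "route MGMT 10.200.1.0 255.255.255.0 10.150.1.10",
]


def parse_route(line):
    """Turn one 'route IFACE NET MASK GW' line into (network, iface, gateway)."""
    _, iface, net, mask, gw = line.split()
    # ipaddress accepts a dotted netmask after the slash, so no mask conversion is needed.
    return (ipaddress.ip_network(f"{net}/{mask}"), iface, ipaddress.ip_address(gw))


def lookup(route_lines, dst):
    """Longest-prefix match over the table.

    Returns (egress_interface, next_hop) or None when no route covers dst
    (the constructed table has no default route, so non-10/8 destinations miss).
    """
    dst = ipaddress.ip_address(dst)
    best = None
    for net, iface, gw in map(parse_route, route_lines):
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface, gw)
    if best is None:
        return None
    return best[1], str(best[2])


def reply_is_symmetric(route_lines, arrived_on, src):
    """True if a reply to a request from `src` that arrived on `arrived_on`
    would be sent back out of that same interface.

    For a management session to the ASA itself, an asymmetric reply is the
    failure the thread describes: the request reaches M0/0 but the reply is
    routed out INSIDE and the session never completes.
    """
    hit = lookup(route_lines, src)
    return hit is not None and hit[0] == arrived_on


if __name__ == "__main__":
    user_host = "10.200.1.25"  # constructed host on the 10.200.1.X user network
    for name, table in (("inside-only", INSIDE_ONLY), ("with MGMT route", WITH_MGMT_ROUTE)):
        print(f"[{name}] reply to {user_host} leaves via {lookup(table, user_host)}; "
              f"symmetric for a session that arrived on MGMT: "
              f"{reply_is_symmetric(table, 'MGMT', user_host)}")
```

The simulation models only the static routing table. It does not model the `management-only` property raised in a later reply, which is a separate restriction on what the interface will forward; the point here is that the routing table alone already decides which interface the ASA's own replies leave from, and a more specific prefix pointing at MGMT wins for every destination it covers.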

Re: Firewalling: Management port M0/0 on ASA 5520 - Interesting

Hello All,

Can anyone help me with this ?


Re: Firewalling: Management port M0/0 on ASA 5520 - Interesting

Under your management interface, does it say management-only?

Re: Firewalling: Management port M0/0 on ASA 5520 - Interesting

Yes
