ASA Firewall MGMT interface Setup and Access Issue

avilt · ‎11-26-2015

I have SETUP ASA 5525-X firewalls in a active standby HA pair. It's inside interface (Gi0/0) is terminated on L3 switch (vlan30), firewall will use L3 switch to reach all the inside segments.

On the inside network we have vlan's for DATA (vlan10), MGMT(vlan20) and INSIDE(vlan30).

The firewall MGMT interface (Gi0/7 which is used for management only) is also terminated in the MGMT vlan on L2 switch.

Now I have my server in the DATA vlan which is unable to ping the MGMT interface of the firewalls.

This is not an ACL issue, my guess is that, the ping request from server to MGMT interface will reach the MGMT interface but the reply will return thru inside interface of the firewall. How can I resolve this issue?

Please refer the attached network diagram for more info.

Ganesh Hariharan · ‎11-29-2015

Hello Avilt,

MGMT interface are bound with separate VRF in ASA, You can only reach MGMT interface via MGMT vlan or either try to drop a default route in MGMT VRF towards MGMT SVI and then check.

Hope it Helps..

-GI

Marvin Rhoads · ‎11-30-2015

Ganesh - separate management VRF is a very new feature only available as of ASA 9.5 software. Reference.

Aviit - any ASA prior to 9.5 uses a single global routing table. Accessing the management interface from any host not on the management subnet would require the "best" (ie. lowest administrative distance and/or most specific match) route be hard coded to the management interface.

This is often impractical unless you have a dedicated management subnet and all hosts needing to manage the ASA reside on that subnet. For this reason, many customers simply use the inside interface for management.

QUARK TARO · ‎11-30-2015

Thank You,

In the above setup I have assigned SFR IP address as 192.168.1.4 (active) & 192.168.1.5 (standby).

Now when I ping from the server 172.16.0.10 to 192.168.1.4, how does the traffic reach to it?

When I do a tracert I see the 2nd hop as 10.10.10.1

Marvin Rhoads · ‎11-30-2015

You didn't initially mention using the sfr (FirePOWER Service module).

The sfr essentially runs as a separate "VM" on the ASA. As such, it has its own dedicated default gateway set. It shares the physical management interface with the ASA software. You can use that physical interface for sfr management only and manage the ASA via its inside interface.

Your core L3 switch should have an interface on the VLAN associated with 192.168.1.x so that it knows there's a connected route for that subnet. (Connected routes have the least cost, all other things being equal.)

QUARK TARO · ‎11-30-2015

In the above diagram, the MGMT interface Gi0/7 is defined as management only with IP address 192.168.1.1/24

Now the SFR IP address is 192.168.1.4/24 and Firesight IP is 192.168.1.3/24

But I am using the firewall inside interface 10.10.10.1 for ASDM management.

Now Am I right in saying Firesight reaches SFR thru MGMT interface?

Marvin Rhoads · ‎11-30-2015

Yes - FireSIGHT / FirePOWER Management Center communicates with the sfr module via the ASA management interface only.

However, it must be the ASA's dedicated management interface - Management 0/0.

You cannot use any other interface for sfr module communications to its manager - even ones that you have defined as "management only" in the ASA configuration.

Ganesh Hariharan · ‎12-01-2015

Thanks Marvin for clarification , My mistake ..You are right we implemented in latest relase n our DC ..

-GI