1

I want to add a redundant interface to my Cisco ASA 5510. The management interface is currently using Ethernet0/1 (10.1.25.254/24) one of the interface I want to use for the redundant interfaces. So I wanted to setup Management0/0 as the new management interface. The other interface I want to use is Ethernet0/2 (10.1.0.254/24) for the redundant interface. The Ethernet0/3 (10.1.251.5/24) interface is not going to be part of the redundant interface.

I gave the Management0/0 an IP address of 10.1.254.5, and was able to connect a win7 box to Management0/0 and use 10.1.254.5 as a gateway; and ping another address on the (10.1.251.0/24) network, but I can't ping the interface (10.1.254.5) itself. I also can't use ASDM/SSH to log onto the ASA at 10.1.254.5.

I setup rules in Configuration > Device Management > Management Access > ASDM/HTTPS/Telnet/SSH. That look like the original rules for the Ethernet0/1 interface.

The last thing I can think to try would be to change the Configuration > Device Management >Management Access > Management Interface. I'm a bit nervous about changing it, the description of it is a bit vague. What it's going to do if I change it? What is the correct way to change a management interface?

Sam Sanders
  • 173
  • 4
  • 6
  • 18
  • Can you provide more information about how it's configured? Is the interface on the same network as the e0/1 interface? And what do you mean when you say that you can "ping another address on the network" - is this when connected only to the ASA's management port? – Shane Madden Dec 30 '11 at 21:29
  • @Shane what else do I need to add to my question? – Sam Sanders Jan 03 '12 at 14:19
  • Are you absolutely sure that you weren't connected to wireless or something when plugged into the management port? A management port shouldn't route traffic; you should not have been able to ping the 10.1.251.0/24 network from the other side of the management interface. – Shane Madden Jan 03 '12 at 16:25
  • I disable the wireless card while I did that. I should also note I'm a bit of newbie with I comes to networking. – Sam Sanders Jan 03 '12 at 17:10
  • @Shane Could it be that both those interfaces have the same security level of 100? – Sam Sanders Jan 03 '12 at 17:50
  • Traffic shouldn't pass between networks via the management interface at all, unless the `Management0/0` interface has had the "management traffic only" setting cleared. For your current situation, now that it's working - you're now able to access that address when connected to the inside interface, correct? This is because the `management-access` command both controls the default source interface for some outbound traffic, as well as allowing cross-interface management to that interface; you're now able to send management traffic to that address without being on that interface. – Shane Madden Jan 03 '12 at 17:56
  • To clarify, the `management-access` setting does not in any way restrict where management traffic can come from, or what interfaces can be connected to (it's not going to shut down management access to your 10.1.25.254 address; you'd do that in the SSH/HTTPS settings). It's just allowing cross-interface management to your specified interface, so you can now source from the Inside interface and manage the firewall via an address on a different interface (`mgmt` in this case). – Shane Madden Jan 03 '12 at 17:58

2 Answers2

3

I believe "management-access" means just what it says. This interface will be dedicated for just management and data will not be allowed to flow (pass) through the interface itself and you can only have one.

Could you post everything below and scrub any of the config that you don't want the public to see?

show run icmp

show run ssh

show run http

show run int management 0/0
packetologist
  • 31
  • 1
  • You're answering a question that is over a year old, and the information that you're attempting to convey was already present within the comments of the question itself. Remember to expand them! – Andrew B Mar 16 '13 at 18:12
  • 1
    My apologies. I clicked on the Server Fault site and it showed question as active so I answered. I will keep that in mind going forward. Thanks! – packetologist Mar 17 '13 at 18:04
  • No problem. And belatedly, welcome to Serverfault. :) – Andrew B Mar 17 '13 at 19:35
2

I got it working, but not sure if it's the correct way. I connect a computer to the serial port, and ran these commands.

ASA(config)# show run management-access
management-access Inside
ASA(config)# management-access mgmt
Please remove the management access before configure a new one
ASA(config)# no management-access Inside
ASA(config)# management-access mgmt

Now I can ssh into 10.1.254.5 and ping it. I can also still use the old ip address too 10.1.25.254. Which is odd because, I was thinking 10.1.25.254 would stop working when I ran that command. So what is "management-access" command doing? should I ask a separate question for that?

Sam Sanders
  • 173
  • 4
  • 6
  • 18