ASA - routing through m0/0

mikearama
I've been able to avoid needing to do this on all ASA pairs until now, but it's necessary.

I removed "management-only" from all three contexts on this ASA pair (active-standby), but I'll be damned if I can get traffic through the device in either direction... Inside to Management or Management to Inside.

Here's a look at the interface configs for the User context:

User-ASA1/User# sh run int
!
interface Management0/0
nameif Manage-User
security-level 100
ip address 10.22.151.7 255.255.255.0 standby 10.22.151.8
!
interface GigabitEthernet0/0
description *** To Bell Router 40Mb ***
nameif Outside
security-level 0
ip address 207.35.210.xx 255.255.255.240 standby 207.35.210.xx
!
interface GigabitEthernet0/1
description *** To Core, int g5/18, vlan 200 ***
nameif Client
security-level 50
ip address 10.22.203.253 255.255.252.0 standby 10.22.203.254
!
interface GigabitEthernet0/2
description *** Bridge to other ASA's ***
nameif Bridgenet
security-level 80
ip address 10.22.209.254 255.255.254.0 standby 10.22.209.253
!
interface GigabitEthernet0/3
description *** Pass-thru to Ebiz sites ***
nameif EbizPass
security-level 30
ip address 207.236.211.188 255.255.255.224 standby 207.236.211.189
User-ASA1/User#


Notice the absence of "management-only" on M0/0.

Rules are in place on the Client interface to allow access to the Management subnet, and as the highest subnet, Management can get to everything... or should be able to.

Let me know if you have any ideas on what I'm missing, or need more info.

Thanks,
Mike
There are only 10 kinds of people... those who understand binary, and those that don't.

CCIE Studies: Written passed: Jan 21/12 Lab Prep: Hours reading: 385. Hours labbing: 110

Taking a time-out to add the CCVP. Capitalizing on a current IPT pilot project.

Comments

  • Ahriakin
    What model/license are you running? They don't all let you route traffic through (even though it is physically possible). Also the Mgt. interface is not very efficient: fewer blocks, slower bus, etc.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
  • mikearama
    The pair are running the VPN Premium license.

    And yeah, it might not be ideal, but it's only to a fast switch for management purposes... nothing data/application related.

    Hope that helps... and thanks for any insights,
    Mike
  • mikearama
    Ah shoot... such a simple thing.

    The management interface is the only interface that's shared between all contexts. And I forgot to enable "mac-address auto" in system, so the management interface had one mac address, but three IP's assigned to it.

    As soon as I turned on "mac-address auto", instant traffic flow.

    Another lesson learned.
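Added example, not from the thread or from anyone in it: the system-context change the last post describes, followed by the per-context check that confirms each context's copy of Management0/0 now has its own MAC. The prompts, the "User" context name and the second context name are placeholders; the ASA commands themselves (changeto, mac-address auto, show running-config, show interface) are standard multi-context ASA CLI.

```cisco
! Added example (not from the thread). Prompts and context names are
! placeholders; "User" is the context shown in the first post.
!
! 1. In the system execution space, let the ASA generate a distinct MAC
!    address per context for interfaces that are shared between contexts.
!    On an active/standby pair, enter this on the active unit; the system
!    configuration is replicated to the standby.
User-ASA1# changeto system
User-ASA1# configure terminal
User-ASA1(config)# mac-address auto
User-ASA1(config)# end
User-ASA1# write memory
!
! 2. Confirm the setting is present in the system running-config.
User-ASA1# show running-config | include mac-address
!
! 3. Check the shared Management0/0 from each context. Before the change,
!    every context reports the same burned-in MAC with a different IP on it;
!    after it, each context should report its own auto-generated MAC.
User-ASA1# changeto context User
User-ASA1/User# show interface Management0/0 | include MAC
User-ASA1/User# changeto context <second-context>
User-ASA1/<second-context># show interface Management0/0 | include MAC
```

Two practical caveats: the change alters the MAC that the management switch and the hosts on 10.22.151.0/24 see for each context's address, so their ARP entries for the old MAC are stale until they are refreshed or age out; and because the fix lives in the system execution space rather than in any single context, checking it requires `changeto system`, which is easy to overlook when all the day-to-day work happens inside the contexts.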