Cisco ASA Management network issue


5 replies to this topic

#1 +ChuckFinley

ChuckFinley


  • Joined: 14-May 03

Posted 04 October 2013 - 11:52

Hi All,

Does anyone have any experience with Cisco ASA?

Is it correct that anything from the management network is not allowed through to, say, the internet? If my PC was part of the management subnet, I would only be able to access the internet from my PC through a proxy?

To make it worse, there is only an ACL on being able to manage the devices from said subnet? ....

Thanks




#2 Walid W.

Walid W.

    I love Orcinus Orca

  • Tech Issues Solved: 3
  • Joined: 19-July 08
  • Location: Lost somewhere in Sweden
  • OS: Ubuntu, Debian, Backtrack 5r, Windows 7 & XP
  • Phone: iPhone 3GS, iPhone 4s & HTC One

Posted 04 October 2013 - 13:46

> Hi All,
>
> Does anyone have any experience with Cisco ASA?

Yes.

> Is this correct that anything from the management network is not allowed through to say the internet.

No, that is not correct.

> If my PC was part of the management sub-net I would only be able to access the internet from my PC through a proxy?

No, you can access the internet without going through a proxy.

Now tell us a little more about what you want to achieve so that we can help you more. :)



#3 OP +ChuckFinley

ChuckFinley


  • Joined: 14-May 03

Posted 06 October 2013 - 10:22

OK, so I will try to explain it.

We have a new Cisco ASA. This was what the Cisco guys told us, by the way.

So we have a management interface. On that management interface it has an ACL (I think) that only allows a certain subnet to connect to it. Fine. We tied it down to our Network Ops Center subnet so only those guys can connect to it.

They told us that anyone on this certain subnet can connect, but as it connects to the management interface, if we were doing that we would need to use a proxy on our PCs to connect to the internet, as any traffic will be seen as going via the management interface and that isn't allowed out to the internet.

I find this strange.



#4 OP +ChuckFinley

ChuckFinley


  • Joined: 14-May 03

Posted 06 October 2013 - 17:35

The way they explained it was that they see traffic from our PC coming in on the management interface, which is restricted and not allowed out, if this makes sense. I am confused by this.



#5 sc302

sc302

    Neowinian Senior

  • Tech Issues Solved: 25
  • Joined: 12-July 05
  • Location: NJ, USA

Posted 06 October 2013 - 21:37

There is an ACL or a different weight on that management network that would deny access to other networks. A lower-weighted network will not be able to access a higher-weighted network.
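
Added example, not written by any poster in this thread: an ASA configuration fragment showing the settings under discussion, namely management access limited to one subnet, the `management-only` flag that stops an interface from passing through-traffic, and the per-interface `security-level` values (what the post above calls weights). Interface names and all addresses are constructed placeholders, and whether the ASA in this thread is configured this way is an assumption.

```cisco
! Constructed example; interface names and addresses are placeholders.
!
! management-only: the interface accepts traffic addressed to the ASA
! itself (SSH, ASDM) and does not forward traffic through the firewall.
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.0.10.1 255.255.255.0
!
! Data interfaces. With no interface ACL applied, traffic from a higher
! security-level to a lower one is permitted and lower-to-higher is denied.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.20.1 255.255.255.0
!
! Only the NOC subnet (placeholder 10.0.10.0/24) may manage the device,
! and only by connecting to the management interface.
ssh 10.0.10.0 255.255.255.0 management
http server enable
http 10.0.10.0 255.255.255.0 management
```

With this fragment, a PC whose only gateway is 10.0.10.1 can manage the ASA but cannot reach the internet through it, which is consistent with what ChuckFinley reports being told; internet access for that PC would need a path via a data interface or a proxy.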

#6 Walid W.

Walid W.

    I love Orcinus Orca

  • Tech Issues Solved: 3
  • Joined: 19-July 08
  • Location: Lost somewhere in Sweden
  • OS: Ubuntu, Debian, Backtrack 5r, Windows 7 & XP
  • Phone: iPhone 3GS, iPhone 4s & HTC One

Posted 07 October 2013 - 08:50

OK, I am a little confused, honestly. If you want to connect to the management network, you can give access to any VLAN/subnet to connect to that interface. This shouldn't be any problem, as your Ops subnet is already connected to it. Now, if your management network has a route to the internet and the other network doesn't, it couldn't be a problem; you can even have another route for the other subnets, allowing them to access the internet. If I am not mistaken, you can even have your other subnets connect to the internet via the management interface, but that is not an easy task. (I haven't done that before, though, but I read in Cisco that it is possible; again, I am not 100% sure.)

You still didn't say what it is that you are trying to do. Do you want to access the internet through the management interface, or are you just trying to do some labs/tests just for fun?