Cisco Firewall :: ASA5512-X Setup Using Management Interface
Jun 28, 2012
I have a brand new ASA5512-X running 8.6.1, and am trying to do an initial setup using the Quick Start Guide that came with it. However, the Management Interface is not working. I have a PC connected and set to use DHCP, but the port is not active. I connected a console cable and can see in the config that the interface is shutdown. So I set it to active, and the port is now active, but is not giving out a DHCP address as the guide says it should.I would like to use the ASDM Startup Wizard to configure this device, so how do I get it to work the way the instructions say it should?
I'm trying to verify some behaviors I'm seeing with my 5508 controller setup, I've zero experience with this hardware and clueless on the best practices. With that said... out of the box I ran through the AutoInstall process.
I gave my service port an IP address on my subnet, 10.10.8.0/24 vlan 100 and gave the management interface the ip address 10.10.30.5/24 vlan 130
From my host I can ping the management interace 10.10.30.5 and the interface gateway 10.10.30.1 I cannot connect to the controller via 10.10.30.5 either through the web GUI or telnet I can connect to the controller via 10.10.8.200 both through the web interface and telnet while connected to the service port, I can ping the management port IP but I cannot ping the 10.10.30.1 gateway.
We have attached two test 3502I AP's and they found the controller and pulled correct ip addresses, clients can authenticate and access network resources as well as the Internet so for the most part, things are working but it concerns me that the management interface can't ping its own gateway.
I am having issues with the ASA 5510 management interface. I can't communicate with this interface. It is showing DOWN/DWON even if I type NO SHUT several times.
My existing config is as follows our-asa-01# sh run Saved ASA Version 7.2(5) hostname our-asa-01 names dns-guard interface Ethernet0/0 [code]....
I would like to configure an ASA5512-X in firewall transparent mode, but I am having trouble getting ASDM to lauch when I do.
I have created a BVI interface with an IP address, and I hve enabled the mangement interface, but ASDM does not lauch when I enter the IP adress of the BVI I created.
Apprently you need to use the bridge-group command to assign an interfce to a bridge group. When I enter this command at the (config-if) prompt for Management 0/0, this command is not recognized.
What are the general steps for configuring the management interface to be able to launch ASDM in transparent mode?
How does one allow /31 mask for an management interface on an ASA5540 using version 8.3(1)?
I need to configure a 192.168.x.y /31 on the management 0/0 interface of a ASA5540 and it is providing me with the following error:ERROR: /31 mask is not allowed
I have a misanderstand about management interface configuration in cluster. So I have a cluster asa 5515X with management interface. i Would like to be able to connect to any of the member of my cluster on management interface, so i would like to fix a different ip on management interface on each of my node ip 92 and 91. I think it is the only way to make asa firmware update to access local flash on each node.
my config
interface GigabitEthernet0/1 channel-group 1 mode active no nameif
I seem to get conflicting information on using the Management port as a regular routed interface on the ASA5510..The management interface can be used for the traffic that passes through the firewall as well. The Security Plus License for the ASA 5510 is required in order to use the management0/0 port as a regular interface. With a base license on the 5510, the management0/0 port cannot be used as a regular interface.
I believe that I saw another post that mentioned it was part of the standard IOS if you had a later version.
I have purchased the ASA5512-K9 with the CX AVC and Web Security Essentials L-ASA5512-AW1Y as recommended by a Cisco pre-sales representative and my reseller for my environment. I had previously believed from the documentation on the Cisco site that all X generation models had the CX software included on them in the state that they are sold. Now in trying to configure the ASA5512, and with further reading of the setup documentation, I have discovered that I do not have the capability to access the CX functionality with this model 'as is', and this combination does not appear to be appropriate. It appears that the CX software module is not actually included on the ASA5512-K9 model, but rather only on the ASA5512-SSD120-K9 model.
If it is, should I exchange the ASA5512-K9 for an ASA5512-SSD120-K9 to get the combination of this subscription license and ASA model working. Am I correct in that the ASA5512-K9 model does not have a solid state drive on it already and so I can not download and install the CX software on it? As an alternative, is it possible to purchase a Cisco solid state drive seperately, plug it into the ASA5512-K9, download the CX software, and then install it on this new drive in the ASA5512-K9?
I've got an ASA 5505 running 6.3 I've connected the management interface to our management vlan (which contains switch IPs, ilo's etc)Is there a way to allow access to this vlan from another?
We have several pairs of ASA5510s in failover A/P mode, some running 8.3(2) and others running 8.4(1).
e0/0 = outside e0/1 = inside m0/0 = management
The problem we're having is we can't get anything to route out of the management interface unless we put in a static route at least to the subnet level. For example, we want syslog traffic to exit out m0/0 to our syslog server 10.71.211.79. Our 'gateway of last resort' points to the next hop out e0/0, and a second static route with a higher metric and a more distinct network space is for m0/0 as in:
This doesn't work, and ASDM loggin gives this error: ".....Routing failed to locate next hop for udp from NP Identity Ifc:10.72.232.89/514 to management:10.72.211.79/514"
If I put in a more granular subnet route, or a host route of the syslog server it works, such as:
route management 10.72.211.0 255.255.255.0 10.72.232.94 10 <------------- this works
route management 10.72.211.79 255.255.255.255 10.72.232.94 10 <------------- this works too
Why won't a static route for 10.71.0.0 255.255.0.0 work in this case?
We are going to have numerous hosts access and be sent messages though the management interface of these ASAs, and it would be very burdonsome to have to add a host, or even a subnet, route for every one. I've removed all static routes and tried to rely on EIGRP, but that doesn't work. I also had to put 'passive-interface management' under the EIGRP for this to work.
Here is the pertinant ASA config concerning syslog, routing, and interfaces:
After I have upgraded our ASA 5510 to 8.4.2 I have problem with the management interface.Our former firmware 8.2.3 had no problem using the management interface as a DMZ zone, but after we upgraded to 8.4.2 we can't make it work.The interface and the protocol is up, when I type: show interface.But when I ping the interface from a computer connectet to the interface, nothing happens. Even the logging shows nothing.
I have a little problem creating a network infrastucture with an "inside", "dmz" and an "outside" network on my ASA5512-x 8.6(1).
I have have clients and servers with the networks 10.0.1.0/24, 10.0.2.0/24 until 10.0.12.0/24 on my inside interface. Then I have two servers 10.0.254.50/24 for SMTP and 10.0.254.70/24 for HTTPS in my dmz network. The outside interface is one static IP to the Internet.
I have a new 5512-X with the built in IPS sensor. The firewall is running in transparent mode with the management interface being used for both the ASA and the IPS sensor. i.e. a single interface.
Both the IPS and the ASA are configured on the same network segment (172.29.25.252 for the firewall and 172.29.25.250 for the IPS).However the IPS module keeps going off-line whilst the firewall is fine. So CSM Health and Performance Manager keeps coming up with an error.
Now the interesting bit... If I SSH to the firewall and issue a session ips I get straight into the sensor.I can then ping something from the sensor - exit out and the sensor is visible on the network for a while.It then drops again.Is there a keep-alive that I need to configure to get this working properly?
I have a client that is running an ASA5512-X. When I initially installed it, they were having issues sending out emails. I disabled ESMTP inspection and thought it resolved the issue. Recently, they upgraded to Exchange 2010 and are still having an issue with some emails getting hung up in the queue. If I watch the ASA when they try to telnet to the external mail servers that do not work, they get a SYN timeout.
I am not sure why this would happen since ESMTP is disabled. They are running 8.6(1) on the ASA.
I have a Cisco ASA 5505 in our office. We are currently using Interface 0 for outside and 1 for inside. We only have 1 Vlan in our environment. We have two three switches behind the firewall. Today the uplink to Interface 1, to the firewall, on the switch went bad. I want to setup a second inside interface on the firewall and configure it as failover incase this happens again. I want to attach it to the other switch. Can I do this? If so, what do I need to do? would it only be a passive/standby interface?
I am normally only doing IOS config. I have little problem when trying to setup this unit.,It boots ASA software 8.0.4 fine.,When i go to enable mode and into configuration mode and try to configure ip on an interface i have a problem.,
ciscoasa(config)# intciscoasa(config)# interface manciscoasa(config)# interface management 0/0ciscoasa(config-if)# ?,Interface configuration commands: default Set a command to its defaults description Interface specific description dhcp Configure parameters for DHCP client duplex Configure duplex operation exit Exit from,interface configuration mode Interactive help for interface subcommands no Negate a command or set its defaults shutdown ,Shutdown the selected interface speed Configure speed operationciscoasa(config-if)#
I did try to upload the new software 8.4.2 from rommon using TFTP. ,It boots 8.4.2 fine, but have same problem as in 8.0.4.,I did try to create a user haveing priv 15 and logging on as that user. It gives the same.,The firewall is not in transparent mode.
getting my additional IP addresses working on my ASA 5510. I have a /29 allocation and outbound access and inbound access to my internal www server is working fine through the default outside interface. However, I now need to setup a second IP address that maps internally to a different web server. When I setup a new network object with automatic NAT translation to the new IP address, it does not work. If I setup the same scenario using the outside interface, it works fine. What is the proper way to setup additional IP address on my ASA v8.4?
I'm trying to separate my management traffic from regular traffic by splitting the management and "outside" interface to separate vlans but I'm hitting a routing issue. Say I have have a management network of 192.168.1.0 255.255.255.0 running across vlan 1 and I want to use 192.168.2.0 255.255.255.0 running across vlan 2 for the outside interface to send all the other traffic excluding the management traffic across. Tag both vlans on the external interface, say Eth0/0 Default route of route outside 0.0.0.0 0.0.0.0 192.168.2.1, With this, you can not hit the management interface because there is no route defined for the 192.168.1.0 network. However of course if you try to set one, you'll get the "connected route exists" error. How can I set the default route or gateway of the 192.168.1.0 network on the ASA. Switches just don't complain like the ASA does.
We acquired recentlty a new Cisco 6509 with Sup-2T supervisor card
My question is the following : we have a management subnet on a Copper-based switch; we manage all equipments through this network. I planned to configure the management interface on the 6509 to connect this switch & monitor the VSS through it However, since it is a CMP interface, most of the actions (SNMP, IOS upgrade.. won't be possible through this link) Moreover, I don't think LMS would be able to get the configuration through it (except by configuring a script running "attach" command & show run
Is there something I miss or must I add another interface of the Catalyst to this network (the problem being that I have no copper line card)
We have recently purchased a Cisco Small Business Pro SRP 527W router, all seems good and it is running smoothly, no disconnections or sync issues like our last router. However, after a certain amount of time the web management interface is unavailable through the browser (accessing it via 192.168.1.254 or the alternative we set-up 1.1.1.1) It is totally unavailable and timeouts in the browser yet there is still internet access and network is still alive. The web management interface was accessible before though and the only solution I have been able to do to access it again is to reboot this router.Could it be possible that because port 80 is forwarded to a different IP it interferes with the Web management interface? And how wcould the interface port access be changed?
I have running a Wireless LAN Controller Cisco 2006.Today my management IP its public with Internet access. I am thinking in use a private IP without internet access. I have certains Access-Points in other building, that connect to AP Manager interface using Internet . When i see the tcp connections, i look that the access-point not only have TCP connections to AP Manager interfaces, it have TCP connections to Management interface too!!!.If i shutdown the connection between Management interface and Access-Points (mantaining the connection between Access-Point and AP Manager interfaces)?
Am trying to replicate the managment interface functionality of a CSS on ACE 4710 but have problem with it being treated as a general routed interface.
Scenario On ACE 4710 I have a front-end interface for client facing VIPS and a back-end interface facing a server farm, taking care of load balancing flows
Non load-balance system traffic for the back-end servers also flows through these two ACE interfaces, following a default route path (the back-ends use the ACE as default gateway) i.e. dns requests from the servers flow through the ACE egressing the front-end interface to hit a firewall and route to an internal dns server.
Issue If I add a "management interface" to the ACE 4710 and give it an IP address for management access, the interface by default assumes 'routed' mode and as the ACE treats this as a general interface it will route traffic out of it. For example if the IP address of this management interface is on the same network as the internal dns server, it breaks that connectivity. This as the ACE will see the "management" interface as best route to directly connected network and send traffic to dns server over that, however dns server response traffic will follow its defult route path via firewall and ACE front-end interface to get reply to back-end server. The firewall will block this traffic as traffic is asymmetrically routed and firewall not seen the initial dns request packet.
Question Is there a way of making an ACE interface a 'non routed' management only interface for out of band management use? That is ACE will not attempt to route general traffic through the interface
I realise I could achieve this with multiple contexts but want to have a single context for various reasons - i.e. to have a kind of like for like CSS replacement using ACE 4710
I have a number of WLCs/WiSM2 running 7.0.230.0 (still using WCS for management). The management interfaces for the controllers are on a purely private subnet. While going through the intenet edge ASA logs I noticed some traffic drops for the controllers on the Inside interface. I took a packet capture from the controllers and found that they were sending TCP traffic to a number of IP addresses (Microsoft, Hotmail and Google) - always with a src port 2028 (submitserver) with the ACK/FIN flags set. Why this traffic is coming from the management interfaces? The management interface is not used by any wireless clients and is not the default interface for any of the SSIDs.
I have a number of WLCs/WiSM2 running 7.0.230.0 (still using WCS for management). The management interfaces for the controllers are on a purely private subnet. While going through the intenet edge ASA logs I noticed some traffic drops for the controllers on the Inside interface. I took a packet capture from the controllers and found that they were sending TCP traffic to a number of IP addresses (Microsoft, Hotmail and Google) - always with a src port 2028 (submitserver) with the ACK/FIN flags set.
I'm setting up a new 5508. I've used the config from a 4402, have successfully connected to the Service port to manage the device, but for some reason cannot connect to the Management interface. In this case, port 1.
The service port is connected to a Catalyst switch and grabbed an ip address (10.2.x.x subnet) no problem. I can access the 5508 via https using the SP. However, port 1 is connected to the same Catalyst switch, but on a different vlan (subnet 10.20.x.x). Both ends show that the interfaces are up, I can ping the interface from any other host on the network, but when I try to manage the device via https I cannot connect. We are using WCS and I cannot add the device from the WCS. About all I can do is ping that interface.
I'm working on creating an open wireless scheme and we are simply going to use WPA with a key. What I'm getting a little stuck on is preventing access, by the guests that will connect to the WAPs, to the gateway/management webpage. I've been looking into seperating with VLANs and trunks (internal with management access and external for guests) but having a hard time with the configuration scheme.
Not sure if there is an easy way to just block that in the config or what.
