Firewall in a zone to manage interface in another one

Hi,
I would like to allow remote access to a zone in a system using a network interface (say hme0). On the other hand, I want to place a firewall on the same interface, so that once in, users cannot connect to other IP addresses on the private network (in the same switch).
All of this can be done with a firewall (IPFilter or other), but then local users would have access to the system where the firewall is installed, thus weakening security.
What I would like to achieve with zones is this: have the network interface accessible in one zone (so that I can put ssh on it and allow users access) but control the interface with firewall rules that cannot be changed no matter what users do in the "ssh" zone (even if they are root in that zone).
I know that usually a part of the firewall is implemented as kernel modules and realize things might not be simple. Could this be achieved? How?
Thank you,
Vlad.

Solaris Express 06/04 (a.k.a. Solaris 10 Beta 4) has just been released; it includes the above-mentioned pass/block feature. Here is the relevant excerpt from the documentation:
http://docs.sun.com/db/doc/817-1592/6mhahuopf?a=view#z.admin.ov-38
IP Traffic Between Zones on the Same Machine
Between two zones on the same machine, packet delivery is only allowed if there is a "matching route" for the destination and the zone in the forwarding table.
The matching information is implemented as follows:
o The source address for the packets is selected on the output interface specified by the matching route.
o By default, traffic is permitted between two zones that have addresses on the same subnet. The matching route in this case is the interface route for the subnet.
o If there is a default route for a given zone, where the gateway is on one of the zone's subnets, traffic from that zone to all other zones is allowed. The matching route in this case is the default route.
o If there is a matching route with the RTF_REJECT flag, packets trigger an ICMP unreachable message. If there is a matching route with the RTF_BLACKHOLE flag, packets are discarded.
The global zone administrator can use the route command options described in the following table to create routes with these flags:

    Modifier     Flag            Description
    -reject      RTF_REJECT      Emit an ICMP unreachable message when matched.
    -blackhole   RTF_BLACKHOLE   Silently discard packets during updates.

For more information, see the route(1M) man page.
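As an added illustration (not part of the original thread or of Solaris itself), here is a small Python model of the delivery rules in that excerpt: which forwarding-table entries a zone may match against, longest-prefix selection among them, and the RTF_REJECT / RTF_BLACKHOLE outcomes. The zone names, addresses, and the assumption that global-zone reject and blackhole routes apply to every zone are constructed for the example.

```python
"""Model of the Solaris inter-zone delivery rules quoted above (constructed
example, not Solaris or route(1M) code; zone names and addresses are made up)."""
import ipaddress
from dataclasses import dataclass

RTF_REJECT, RTF_BLACKHOLE = "RTF_REJECT", "RTF_BLACKHOLE"
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
net, addr, ifc = ipaddress.ip_network, ipaddress.ip_address, ipaddress.ip_interface


@dataclass(frozen=True)
class Route:
    dest: ipaddress.IPv4Network        # DEFAULT for the default route
    gateway: ipaddress.IPv4Address     # ignored by this model for reject/blackhole
    flags: frozenset = frozenset()     # subset of {RTF_REJECT, RTF_BLACKHOLE}


@dataclass(frozen=True)
class Zone:
    name: str
    addrs: tuple                       # IPv4Interface objects (address/prefix)


def usable_by(route, zone):
    """Which shared forwarding-table entries a given zone may match against."""
    if route.flags & {RTF_REJECT, RTF_BLACKHOLE}:
        return True   # assumption: global-zone reject/blackhole routes bind every zone
    if route.dest == DEFAULT:
        # the default route counts only if its gateway is on one of the zone's subnets
        return any(route.gateway in a.network for a in zone.addrs)
    # an interface route counts only for a subnet the zone has an address on
    return any(a.network == route.dest for a in zone.addrs)


def matching_route(table, zone, dst):
    """Longest-prefix match restricted to the routes this zone may use."""
    cands = [r for r in table if usable_by(r, zone) and dst in r.dest]
    return max(cands, key=lambda r: r.dest.prefixlen, default=None)


def verdict(table, src, dst):
    """Fate of a packet from zone src to address dst on the same machine."""
    r = matching_route(table, src, dst)
    if r is None:
        return "NO_ROUTE"            # not delivered: no matching route for this zone
    if RTF_REJECT in r.flags:
        return "ICMP_UNREACHABLE"    # -reject route: sender gets ICMP unreachable
    if RTF_BLACKHOLE in r.flags:
        return "DROPPED"             # -blackhole route: silently discarded
    return "DELIVERED"


# Constructed lab: "ssh" and "web" zones share hme0's subnet, "db" sits on a second
# subnet, and the only default gateway lives on the hme0 subnet.
SSH = Zone("ssh", (ifc("10.1.1.10/24"),))
WEB = Zone("web", (ifc("10.1.1.11/24"),))
DB = Zone("db", (ifc("10.2.2.20/24"),))

BASE_TABLE = [
    Route(net("10.1.1.0/24"), addr("10.1.1.10")),   # interface route, hme0 subnet
    Route(net("10.2.2.0/24"), addr("10.2.2.20")),   # interface route, db subnet
    Route(DEFAULT, addr("10.1.1.1")),               # default route via hme0 router
]

# Host routes the global zone administrator would add with the -reject and
# -blackhole modifiers from the table above to pin the ssh zone in.
LOCKDOWN = BASE_TABLE + [
    Route(net("10.2.2.20/32"), addr("127.0.0.1"), frozenset({RTF_REJECT})),
    Route(net("10.1.1.11/32"), addr("127.0.0.1"), frozenset({RTF_BLACKHOLE})),
]


def demo():
    """Verdicts for traffic out of the ssh zone before and after the lockdown."""
    web, db, ssh = WEB.addrs[0].ip, DB.addrs[0].ip, SSH.addrs[0].ip
    return {
        "ssh->web same subnet": verdict(BASE_TABLE, SSH, web),
        "ssh->db via default": verdict(BASE_TABLE, SSH, db),
        "db->ssh no usable route": verdict(BASE_TABLE, DB, ssh),
        "ssh->web blackhole": verdict(LOCKDOWN, SSH, web),
        "ssh->db reject": verdict(LOCKDOWN, SSH, db),
    }
```

Calling demo() shows that the db zone, which has no default route with a gateway on its own subnet, cannot reach the hme0 zones at all, while the ssh zone is cut off only by the two host routes the global zone adds.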

Similar Messages

  • Configuring management interface in transparent firewall

    Hi there, 
    I know I have been asking basic questions. But I have 5520 with VPN plus license. 
    This firewall is in transparent mode now. How do I configure the management IP on this (I mean, is there a dedicated management interface or what)?
    Regards, 
    Yad Singh

    Hi,
    Consider an ASA in transparent mode just like a Layer 2 switch, where you would have to define an SVI or IP address for management.
    In the case of an ASA device, on ASA 8.2 and before, you can only configure one single IP address for management.
    On ASA 8.4 and above, we have something known as bridge groups, which are configured for the management IP address.
    Refer to these documents:
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/fwmode.html#wp1201980
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/mode_fw.html#wp1367568
    http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/97853-Transparent-firewall.html
    Let me know if you have any queries.
    Thanks and Regards,
    Vibhor Amrodia

  • Need verification of management interface usage on 5510

    Hi,
    I seem to get conflicting information on using the Management port as a regular routed interface on the ASA5510
    This is the text in question:
    The management interface can be used for the traffic that passes through the firewall as well. The Security Plus License for the ASA 5510 is required in order to use the management0/0 port as a regular interface. With a base license on the 5510, the management0/0 port cannot be used as a regular interface.
    I believe that I saw another post that mentioned it was part of the standard IOS if you had a later version.
    Can anybody validate this, one way or the other?
    Thanks,
    Dave

    No, you don't need a license for it, just follow this doc; it was introduced in version 7.0.1:
    http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/m.html#wp2028112
    Thanks,
    Varun Rao
    Security Team,
    Cisco TAC

  • Cisco ASA won't send Syslog out management interface

    I have been trying to get my ASA to send syslog out of the management interface without any luck. When I do a packet tracer it says that the global implicit deny rule is blocking it, but I tried to add a permit all in front of it and it still blocks it. Everything is configured correctly from what I can tell and the static routes and routing are correct. This has me baffled. Does anyone know what might be causing this or what I should look at in the config to get this working?

    Hi Mark,
    Talking of packet tracer, it would give you the correct output for through-the-box traffic, not for to-the-box or from-the-box traffic.
    So firstly we have two questions:
    1) If this is through-the-box traffic, then you need to permit the traffic through an ACL (if from a lower security level to a higher one) and add a NAT statement (depending on the ASA IOS version you are using; anything above 8.2.5 won't require a NAT).
    2) If this is a syslog-from-the-firewall scenario, then you need to make sure you have the following logging configuration on the ASA:
    - enable logging
    - logging host management X.X.X.X (X.X.X.X is the IP of the syslog server)
    - logging trap debugging (debugging is the level; you could use any other too, but to check I would suggest this one)
    Further, if you have already sorted out everything up to here, get us the following outputs:
    - show run
    - show logging
    - show logging queue
    Hope it helps
    Cheers,
    Naveen

  • ASA 5515 management interface

    I started to configure a new ASA 5515 to replace a 5510. When I attempted to remove the "management-only" command from the Management0/0 interface I was greeted with the following error:
    "ERROR: It is not allowed to make changes to this option for management interface on this platform."
    Does this mean we can't use the management interface anymore on these newer ASAs? I was planning on using that port when we bought it. If this is the case, let this be a warning to whoever is counting the management port as a 7th interface on the 5515!

    Update: I just found out that you can't use the management interface for failover purposes either. Argggggg.
    "Management interface cannot be configured for failover on this platform."

  • Home Hub 3.0B Management interface unresponsive.

    This month (2 weeks ago) I upgraded to Infinity 2 and got a new Home Hub 3.0 Type B.
    I was able to get it all working as I wanted to: home network using 172.16.0.1/23 (because of conflicts with VPNing into work, which already routes 192.168.0.0/16 and 10.0.0.0/8).
    However, often, very often, trying to access the Hub web interface on 172.16.0.1 or via bthomehub.home simply fails to respond, regardless of the browser or me using telnet to simulate an HTTP call.
    #host bthomehub.home 172.16.0.1
    Using domain server:
    Name: 172.16.0.1
    Address: 172.16.0.1#53
    Aliases:
    bthomehub.home has address 172.16.0.1
    # telnet 172.16.0.1 80
    Trying 172.16.0.1...
    Connected to 172.16.0.1.
    Escape character is '^]'.
    GET /
    And it just hangs.
    Even though the web management interface is unresponsive, the internet seems to work ok, though wifi is sporadic.
    Rebooting the hub doesn't seem to help. I read some reports of badly fitted heatsinks on these Type B's, so could mine be overheating and causing this lock-up? If I leave it and try again in a few hours it may work again. Yesterday the internet connection dropped twice and when I was able to log in to the web interface, the Event log showed that the hub had spontaneously rebooted itself.
    Do I have a bad home hub?

    Hi pgregg,
    Have you tried a full reset of the hub yet? Not just a reboot?
    Chris
    BT Mod Team.

  • WLC Duplicate IP address detected for AP-Manager Interface

    I am getting an error log in the WLC saying its IP address is duplicated by another machine with MAC address A.B.C.D.
    But this MAC address A.B.C.D is the MAC address of the AP-Manager interface in the same controller.
    Model No.: AIR-WLC2106-K9
    Software Version: 7.0.116.0
    %LWAPP-3-DUP_IP: spam_lrad.c:27626 Adding client 58:b0:35:83:72:86 to  exclusion list due to IP Address conflict with AP 'AP_DUXO_3'
    %LWAPP-3-DUP_AP_IP: spam_lrad.c:27612 Duplicate IP address  detected for AP AP_DUXO_3, IP address of AP  10.184.1.224, this is a  duplicate of IP on another machine (MAC address 58:b0:35:83:72:86)
    Cisco AP Identifier.............................. 1
    Cisco AP Name.................................... AP_DUXO_3
    Country code..................................... US  - United States
    Regulatory Domain allowed by Country............. 802.11bg:-A     802.11a:-A
    AP Country code.................................. US  - United States
    AP Regulatory Domain............................. 802.11bg:-A    802.11a:-N
    Switch Port Number .............................. 1
    MAC Address...................................... cc:ef:48:1a:e4:af
    IP Address Configuration......................... Static IP assigned
    IP Address....................................... 10.184.1.224
    IP NetMask....................................... 255.255.0.0
    Gateway IP Addr.................................. 10.184.20.2
    Domain...........................................
    Name Server......................................
    NAT External IP Address.......................... None
    CAPWAP Path MTU.................................. 1485
    Telnet State..................................... Enabled
    Ssh State........................................ Disabled
    Cisco AP Location................................ DUXO_BOX
    Cisco AP Group Name.............................. default-group
    Does anyone have an issue like this?

    Are you sure this MAC address 58:b0:35:83:72:86 isn't some type of Apple device? Its OUI is registered to Apple. How do clients get IP addresses, DHCP? It appears that the IP 10.184.1.224 is statically assigned to your ap-manager and that this client 58:b0:35:83:72:86 is either getting that same IP from DHCP or the client is statically assigning it themselves.

  • I accidentally deleted my ap-manager interface. How can I get it back? WLC440

    I accidentally deleted my ap-manager interface. How can I get it back? WLC4400
    Thanks in advance.
    admin_users 1 301 10.147.1.8 Dynamic No
    hvac 1 268 172.19.15.8 Dynamic No
    management 1 447 10.147.8.8 Static No
    nwlan 1 862 10.147.6.8 Dynamic No
    service-port N/A N/A 192.168.168.200 Static No
    switch mgmt 1 1 192.168.15.8 Dynamic No
    virtual N/A N/A 1.1.1.1 Static No
    voice 1 860 10.147.4.8 Dynamic No

    Take a look at this documentation:
    http://www.cisco.com/en/US/docs/wireless/controller/5.2/configuration/guide/c52mint.html#wpmkr1159694
    It should help with creating ap-manager interfaces.

  • Standard Asynchronous ES for Quality Management interface

    Hi,
    Synchronous standard ES is available for Quality Management interfaces under the ES bundle.
    Could you please suggest whether there is any standard Asynchronous ES available for the above QM interfaces like Inspection Plan, Inspection Results and Usage Decision?
    Br,
    Madan

    Dear Hummel,
    This link requires an SAP ID and is useless for those who do not have S User IDs.
    Furthermore, could you please differentiate the standard SAP QM process compared to the QM process in RDS?

  • WLC to use Management Interface & Few more getting started Questions

    Hello,
    I'm yet to implement the Wireless LAN in one of our client's corporate offices. There are 40 x 1130AG LWAPP APs and a 4404 WLC with ACS 4.x for the authentication of the wireless clients who are trying to access the LAN.
    For the WLC to connect to the dual core switch, I need to use only one Management Interface with Distribution System port 1 being the primary and mapping DS port 2 as the backup port for the Management Interface. Is this right? Or do I have to configure Dynamic Interfaces as well? Is the management interface for accessing / management and configuration only? The Management Interface will communicate with ACS for AAA and with APs that would like to associate with the WLC, is this right?
    Note: WLC, APs and wireless clients are in the same IP subnet.
    A few other questions on WLANs so it helps me during implementation:
    • Can I use the 802.1x authentication application found in Windows XP for the wireless interface instead of the Cisco client application? For this, I have to configure the WLC / wireless client to use the EAP algorithm; is this right?
    • With the help of RRM, the channel interference between multiple APs (3 - 4 APs) in the same area is controlled by the WLC by changing the channels used by the APs so they are not the same on all the APs. Is this right?
    • How many client users will connect per channel? 802.11 a / g will provide 11 channels, is this right?
    • I'm trying to set the WLC to limit the client connections per AP to 25; can this be achieved?
    Please, can anyone help me in clarifying the above points?
    Regards,
    Keshava Raju

    Many Thanks Mr. Dennis for your help & Clarification.
    With reference to your reply point no. 1: I have actually planned to connect one Gig port of the controller to each of the dual Cisco core switch setup. Can I use all 4 controller interfaces configured as LAG, with Port 1 & 2 connecting to Core Switch 01 and Port 3 & 4 connecting to Core Switch 02?
    I have two more final questions; request you to help me in clarifying these:
    • I'm willing to configure multicast communication between the WLC & APs. For this configuration, is it necessary to connect the WLC in a different VLAN than the VLAN of the APs? Is it necessary that I have to set the controller to LWAPP Layer 3 mode to support the multicast communication?
    • Though I do not have implementation experience of the WLAN, my understanding of the interface settings on the WLC is that I will have to configure one Management Interface for in-band management. Do I have to configure an AP-Manager Interface (to support multicast communication) and to make the WLC communicate with ACS for client authentication? All of the wireless devices including the ACS are in one VLAN / IP subnet; is only one Management Interface enough for communicating with APs (with multicast) and communicating with ACS for forwarding the authentication messages between the ACS & wireless clients?

  • Setting management interface WLC 7.4.121.0

    Hello.
    I have a problem setting the Management interface IP in a new controller 5508. I get the error "Error in setting management interface IP". I cannot place a management controller IP.
    Starting IPv6 Services: ok
    Starting Config Sync Manager : ok
    Starting Hotspot Services: ok
    Starting PMIP Services: ok
    Starting Portal Server Services: ok
    Starting mDNS Services: ok
    Starting Management Services: 
       Web Server:    CLI: ok
       Secure Web: Web Authentication Certificate not found (error). If you cannot access management interface via HTTPS please reconfigure Virtual Interface.
       License Agent: ok
    (Cisco Controller) 
    Welcome to the Cisco Wizard Configuration Tool
    Use the '-' character to backup
    Would you like to terminate autoinstall? [yes]: -
    Invalid response
    Would you like to terminate autoinstall? [yes]: no
    System Name [Cisco_bf:dd:c4] (31 characters max): 
    AUTO-INSTALL: process terminated -- no configuration loaded
    Enter Administrative User Name (24 characters max): admin
    Enter Administrative Password (3 to 24 characters): ********
    Re-enter Administrative Password                 : ********
    Service Interface IP Address Configuration [static][DHCP]: none
    Service Interface IP Address: 1.1.1.1
    Service Interface Netmask: 255.255.255.0
    Enable Link Aggregation (LAG) [yes][NO]: no
    Management Interface IP Address: 192.168.10.1
    Management Interface Netmask: 255.255.255.0
    Management Interface Default Router: 192.168.10.10
    Error in setting management interface IP 
    Management Interface IP Address: 10.10.10.1
    Management Interface Netmask: 255.255.255.0
    Management Interface Default Router: 10.10.10.100
    Error in setting management interface IP 
    Management Interface IP Address: 
    Has anyone faced this issue?
    Thanks. 

    Hi,
    Try these:
    1. With the WLC, please set flow control (in SecureCRT or HyperTerminal) to none. Once the changes are made, the CLI will start working as usual.
    2. Another common reason can be related to the virtual interface configuration of the controller. In order to resolve this problem, remove the virtual interface and then re-generate it with this command:
    WLC>config interface address virtual 1.1.1.1
    Then, reboot the controller. After the controller is rebooted, re-generate the webauth certificate locally on the controller with this command:
    WLC>config certificate generate webauth
    In the output of this command, you should see this message: Web Authentication certificate has been generated.
    Now, you should be able to access the secure web mode of the controller upon reboot.
    3. Try to use some different IP address for the service interface; don't use 1.1.1.1.
    Regards

  • Mobility group only works using management interface?

    Hello, in order to establish the control traffic between 2 WLC-5508s, is it necessary to use the management interface?
    Is it possible using a dynamic interface or the service port?
    I think it only works with the management interface, but I don't understand the meaning of this text in the Configuration Manual:
    "Mobility control packets can use any interface address as the source, based on routing table."
    Thank you,

    No... mobility communication is done only with the management interface.
    Thanks,
    Scott

  • WLC 5508 - Ignoring Primary discovery request received on non-management interface (2) from AP

    Hello,
    I'm receiving this error on my syslog server:
    capwap_ac_sm.c:1443 Ignoring Primary discovery request received on non-management interface (2) from AP
    I already checked the configuration and everything seems OK. They are registered and with clients associated.
    What could be the cause?
    Thanks in advance,
    Chris

    Thanks Scott for your fast response.
    No, I'm not using LAG.
    What do you mean with separate AP Managers?
    I have one AP Manager on vlan 100 (10.100.0.25) and the Management interface on the same Vlan (10.100.0.26)
    And users use vlan 150 (10.150.0.x).
    The switch port where the AP is plugged is configured with:
    interface GigabitEthernet2/0/20
    switchport access vlan 100
    switchport mode access
    spanning-tree portfast
    On WLC I can also check the AP history:
    Last Error Occurred Reason: Layer 3 discovery request not received on management interface

  • WLC 5508 AP-Manager interface

    Hi, I own a WLC 5508 and I (probably) do not understand AP-Manager interfaces. I have a lab with 2x 1242AG and 1x 1252AG connected to c2960. APs are in vlan 10 (192.168.10.0/24, configured via DHCP), APs are connected to "switchport mode access" interface. c2960 is connected via a trunk to c4506, and WLC is plugged in gi1/3 and gi1/4 (both through twingig). Both ports are configured as "switchport mode trunk". Management interface on WLC is on WLC port 8 (connected to gi1/4), and AP-Manager is on WLC port 1 (connected to gi1/3). Management interface on WLC has "Dynamic AP management" set to disabled, and AP-Manager has it set to enabled. Both, Management and AP-Manager interfaces are tagged, vlan id 12 and 13 (subnets 192.168.12.0/24, 192.168.13.0/24) respectively. APs receive their IP configuration via DHCP (server located in vlan 20, 192.168.20.0, ip helper-address in use), and try to discover WLC by DNS resolution (CISCO-CAPWAP-CONTROLLER.some.domain resolves to AP-Manager IP correctly). But APs do not join to controller, WLC says "Ignoring discovery request received on non-management interface", AP has "not joined" status in Monitor/Statistics/AP Join.
    But if I set the management interface as "Dynamic AP enabled", and change DNS to resolve CISCO-CAPWAP-... to its IP, everything works fine: the AP joins at once. Please help, how do I join a LAP to an AP-Manager interface? Joining to the WLC management interface is simple, but my design requires at least 2 AP-Manager interfaces.

    Hello,
    I just wanted to mention foremost: a split LAG configuration is not supported on the WLCs. This "can" be achieved if you are splitting your LAG ports amongst a VSS configuration on your two capable devices, but it is not a recommended or supported configuration. I would highly suggest a LAG configuration over your individual ports. As far as the "ap-manager" concern you have of managing more than 48 APs, you are correct in that the AP-manager cannot handle more than 48 APs, however only when in an individual port configuration. The LAG will overcome this limitation.
    George was correct about your DNS entry; this needs to point to the WLC's management interface. This is why the AP joined when you pointed the DNS entry back to the management address, as intended.
    This link is anchored to the mgmt, ap-manager, and dynamic interface creation for the 7.0.116.0 Config Guide: http://www.cisco.com/en/US/docs/wireless/controller/7.0MR1/configuration/guide/cg_ports_interfaces.html#wp1286790
    "If" you want to keep an individual port configuration, and need more than 60 APs connected, you will need to create more than one "ap-manager" interface. You will just make a new dynamic interface and place it on the same network as the current ap manager (i.e., the management interface) and mark it for dynamic ap management. All APs will still need to only see the management interface for joining; the WLC will assign to the appropriate AP manager as needed. The WLC will fill up the first AP manager before building tunnels through the next AP-manager interface, so in your lab you will not really be able to test this behavior, assuming the 3-4 APs you were using.
    1. You can keep your management interface with "dynamic ap management" enabled so this serves as the first AP manager, if you desire.
    2. You will need to create another dynamic interface mapped to the next port. Enable "dynamic ap management" again here, and place this new "ap-manager" interface on the same vlan as the mgmt. Keep in mind creating a dynamic interface and designating it as an AP manager prevents mapping that interface to a WLAN, see note below.
    *NOTE (from config guide): When you enable this feature, this dynamic interface is configured as an AP-manager interface (only one AP-manager interface is allowed per physical port). A dynamic interface that is marked as an AP-manager interface cannot be used as a WLAN interface.
    I would highly suggest the LAG configuration so there is no need to worry about the ap manager interfaces, regardless of the number of APs communicating. This also allows for growth if WLC needs to be licensed for more and more APs.

  • Is it possible to have 2500 series management interface out of band of APs?

    I currently have 2500 series WLCs. Our wireless network is completely separate from our internal network, keeping the WLC from talking to any internal servers. The company would like to start using AD (LDAP authentication) for end users while still keeping the APs on a completely separate network. Since the 2500 series does not support a "service port", is there any way to move the management port out-of-band with no access to APs and just use the other ports for AP management?

    I haven't had my morning coffee ... But let me give this a shot..
    I am going to say no. The management interface is needed for APs to join. If you isolate this interface no APs can join. Even if AP managers are used, the AP requires to touch the management interface when booting up.
