Interface on ASA.
Hi ,
I have connected a firewall inside interface to l3 switch.
On the L3 switch:
int gi0/1
 no switchport
 ip address 192.168.10.1 255.255.255.0
 no shut
On the firewall:
int gi0/1
 nameif inside
 security-level 100
 ip address 192.168.10.2 255.255.255.0
If I ping 192.168.10.2 from the firewall, it pings.
As I know, an inside host can ping the inside interface, but not any opposite interface such as DMZ etc. (an access-list is needed).
Hi Prashant,
Here are two things involved.
1. Ping to the far end interface.
The ASA will not allow you to ping the far-end interface. For example, if you are a host connected on the Inside network and ping the Inside interface, the ASA will reply, but if you try to ping the DMZ interface from a host on the inside, it will not answer, and this is expected.
2. Permit traffic from lower to higher interfaces.
All the traffic from a higher security-level interface to a lower security-level interface is permitted by default, but it is denied the other way around, from lower to higher.
If you need to permit traffic from lower to higher, you need to enter an access-list on the lower-level interface to permit traffic to the higher security level (if you are on version 8.2 or earlier you might need to add a NAT rule).
For example:
Inside security level 100
Outside security level 0
Inside host 192.168.1.1
access-list outside_access_in permit ip any host 192.168.1.1
access-group outside_access_in in interface outside
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00806745b8.shtml
I hope this helps.
Regards
Godfrey
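The two rules in the answer above (the ASA only answers pings of the interface a packet arrives on, and lower-to-higher traffic needs an inbound ACL on the lower interface) can be turned into a small policy model. The following Python is an added example, not code from the thread or from Cisco; it models a routed-mode ASA with three constructed interfaces (inside 100, dmz 50, outside 0) and the `outside_access_in` entry from the answer. One detail it encodes that the answer does not spell out: once an ACL is bound inbound to an interface, that ACL, with its implicit deny at the end, decides every flow entering that interface, including flows that the security-level default would otherwise have permitted. NAT and inspection are outside the model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


def _addr_matches(spec: str, addr: str) -> bool:
    """'any', a single host address, or a network in CIDR form."""
    if spec == "any":
        return True
    return ip_address(addr) in ip_network(spec, strict=False)


@dataclass
class Ace:
    """One access-list entry, e.g. 'permit ip any host 192.168.1.1'."""
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches every protocol
    src: str                     # "any", host address, or CIDR
    dst: str
    dport: Optional[int] = None  # 'eq <port>' for tcp/udp; None = any port

    def matches(self, proto, src, dst, dport) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return _addr_matches(self.src, src) and _addr_matches(self.dst, dst)


@dataclass
class Interface:
    name: str
    security_level: int
    # ACL bound with 'access-group <acl> in interface <name>'; None = no ACL bound
    inbound_acl: Optional[list] = None


class AsaPolicy:
    """Through-the-box and to-the-box decisions for a routed-mode ASA (model)."""

    def __init__(self, interfaces, same_security_inter=False):
        self.ifaces = {i.name: i for i in interfaces}
        # 'same-security-traffic permit inter-interface'
        self.same_security_inter = same_security_inter

    def permits(self, ingress, egress, proto, src, dst, dport=None):
        """Return (allowed, reason) for a flow entering 'ingress' and leaving 'egress'."""
        i, e = self.ifaces[ingress], self.ifaces[egress]
        if i.inbound_acl is not None:
            # A bound inbound ACL replaces the security-level default for that
            # interface: first matching entry wins, implicit deny at the end.
            for ace in i.inbound_acl:
                if ace.matches(proto, src, dst, dport):
                    return ace.action == "permit", f"{ace.action} by ACL on {ingress}"
            return False, f"implicit deny at end of ACL on {ingress}"
        if i.security_level > e.security_level:
            return True, f"default: {ingress}({i.security_level}) -> {egress}({e.security_level}) higher to lower"
        if i.security_level == e.security_level:
            return self.same_security_inter, "same level: needs same-security-traffic permit inter-interface"
        return False, f"default: {ingress}({i.security_level}) -> {egress}({e.security_level}) lower to higher"

    def ping_to_interface_answers(self, ingress, target):
        """Point 1 of the answer: the ASA replies to a ping of the interface the
        packet arrived on, never to a ping of a far-end interface."""
        return ingress == target


def build_example():
    # access-list outside_access_in permit ip any host 192.168.1.1
    acl = [Ace("permit", "ip", "any", "192.168.1.1")]
    return AsaPolicy([
        Interface("inside", 100),
        Interface("dmz", 50),                       # constructed for the example
        Interface("outside", 0, inbound_acl=acl),   # access-group ... in interface outside
    ])


if __name__ == "__main__":
    asa = build_example()
    for flow in [("inside", "outside", "tcp", "192.168.1.1", "203.0.113.9", 443),
                 ("outside", "inside", "tcp", "203.0.113.9", "192.168.1.1", 80),
                 ("outside", "inside", "tcp", "203.0.113.9", "192.168.1.2", 80),
                 ("dmz", "inside", "icmp", "10.1.1.5", "192.168.1.1", None)]:
        print(flow, asa.permits(*flow))
    print("ping inside from inside:", asa.ping_to_interface_answers("inside", "inside"))
    print("ping dmz from inside:", asa.ping_to_interface_answers("inside", "dmz"))
```

Running it shows the effect of the answer's example: the outside host reaches 192.168.1.1 through the ACL, any other inside host is still dropped by the implicit deny, and inside-to-dmz works with no ACL at all while dmz-to-inside does not.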
Similar Messages
-
IPSec tunnel on sub-interface on ASA 5510
Hello All,
I am working on a security solution using an ASA firewall and need some technical advice on the ASA. Is it possible to set up an IPSec tunnel on each subinterface of a physical interface on an ASA 5510?
I would be grateful if someone could please reply to this post with some details.
Regards,
Muds
Hi Jennifer,
Thanks very much for your reply. I understand where you are coming from, but the reason for using sub-interfaces is that we have only one physical interface on the firewall connected to the MPLS cloud, and we need to set up a separate IPSec tunnel for each client for security and integrity. In the current scenario I have static peers, and we can easily set up a static route to the peer address.
Many thanks for your assistance; please feel free to advise if you have any other suggestion.
Regards,
Muds -
Impact of Deleting interface from ASA
Hi Everyone,
During our maintenance window I need to delete a few interfaces from the ASA.
In ASDM, when I filter by these interface names, I see many ACLs configured for these interfaces, but the ACLs have different names compared to the interface names.
If I delete the interface, will it also delete all those ACLs and any object groups configured under the interface subnets?
Or
What else will be deleted when i delete the interface from ASA?
Regards
Mahesh
You would have to rewrite that ACL entry, as it will either be deleted or the reference to the inside interface will be deleted and the rest of the ACL will remain. When I tested it, my ACL remained but the name of the interface was removed. As I mentioned, I am testing this on an 8.4 box, so it is possible that in newer versions this ACL will be deleted.
the access-group inside_access_in in interface inside command will be deleted once you delete the inside interface...actually you don't need to delete the inside interface for it to be deleted, you only need to remove the nameif command from the interface. once the nameif is removed from the interface, all commands that reference that name will also be deleted.
This is why I stated that you should assume that all commands that reference the name of the interface you are deleting will also be deleted. That would include, but not limited to, ACLs, NAT, Policy maps, and static routes...just to name a few.
Please remember to select a correct answer and rate helpful posts -
Do the sub-interfaces of an ASA firewall have a bandwidth limit?
Do the sub-interfaces of an ASA firewall have a bandwidth limit? Or how is the bandwidth of the physical interface divided among the sub-interfaces? Is there a Cisco documentation URL that explains this?
Nakayama-san,
The configuration recommendation to limit the traffic entering the router was intended for legacy (i.e. non-ISR routers). Since you are using a 2811, I would recommend that you test WAAS without these limitations configured.
Thanks,
Zach -
Unable to see interface on ASA 5510 Firewall
Hi All,
I am unable to see the 4th interface, i.e. fastether0/3, on my ASA 5510 firewall.
Below is the output.
ciscoasa# sh int ip br
Interface IP-Address OK? Method Status Protocol
Ethernet0/0 x.x.x.x YES CONFIG up up
Ethernet0/1 x.x.x.x YES CONFIG up up
Ethernet0/2 unassigned YES unset administratively down down
Internal-Control0/0 127.0.1.1 YES unset up up
Internal-Data0/0 unassigned YES unset up up
Management0/0 192.168.1.1 YES CONFIG up up
Please suggest what could be the reason.
Regards
Pankaj
Hi Ramraj,
I too have the base license for my ASA 5510, which is showing all 4 interfaces in sh ver. I don't think the license would be an issue. There should be some IOS code bug that needs to be upgraded; if this goes for an OS upgrade, it should get resolved.
It's not showing up in sh ver. As Karsten said, he might be running an old IOS version.
fy-a# sh ver
Cisco Adaptive Security Appliance Software Version 8.4(4)1
Device Manager Version 6.4(5)
Compiled on Thu 14-Jun-12 11:20 by builders
System image file is "disk0:/asa844-1-k8.bin"
Config file at boot was "startup-config"
fy-a up 1 day 1 hour
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1600 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Ext: Ethernet0/0 : address is 2c54.2d0c.8f1a, irq 9
1: Ext: Ethernet0/1 : address is 2c54.2d0c.8f1b, irq 9
2: Ext: Ethernet0/2 : address is 2c54.2d0c.8f1c, irq 9
3: Ext: Ethernet0/3 : address is 2c54.2d0c.8f1d, irq 9
4: Ext: Management0/0 : address is 2c54.2d0c.8f1e, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited perpetual
Maximum VLANs : 50 perpetual
Inside Hosts : Unlimited perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
Security Contexts : 0 perpetual
GTP/GPRS : Disabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 250 perpetual
Total VPN Peers : 250 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
Serial Number: JMX1AXXXXX
Running Permanent Activation Key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Configuration register is 0x1
Configuration has not been modified since last system restart.
fy-a#
Ramraj, please do correct me if I am wrong.
Please do rate if the given information helps.
By
Karthik -
Help with Slow access or NAT to Inside Interface on ASA 9.1
I am hoping someone can help me figure this out. I did this on the PIX and it worked like a charm, but I am having some difficulty translating the configuration to an ASA.
On the PIX I performed NAT on outside traffic to a specific inside host (web server) to map to the inside interface, so that return traffic would go to the same firewall the traffic came in through. The reason for this configuration was that the gateway of last resort was a different firewall, not the firewall the traffic came in through.
Now to further give you some history, the gateway of last resort is an ASA running 9.1 (Now), prior to that it was a PIX with v8.0(4), traffic to the aforementioned web server came in through the gateway of last resort), which at the time was the PIX.
However, for some reason after swapping the PIX for an ASA (same rules, updated NAT rules for 9.1) access to the same web server is slow. Not sure why, but it’s the case. To alleviate the slowness we experienced, and until I can figure out why this occurs on the ASA, I placed a PIX on the network that only listens for traffic for the web server in question. On this PIX I map to the inside interface so that traffic flow works and external clients can access the web server with no issues.
So two questions. One, I would like to use the configuration I have for the web server on the PIX on the ASA, to see if that setup works better on the ASA, but I am having difficulty translating the rules to the ASA.
Second question, has anyone experienced this type of issue (Slow access with ASA to a web server, but fast with PIX to the same web server)?
Attached is a diagram of what I am currently doing.
Any help is appreciated.
Thanks.
P.S. Addresses in the attached picture config are not real, but I know what they translate to.
Hi,
To me it would seem that you are looking for a NAT configuration something like this:
object network SERVER-PUBLIC
 host 197.162.127.6
object network SERVER-LOCAL
 host 10.0.1.25
nat (outside,inside) source dynamic any interface destination static SERVER-PUBLIC SERVER-LOCAL
It will do a NAT for both the source and destination address in a single NAT configuration. It defines that a Dynamic PAT to the "inside" interface will be done for "any" traffic entering from the "outside" WHEN the destination is the SERVER-PUBLIC IP address. Naturally the SERVER-PUBLIC will be untranslated to the SERVER-LOCAL in the process, as this configuration handles 2 translations.
I don't know if this changes the situation at all, but it should be the configuration format to handle the translation of the external host to the internal interface IP address, and only apply when this single public IP address is concerned.
Hope this helps
Remember to mark the reply as the correct answer if it answered your question, and/or rate helpful answers.
Ask more if needed
- Jouni -
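To see exactly what the twice-NAT line in the reply above does to a packet in each direction, here is a Python model of it. This is an added example, not code from the thread or from Cisco: the rule, SERVER-PUBLIC (197.162.127.6) and SERVER-LOCAL (10.0.1.25) come from the reply, while the interface addresses (inside 10.0.1.1, outside 203.0.113.1), the external client 203.0.113.50 and the PAT port allocator are constructed assumptions. The model shows why the return path is forced back through this ASA: the server only ever sees the inside interface address as the client, so its reply must land on the firewall that holds the xlate.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import itertools


@dataclass(frozen=True)
class Flow:
    """Addresses and ports of one TCP/UDP packet."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class TwiceNatRule:
    """nat (real_ifc,mapped_ifc) source dynamic <real_src> interface
                                 destination static <mapped_dst> <real_dst>"""
    real_ifc: str      # interface the original packet arrives on ("outside")
    mapped_ifc: str    # interface it leaves on; its own address is the PAT address
    real_src: str      # "any" or a network in CIDR form
    mapped_dst: str    # address the client sends to (object SERVER-PUBLIC)
    real_dst: str      # address the server really has (object SERVER-LOCAL)


class TwiceNat:
    def __init__(self, interface_ips: dict, rules: list):
        self.interface_ips = interface_ips
        self.rules = rules
        self._pat_ports = itertools.count(1024)   # simplified PAT port allocator
        # xlate table: (PAT address, PAT port) -> (client address, client port, rule)
        self.xlate = {}

    @staticmethod
    def _src_matches(rule, ip):
        return rule.real_src == "any" or ip_address(ip) in ip_network(rule.real_src, strict=False)

    def forward(self, ingress: str, pkt: Flow):
        """Apply the first matching rule to a packet entering 'ingress'.
        Returns (translated packet, egress interface), or (pkt, None) if no rule matched."""
        for r in self.rules:
            if ingress == r.real_ifc and self._src_matches(r, pkt.src_ip) and pkt.dst_ip == r.mapped_dst:
                pat_ip = self.interface_ips[r.mapped_ifc]
                pat_port = next(self._pat_ports)
                self.xlate[(pat_ip, pat_port)] = (pkt.src_ip, pkt.src_port, r)
                # source -> interface address (dynamic PAT), destination -> real server
                return Flow(pat_ip, pat_port, r.real_dst, pkt.dst_port), r.mapped_ifc
        return pkt, None

    def reverse(self, pkt: Flow):
        """Undo the translation for the server's reply, which is addressed to the
        PAT address and therefore arrives at this same ASA. None = no xlate."""
        entry = self.xlate.get((pkt.dst_ip, pkt.dst_port))
        if entry is None or pkt.src_ip != entry[2].real_dst:
            return None
        client_ip, client_port, r = entry
        return Flow(r.mapped_dst, pkt.src_port, client_ip, client_port)


def build_example():
    rule = TwiceNatRule("outside", "inside", "any", "197.162.127.6", "10.0.1.25")
    # interface addresses are assumptions for this example
    return TwiceNat({"outside": "203.0.113.1", "inside": "10.0.1.1"}, [rule])


if __name__ == "__main__":
    asa = build_example()
    client = Flow("203.0.113.50", 40000, "197.162.127.6", 80)   # constructed client
    inbound, egress = asa.forward("outside", client)
    print("server sees:", inbound, "via", egress)
    reply = Flow(inbound.dst_ip, 80, inbound.src_ip, inbound.src_port)
    print("client sees:", asa.reverse(reply))
```

A packet to any other destination falls through `forward` untouched, which matches the reply's point that the rule only applies when this single public address is involved.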
Can't SSH to inside interface on ASA
Hi there
I have generated the key and can ssh to outside interface. I have allowed access on inside interface. I can telnet but not ssh. I captured packets and can see incoming only. Any ideas?
TIA
Sent from Cisco Technical Support iPhone App
Hi there,
Here it is -
asa01(config)# sh cap capin
4 packets captured
1: 21:59:03.583343 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
2: 21:59:05.586990 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
3: 21:59:09.588577 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
4: 21:59:17.591659 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
4 packets shown
asa01(config)#
asa01(config)# sh cap asp
0 packet captured
0 packet shown
asa01(config)#
Can you ping the Switch interface from the ASA? - Yes
Can you ping the ASA from the switch? - Yes -
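The capture above is the textbook "incoming only" pattern: four SYNs from the same client port to 192.168.1.1:22 over roughly fifteen seconds (the client's retransmission back-off) and not one packet back, while the `asp` drop capture is empty, so the box is receiving the SYNs and not dropping them. The following Python parser is an added example, not from the thread or from Cisco: it reads `show capture` output in the format shown, groups packets into flows, and reports flows that retransmit SYNs without ever seeing a reply. The sample embedded in it is the four lines from the capture plus a constructed two-way telnet flow for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the four SSH lines from the capture above, plus a
# constructed telnet flow (lines 5-7) that does complete its handshake.
SAMPLE = """\
4 packets captured
1: 21:59:03.583343 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
2: 21:59:05.586990 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
3: 21:59:09.588577 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
4: 21:59:17.591659 802.1Q vlan#240 P0 192.168.1.2.56686 > 192.168.1.1.22: S 2251599477:2251599477(0) win 4128
5: 21:59:20.100000 802.1Q vlan#240 P0 192.168.1.2.56700 > 192.168.1.1.23: S 1000:1000(0) win 4128
6: 21:59:20.100500 802.1Q vlan#240 P0 192.168.1.1.23 > 192.168.1.2.56700: S 2000:2000(0) ack 1001 win 8192
7: 21:59:20.101000 802.1Q vlan#240 P0 192.168.1.2.56700 > 192.168.1.1.23: . ack 2001 win 4128
"""

# One packet line of 'show capture <name>'; the 802.1Q part is optional.
LINE = re.compile(
    r"^\s*(?P<n>\d+):\s+(?P<ts>\d{2}:\d{2}:\d{2}\.\d+)\s+"
    r"(?:802\.1Q vlan#(?P<vlan>\d+) P\d+\s+)?"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+(?P<flags>\S+)(?P<rest>.*)$"
)


def analyze(capture_text):
    """Group packets by client->server flow (keyed by the first bare SYN) and
    count SYNs in the forward direction and packets in the reverse direction."""
    flows = defaultdict(lambda: {"syn": 0, "replies": 0, "vlan": None, "first": None, "last": None})
    for line in capture_text.splitlines():
        m = LINE.match(line)
        if not m:                      # header/footer lines such as '4 packets captured'
            continue
        src, sport = m["src"], int(m["sport"])
        dst, dport = m["dst"], int(m["dport"])
        is_syn = "S" in m["flags"]
        is_ack = " ack " in m["rest"]  # SYN-ACK and ACK lines carry 'ack <num>'
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if is_syn and not is_ack:      # bare SYN: client opening (or retrying) a flow
            f = flows[fwd]
            f["syn"] += 1
            f["vlan"] = m["vlan"]
            f["first"] = f["first"] or m["ts"]
            f["last"] = m["ts"]
        elif rev in flows:             # anything travelling server -> client
            flows[rev]["replies"] += 1
    return dict(flows)


def one_way_flows(capture_text, min_syns=2):
    """Flows with repeated SYNs and nothing coming back: the 'incoming only' case."""
    return [(key, f["syn"]) for key, f in analyze(capture_text).items()
            if f["syn"] >= min_syns and f["replies"] == 0]


if __name__ == "__main__":
    for (src, sport, dst, dport), syns in one_way_flows(SAMPLE):
        print(f"{src}:{sport} -> {dst}:{dport}: {syns} SYNs, no reply seen")
```

Run against real `show capture` output the same way; a flow listed by `one_way_flows` whose reverse direction also never appears in the `asp-drop` capture tells you the box accepted the SYN and simply did not answer, which separates a listener problem from an ACL or ASP drop before you go looking at the server side.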
SSH on Outside interface on ASA 5510
Hi All,
I need the ssh access on my ASA outside interface and have added
ssh ipremoved 255.255.255.255 outside
access-list acl_outside extended permit tcp host ipremoved any eq 22
but this is the log i get from ASA
Oct 06 2012 16:10:04: %ASA-3-710003: TCP access denied by ACL from ipremoved/39884 to outside:ipremoved/22
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
can someone please help me
many thanks
cheers
Many thanks for the quick reply.
My connection is something like below:
Site A                                                      Site B
PC--10.6.40.148 ---- ASA public IP ------------- cloud -------------- public IP ASA
                         Site to Site IPsec VPN
I am able to SSH to the ASA on the private IP management interface; now I need to SSH to the Site B public IP to manage it.
I have allowed the ACL on the Site A ASA for the PC to go through, and I can see the hit count on it.
The reason is that I need to manage the Site B ASA on its public IP, because on Site A I am changing the internet provider, and if I have access to the Site B ASA I can change the peer IP to the new IP and re-establish the VPN.
many thanks for the help
cheers -
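The log line quoted in this thread, `%ASA-3-710003: TCP access denied by ACL from ... to outside:.../22`, is the ASA refusing a connection to one of its own services; Cisco's message description points at the `ssh`/`telnet`/`http` statements for that interface rather than at the interface access-list. When you are troubleshooting it, the useful first check is who is actually hitting the box and on which interface, since a few denies from your own admin host look very different from a steady stream from addresses you do not recognise. The following Python is an added example, not from the thread or from Cisco, that parses such messages and summarises them per source; the addresses in the embedded sample are constructed (documentation ranges), and the unrelated 302013 line is there to show that other messages are ignored.

```python
import re
from collections import Counter

# Constructed sample in the format of the message quoted in the thread.
SAMPLE_LOG = """\
Oct 06 2012 16:10:04: %ASA-3-710003: TCP access denied by ACL from 198.51.100.7/39884 to outside:203.0.113.2/22
Oct 06 2012 16:10:09: %ASA-3-710003: TCP access denied by ACL from 198.51.100.7/39885 to outside:203.0.113.2/22
Oct 06 2012 16:11:30: %ASA-3-710003: TCP access denied by ACL from 192.0.2.44/51002 to outside:203.0.113.2/22
Oct 06 2012 16:11:45: %ASA-3-710003: TCP access denied by ACL from 10.6.40.148/40210 to inside:10.6.40.1/443
Oct 06 2012 16:12:01: %ASA-6-302013: Built inbound TCP connection 1234 for outside:192.0.2.9/4433 (192.0.2.9/4433) to inside:10.0.0.5/443 (203.0.113.2/443)
"""

DENY = re.compile(
    r"%ASA-\d-710003: (?P<proto>\S+) access denied by ACL from "
    r"(?P<src>[\d.]+)/(?P<sport>\d+) to (?P<ifc>[\w-]+):(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


def parse_710003(log_text):
    """Return one dict per 710003 message; every other message is skipped."""
    events = []
    for line in log_text.splitlines():
        m = DENY.search(line)
        if m:
            events.append({
                "timestamp": line.split(": %ASA")[0],
                "proto": m["proto"],
                "src": m["src"], "sport": int(m["sport"]),
                "ifc": m["ifc"], "dst": m["dst"], "dport": int(m["dport"]),
            })
    return events


def denied_by_source(log_text):
    """Count denied to-the-box connections per (source, interface, service port)."""
    counts = Counter()
    for ev in parse_710003(log_text):
        counts[(ev["src"], ev["ifc"], ev["dport"])] += 1
    return counts


def unexpected_sources(log_text, allowed_admin_hosts):
    """Sources in the deny log that are not on your list of admin hosts."""
    return sorted({ev["src"] for ev in parse_710003(log_text)} - set(allowed_admin_hosts))


if __name__ == "__main__":
    for (src, ifc, port), n in denied_by_source(SAMPLE_LOG).most_common():
        print(f"{src:>15} -> {ifc}:{port}  denied {n}x")
    # 10.6.40.148 is the admin PC from the thread; the others are constructed
    print("not on the admin list:", unexpected_sources(SAMPLE_LOG, ["10.6.40.148"]))
```

If your own admin host shows up here for the interface and port you just opened, the `ssh` statement for that interface is the thing to re-check; sources you do not recognise are a reason to keep the permitted host list as narrow as the poster's `/32` entry.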
Unable to ping from MZ to virtual interface of ASA
Dear All,
One of my SNMP servers, 10.242.103.42, sits in the MZ zone, and an ACE 4710 is connected to the core switch; the core switch is connected to the ASA firewall.
Now I am trying to ping from the MZ zone SNMP server to the load balancer IP 10.242.105.1, and I am unable to ping my LB interface to discover the SLB on my SNMP server.
Please help me.
srinivas
Is your device seeing the MAC address of the ASA in order to send the packets? What do the logs show on the firewall itself? Can you see the ARP entry on the ASA firewall for that host?
Mike -
Routing Issue Accessing Inside Interface of ASA
Ok so I'm making this more complex than it needs to be and can't see the forest for the trees. I'm setting up an ASA 5510 with multiple contexts. I'm working with my main internal context for my internal traffic. I have created interfaces on this context as follows:
interface Ethernet0/0.1
 description outside interface
 nameif outside
 security-level 0
 ip address 1.1.1.2 255.255.255.252
interface Ethernet0/1.1
 description inside interface for internal context
 nameif inside
 security-level 100
 ip address 10.10.50.150 255.255.0.0
same-security-traffic permit intra-interface
route outside 0.0.0.0 0.0.0.0 1.1.1.1
NOTE: Also has ssh configuration but can't document that here.
My workstation has an IP 10.10.30.20 255.255.0.0 with a default gateway that points to my core switch (10.10.50.151).
When I try to access the inside interface of the ASA via ssh from my workstation I can't connect. I tried to ping the inside interface IP address of the ASA from my workstation and it doesn't reply. I can however ping anything on my internal network from the ASA through the inside interface. What am I missing on this?
Thanks.
I figured out this issue but now have a new issue. The problem I had accessing the internal network from the ASA was due to the core switch I was being routed through. After looking at the core I saw that the default route was redirecting all traffic to the IP address of the inside interface on the production ASA. I have since pulled a spare switch and created an isolated network with a laptop and the inside interface on the new ASA. This worked great.
Now to my new problem. I am trying to access our ISPs external address from the ASA. The ISP has provided us with two vlans (100 and 101) on one connection and has given us two public IPs (one is the IP for the router on their end and the second is the IP I am supposed to use on my outside interface for vlan 100). I have created sub-interfaces on my outside interface and defined 0/0.1 as vlan 100 and 0/0.2 as vlan 101. VLAN 101 will go to our rack at our disaster recovery site so it will just be an extension of our existing network.
My network is as follows:
ISP (IP 2.2.2.1)
|
|
3560-CG switch (both ports -- to ISP and ASA outside interface are configured as trunk ports)
|
|
ASA (outside 2.2.2.2 vlan 100)
When I try to ping the 2.2.2.1 address from the ASA it doesn't work. If both my ASA outside port and the port to the ISP are both trunk ports shouldn't it route both VLANs (100 and 101) without any issue or am I missing something in my thinking?
Thanks. -
Not able to telnet or ssh to outside interface of ASA and Cisco Router
Dear All
Please help me with the following question. I have set up a testing lab, but it still does not work.
It is a hub-and-spoke site-to-site VPN case; the connection between hub and spoke is Metro-E, so we are using private IPs for the outside interface at each site.
Hub -- Juniper SRX
Spoke one - Cisco ASA with version 9.1(5)
Spoke two - Cisco router with version 12.3
The site-to-site VPN has been successfully established. The customer would like to telnet/SSH to the spoke's outside IP from the Hub (using the Hub's outside interface as the source for telnet/SSH), or vice versa. The reason for setting it up like this is that they want to be able to make configuration changes even when the site-to-site VPN is down. It sounds like an easy job to do; I tried for a long time, searched this forum and Google too, but it still does not work.
Now I can successfully telnet/SSH to the Hub SRX's outside interface from the spoke (the ASA has no telnet/SSH client; tested using the Cisco router).
Has anyone ever done this before? Please help by sharing your experience. Does the Cisco ASA or router even support it?
When I tested it, of course the site-to-site VPN was still up and running.
Thanks
YK
Hello YK,
On this case on the ASA, you should have the following:
Configuring Management Access Over a VPN Tunnel
If your VPN tunnel terminates on one interface, but you want to manage the ASA by accessing a different interface, you can identify that interface as a management-access interface. For example, if you enter the ASA from the outside interface, this feature lets you connect to the inside interface using ASDM, SSH, Telnet, or SNMP; or you can ping the inside interface when entering from the outside interface. Management access is available via the following VPN tunnel types: IPsec clients, IPsec LAN-to-LAN, and the AnyConnect SSL VPN client.
To specify an interface as a management-only interface, enter the following command:
hostname(config)# management-access management_interface
where management_interface specifies the name of the management interface you want to access when entering the security appliance from another interface.
You can define only one management-access interface.
Also make sure you have the pertinent configuration for SSH, Telnet, ASDM and SNMP (if required). For a quick test you can enable the following in your lab:
SSH
- ssh 0 0 outside
- aaa authentication ssh console LOCAL
- Make sure you have a default RSA key, or create a new one either ways, with this command:
crypto key generate rsa modulus 2048
Telnet
- telnet 0 0 outside
- aaa authentication telnet console LOCAL
Afterwards, if this works you can define the subnets that should be permitted.
On the router:
!--- Step 1: Configure the hostname if you have not previously done so.
hostname Router
!--- aaa new-model causes the local username and password on the router
!--- to be used in the absence of other AAA statements.
aaa new-model
username cisco password 0 cisco
!--- Step 2: Configure the router's DNS domain.
ip domain-name yourdomain.com
!--- Step 3: Generate an SSH key to be used with SSH.
crypto key generate rsa
ip ssh time-out 60
ip ssh authentication-retries 3
!--- Step 4: By default the vtys' transport is Telnet. In this case,
!--- Telnet and SSH is supported with transport input all
line vty 0 4
transport input all
!--- Instead of aaa new-model, the login local command may be used.
no aaa new-model
line vty 0 4
login local
Let me know how it works out!
Please don't forget to Rate and mark as correct the helpful Post!
David Castro,
Regards, -
WCCP on ASA & traffic between physical interfaces on ASA
Hello,
I am trying to get WCCP working on the ASA for WAAS implementation. Here is a simple snapshot of my config:
Eth 0/0 : Outside (to internet)
Eth 0/1 : Vlan1 (20.20.0.0/16) (trunk port to remote office LAN)
Eth 0/1.211 : Vlan211 (20.21.10.0/24)
Eth 0/1.212 : Vlan212 (20.21.20.0/24)
Eth 0/1.220 : Vlan220 (20.22.0.0/16)
Eth 0/2 : WAAS (20.21.30.0/24)
I have the site to site tunnel working. I can ping the WAAS device from the other end of the tunnel but I cannot ping it from the 20.20.0.0/16 network. I have enabled traffic between interfaces on same security level as WAAS and LAN have same security.
I get this error message:
3 Feb 12 2007 17:54:05 305006 20.20.10.101 portmap translation creation failed for icmp src WAAS:20.21.30.230 dst LAN:20.20.10.101 (type 8, code 0)
How can I fix this?
My second question is regarding WCCP on ASA. Here is the WCCP part of the config I have:
wccp 61 redirect-list WCCP_To_LAN
wccp 62 redirect-list WCCP_To_WAN
wccp interface outside 62 redirect in
wccp interface LAN 61 redirect in
access-list WCCP_To_LAN extended permit ip any 20.20.0.0 255.252.0.0
access-list WCCP_To_WAN extended permit ip 20.20.0.0 255.252.0.0 any
I am not seeing any packets being redirected to the WAE. I once changed the access lists to 'any any' and I saw some packets but I couldn't ping or telnet to the remote site. Could it be a loop? Is there any way to exclude traffic to avoid loop?
Thanks
Ankit
Come on guys,
Am I doing something wrong here?
No one replies to my posts. I had the same experience with the previous one.
Is this not the right forum for this query?
Ankit -
SSH does not work in inside interface in ASA
I am able to run ASDM but I can't run SSH from the inside interface. Does anyone know how I can start debugging the problem? I checked all the settings for enabling SSH; I set it up the same way as the instructions.
aaa authentication ssh console LOCAL
ssh 192.168.0.0 255.255.255.0 inside
crypto key generate rsa modulus 1024
What am I missing here? I also have a username and password for admin.
Thanks
Here is the show ver:
Result of the command: "show ver"
Cisco Adaptive Security Appliance Software Version 8.2(3)3
Device Manager Version 6.2(5)53
Compiled on Wed 25-Aug-10 21:43 by builders
System image file is "disk0:/asa823-3-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 207 days 6 hours
Hardware: ASA5510, 1024 MB RAM, CPU Pentium 4 Celeron 1599 MHz
Internal ATA Compact Flash, 256MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-55x0 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.04
0: Ext: Ethernet0/0 : address is 5475.d050.7f46, irq 9
1: Ext: Ethernet0/1 : address is 5475.d050.7f47, irq 9
2: Ext: Ethernet0/2 : address is 5475.d050.7f48, irq 9
3: Ext: Ethernet0/3 : address is 5475.d050.7f49, irq 9
4: Ext: Management0/0 : address is 5475.d050.7f45, irq 11
5: Int: Not used : irq 11
6: Int: Not used : irq 5
Licensed features for this platform:
Maximum Physical Interfaces : Unlimited
Maximum VLANs : 50
Inside Hosts : Unlimited
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
Security Contexts : 0
GTP/GPRS : Disabled
SSL VPN Peers : 2
Total VPN Peers : 250
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
Serial Number: JMX1420L3JW
Running Activation Key: 0x8b0edb7c 0x4cee2474 0x34813190 0x90e01484 0x0d2211b2
Configuration register is 0x1
Configuration last modified by cdinh at 15:36:53.519 PDT Mon Jul 29 2013 -
Reg. Redundant interfaces in ASA 8.0
Hi
In ASA 8.0, I have the following queries related to redundant interfaces:
a) While configuring a redundant interface, can the redundant interface again be divided into logical interfaces like red1.1, red1.2?
b) Is a redundant interface supported in multiple context mode?
Regards
Ankur
Yes Ankur, it is possible.
##snippet##
interface Ethernet0/0
 shutdown
 no nameif
 no security-level
 no ip address
interface Ethernet0/1
 speed 100
 nameif inside
 security-level 100
 ip address 192.168.16.19 255.255.255.128
 ospf network point-to-point non-broadcast
 ospf message-digest-key 123 md5
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
interface Ethernet0/3
 nameif null0
 security-level 50
 ip address 10.2.1.1 255.255.255.0
interface Management0/0
 no nameif
 security-level 0
 no ip address
interface Redundant1
 member-interface Ethernet0/0
 member-interface Ethernet0/2
 no nameif
 no security-level
 no ip address
interface Redundant1.1
 vlan 32
 no nameif
 no security-level
 ip address 1.1.1.8 255.0.0.0
Regards,
Sushil -
AIM-SSM interfaces and ASA 5510
All, can anyone explain if and how routing works between the ASA and the IPS card?
1)Is the single NIC in the IPS card for management purposes only?
2)Is the IP address configured in the card's setup process for this one NIC?
3) need there be any routing between e.g. the ASA management or any other interface and the card management interface or can they reside on completely separated networks?
Thanks
Jonathan
The IPS card has 3 interfaces.
The management interface is external interface that you plug a network cable in to. The IP address is configured by the user during setup.
The sniffing interface is the internal interface on the ASA data backplane. No IP address is ever assigned to this interface.
The control plane interface is an internal interface on the ASA control plane so that the ASA can communicate internally with the SSM (the session command runs through this interface). The control plane IP address is controlled by the ASA and is not user configurable.
The management interface is for management only.
The IP Address configured during setup is only for this management interface.
As for routing between the ASA and the SSM, this is completely up to the user.
All communication from the ASA to the SSM is done internally through the control plane interface and so the ASA itself does not need to know how to communicate to the SSM management IP.
The SSM, however, does need to communicate from its management IP to one of the ASA interfaces in order to do Blocking/Shunning on the ASA. Blocking/Shunning is not done through the control plane.
When using IDM or ASDM for configuration the java applet web browses to the SSM management IP so the machine running IDM or ASDM must either be on the local network of the management port of the SSM, or be routable to the network.
Some scenarios:
1) Only one machine (IDS MC/Sec Mon) communicating with the SSM. In this scenario you could take a crossover cable and directly connect the one machine to the SSM.
The SSM can then communicate only to that one machine.
2) A secure network for managing the security devices that is NOT routable to/from other networks.
In this scenario the management box, the management port of the SSM, and the management port of the ASA would all be placed on this one network.
The SSM would only be able to communicate with the management box and the ASA management port.
The ASA management port is configured as a management-only port so the ASA will not route in/out of the management network.
So only the management box on that local network can communicate with the SSM, and no remote boxes can connect directly to the SSM.
(NOTE: Blocking/Shunning will work here because the SSM can talk to the ASA)
3) A secure network that IS routable to/from other networks.
Similar to option 2 above, but in this scenario the management port of the ASA is configured to NOT be a "management-only" port, and is instead treated like any other port on the firewall. In this setup the management port of the ASA CAN route in/out of the management network.
NOTE: In most cases the ASA will need to configure a NAT address for the SSM management IP if users intend to connect to the SSM management IP remotely from the Internet (like running ASDM from the company main network over the internet to configure the ASA and the SSM at a remote site)
4) SSM management IP on one of the normal networks behind the ASA. In this scenario the management port of the SSM would be plugged into a switch or hub where other internal machines are plugged in (like plugging into the DMZ switch/vlan). From the ASA standpoint the SSM management port would be treated just like any other web and ssh server behind the firewall.