1griffith1
asked on
Question about the man0/0 interface on a Cisco ASA 5510
I have a question about the man0/0 interface on the Cisco ASA 5510. I have a setup like this...
(Inside network, 192.168.1.0/24) --- Cisco Router --- 192.168.254.0/30 --- Cisco ASA --- Internet perimeter router --- Internet
Now, I also configured the int man0/0 to have the IP address 192.168.1.15/24, which is on the inside network. I thought that, because the interface is configured as management-only, this would be OK. But as it turns out, the ASA tries to use this port for routing traffic, and because my default route points to the ASA, I get a routing loop.
Also, I have OSPF configued on the ASA, and the man0/0 interface gets assigned to area 0.
I thought that management-only meant that only specific traffic (http, ssl. snmp, etc.) coming from specific management workstations was allowed. I didn't expect the interface to try to pass traffic through. Is this "bad" behavior on the part of my man0/0 port, or is this normal?
Is there any way I can prevent the man0/0 interface from trying to route traffic? Or am I just stuck with having to disable man0/0 during normal operation?
Thanks
(Inside network, 192.168.1.0/24) --- Cisco Router --- 192.168.254.0/30 --- Cisco ASA --- Internet perimeter router --- Internet
Now, I also configured the int man0/0 to have the IP address 192.168.1.15/24, which is on the inside network. I thought that, because the interface is configured as management-only, this would be OK. But as it turns out, the ASA tries to use this port for routing traffic, and because my default route points to the ASA, I get a routing loop.
Also, I have OSPF configued on the ASA, and the man0/0 interface gets assigned to area 0.
I thought that management-only meant that only specific traffic (http, ssl. snmp, etc.) coming from specific management workstations was allowed. I didn't expect the interface to try to pass traffic through. Is this "bad" behavior on the part of my man0/0 port, or is this normal?
Is there any way I can prevent the man0/0 interface from trying to route traffic? Or am I just stuck with having to disable man0/0 during normal operation?
Thanks
how many interfaces have you configured on the asa as it is?
ASKER
Four: the man0/0, outside, inside and dmz. Oh, and the interface on the IPS unit (which doesn't really enter in to it, AFAIK).
The management interface assumes a dedicated management network or VLAN as is typical "best practice", so this would be expected behavior if you put two interfaces on the same IP subnet, connected to the same VLAN.
ASKER
Well, the ports aren't on the same subnet:
e0/0 - outside interface
e0/1 - inside interface, subnet 192.168.254.0/30
e0/2 - dmz interface, subnet 172.16.0.0/30
man0/0 - subnet 192.168.1.0/24
Now, the inside interface is connected to the inside router, and that does have an interace on the 192.168.1.0/24 subnet, so maybe that's the problem?
e0/0 - outside interface
e0/1 - inside interface, subnet 192.168.254.0/30
e0/2 - dmz interface, subnet 172.16.0.0/30
man0/0 - subnet 192.168.1.0/24
Now, the inside interface is connected to the inside router, and that does have an interace on the 192.168.1.0/24 subnet, so maybe that's the problem?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Thanks for the help.