Question about the man0/0 interface on a Cisco ASA 5510

Posted on 2007-10-01
Last Modified: 2009-05-07
I have a question about the man0/0 interface on the Cisco ASA 5510.  I have a setup like this...

(Inside network, --- Cisco Router --- --- Cisco ASA --- Internet perimeter router --- Internet

Now, I also configured the int man0/0 to have the IP address, which is on the inside network.  I thought that, because the interface is configured as management-only, this would be OK.  But as it turns out, the ASA tries to use this port for routing traffic, and because my default route points to the ASA, I get a routing loop.

Also, I have OSPF configured on the ASA, and the man0/0 interface gets assigned to area 0.

I thought that management-only meant that only specific traffic (http, ssl, snmp, etc.) coming from specific management workstations was allowed.  I didn't expect the interface to try to pass traffic through.  Is this "bad" behavior on the part of my man0/0 port, or is this normal?

Is there any way I can prevent the man0/0 interface from trying to route traffic?  Or am I just stuck with having to disable man0/0 during normal operation?

Question by:1griffith1
    LVL 16

    Expert Comment

    how many interfaces have you configured on the asa as it is?

    Author Comment

    Four: the man0/0, outside, inside and dmz.  Oh, and the interface on the IPS unit (which doesn't really enter into it, AFAIK).
    LVL 79

    Expert Comment

    The management interface assumes a dedicated management network or VLAN as is typical "best practice", so this would be expected behavior if you put two interfaces on the same IP subnet, connected to the same VLAN.


    Author Comment

    Well, the ports aren't on the same subnet:

    e0/0 - outside interface
    e0/1 - inside interface, subnet
    e0/2 - dmz interface, subnet
    man0/0 - subnet

    Now, the inside interface is connected to the inside router, and that does have an interface on the subnet, so maybe that's the problem?
    LVL 79

    Accepted Solution

    Yes, it certainly could, if the router is exchanging routes with the ASA over OSPF and it is learning a different route to a locally connected subnet.
    You should be able to use any subnet you want on man0/0 as long as there is no overlap with any other subnets in your network.
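An added check, not from this thread or from Cisco: parse an ASA-style interface configuration and flag any two interfaces whose subnets overlap, which is exactly the condition the accepted answer says must not exist for man0/0. The config excerpt is constructed (the asker's real addresses were not in the post) and deliberately puts Management0/0 on the inside subnet so the finding fires.

```python
import ipaddress
from itertools import combinations
# Constructed ASA running-config excerpt (the asker's real addresses were
# redacted from the post); Management0/0 deliberately shares inside's subnet.
SAMPLE_CONFIG = """\
interface Ethernet0/1
 nameif inside
 ip address 10.1.0.1 255.255.255.0
!
interface Ethernet0/2
 nameif dmz
 ip address 192.168.50.1 255.255.255.0
!
interface Management0/0
 nameif management
 ip address 10.1.0.2 255.255.255.0
 management-only
!
"""
def parse_interfaces(config):
    """Return {nameif: (IPv4Network, management_only)} from ASA config text."""
    result, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = {"nameif": None, "net": None, "mgmt": False}
        elif current is None:
            continue
        elif line.startswith("nameif "):
            current["nameif"] = line.split()[1]
        elif line.startswith("ip address "):
            addr, mask = line.split()[2:4]
            current["net"] = ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)
        elif line == "management-only":
            current["mgmt"] = True
        elif line == "!":  # end of an interface block
            if current["nameif"] and current["net"]:
                result[current["nameif"]] = (current["net"], current["mgmt"])
            current = None
    return result

def find_overlaps(interfaces):
    """Sorted (a, b) pairs whose subnets overlap: two ASA paths into one subnet."""
    return sorted(tuple(sorted((a, b)))
                  for (a, (na, _)), (b, (nb, _)) in combinations(interfaces.items(), 2)
                  if na.overlaps(nb))
if __name__ == "__main__":
    ifaces = parse_interfaces(SAMPLE_CONFIG)
    print(find_overlaps(ifaces))  # [('inside', 'management')]
```

Re-addressing Management0/0 to a subnet that is not routed anywhere else makes the list empty, which is the state the answer recommends.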

    Author Comment

    Thanks for the help.
