Question about the man0/0 interface on a Cisco ASA 5510

I have a question about the man0/0 interface on the Cisco ASA 5510.  I have a setup like this...

(Inside network, 192.168.1.0/24) --- Cisco Router --- 192.168.254.0/30 --- Cisco ASA --- Internet perimeter router --- Internet

Now, I also configured the int man0/0 to have the IP address 192.168.1.15/24, which is on the inside network.  I thought that, because the interface is configured as management-only, this would be OK.  But as it turns out, the ASA tries to use this port for routing traffic, and because my default route points to the ASA, I get a routing loop.

Also, I have OSPF configured on the ASA, and the man0/0 interface gets assigned to area 0.

I thought that management-only meant that only specific traffic (http, ssl, snmp, etc.) coming from specific management workstations was allowed.  I didn't expect the interface to try to pass traffic through.  Is this "bad" behavior on the part of my man0/0 port, or is this normal?

Is there any way I can prevent the man0/0 interface from trying to route traffic?  Or am I just stuck with having to disable man0/0 during normal operation?

Thanks
Asked: 1griffith1

1 Solution
poweruser32Commented:
How many interfaces have you configured on the ASA as it is?
 
1griffith1Author Commented:
Four: the man0/0, outside, inside and dmz.  Oh, and the interface on the IPS unit (which doesn't really enter into it, AFAIK).
 
lrmooreCommented:
The management interface assumes a dedicated management network or VLAN as is typical "best practice", so this would be expected behavior if you put two interfaces on the same IP subnet, connected to the same VLAN.

 
1griffith1Author Commented:
Well, the ports aren't on the same subnet:

e0/0 - outside interface
e0/1 - inside interface, subnet 192.168.254.0/30
e0/2 - dmz interface, subnet 172.16.0.0/30
man0/0 - subnet 192.168.1.0/24

Now, the inside interface is connected to the inside router, and that does have an interface on the 192.168.1.0/24 subnet, so maybe that's the problem?
 
lrmooreCommented:
Yes, it certainly could, if the router is exchanging routes with the ASA over OSPF and it is learning a different route to a locally connected subnet.
You should be able to use any subnet you want on man0/0 as long as there is no overlap with any other subnets in your network.
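As an added example (not code from the thread or from any of its participants), the script below models lrmoore's diagnosis: a device owns a subnet on one interface (here Management0/0 on 192.168.1.0/24) while a neighbour advertises an overlapping prefix into OSPF. The ASA addresses are taken from the posts, the assumption that the inside router advertises 192.168.1.0/24 and the "fixed" management subnet 10.10.10.0/24 are constructed, and the function names are hypothetical.

```python
"""Find connected subnets that a neighbour also advertises into OSPF."""
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Connected:
    iface: str
    cidr: str                  # address with prefix, e.g. "192.168.1.15/24"
    management_only: bool = False

    @property
    def net(self) -> ipaddress.IPv4Network:
        # ip_interface accepts a host address and derives its subnet
        return ipaddress.ip_interface(self.cidr).network

def local_overlaps(connected: list[Connected]) -> list[tuple[str, str]]:
    """Pairs of the device's own interfaces whose subnets overlap."""
    return [(a.iface, b.iface)
            for i, a in enumerate(connected)
            for b in connected[i + 1:]
            if a.net.overlaps(b.net)]

def learned_clashes(connected: list[Connected],
                    advertised: dict[str, list[str]]) -> list[tuple[str, str, str]]:
    """(interface, prefix, neighbour) for every advertised prefix that
    overlaps a subnet the device already owns on one of its interfaces."""
    return [(c.iface, p, who)
            for c in connected
            for who, prefixes in advertised.items()
            for p in prefixes
            if c.net.overlaps(ipaddress.ip_network(p))]

# Inventory constructed from the thread: ASA interfaces as posted, and the
# prefix the inside router is assumed to advertise into area 0.  The shared
# 192.168.254.0/30 transit link is left out because both ends own it.
ASA = [
    Connected("Management0/0", "192.168.1.15/24", management_only=True),
    Connected("Ethernet0/1 (inside)", "192.168.254.0/30"),
    Connected("Ethernet0/2 (dmz)", "172.16.0.0/30"),
]
ADVERTISED = {"inside-router": ["192.168.1.0/24"]}

# Same ASA after moving Management0/0 to a subnet used nowhere else
# (10.10.10.0/24 is a constructed placeholder, not from the thread).
ASA_FIXED = [Connected("Management0/0", "10.10.10.1/24", True)] + ASA[1:]

if __name__ == "__main__":
    for iface, prefix, who in learned_clashes(ASA, ADVERTISED):
        print(f"{iface}: connected subnet overlaps {prefix} advertised by {who}")
    print("clashes after fix:", learned_clashes(ASA_FIXED, ADVERTISED))
```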
 
1griffith1Author Commented:
Thanks for the help.