Question about the man0/0 interface on a Cisco ASA 5510

I have a question about the man0/0 interface on the Cisco ASA 5510.  I have a setup like this...

(Inside network, 192.168.1.0/24) --- Cisco Router --- 192.168.254.0/30 --- Cisco ASA --- Internet perimeter router --- Internet

Now, I also configured the int man0/0 to have the IP address 192.168.1.15/24, which is on the inside network.  I thought that, because the interface is configured as management-only, this would be OK.  But as it turns out, the ASA tries to use this port for routing traffic, and because my default route points to the ASA, I get a routing loop.

Also, I have OSPF configured on the ASA, and the man0/0 interface gets assigned to area 0.

I thought that management-only meant that only specific traffic (http, ssl, snmp, etc.) coming from specific management workstations was allowed.  I didn't expect the interface to try to pass traffic through.  Is this "bad" behavior on the part of my man0/0 port, or is this normal?

Is there any way I can prevent the man0/0 interface from trying to route traffic?  Or am I just stuck with having to disable man0/0 during normal operation?

Thanks
Asked: 1griffith1
poweruser32 commented:
how many interfaces have you configured on the asa as it is?
1griffith1 (Author) commented:
Four: the man0/0, outside, inside and dmz.  Oh, and the interface on the IPS unit (which doesn't really enter in to it, AFAIK).
lrmoore commented:
The management interface assumes a dedicated management network or VLAN as is typical "best practice", so this would be expected behavior if you put two interfaces on the same IP subnet, connected to the same VLAN.
1griffith1 (Author) commented:
Well, the ports aren't on the same subnet:

e0/0 - outside interface
e0/1 - inside interface, subnet 192.168.254.0/30
e0/2 - dmz interface, subnet 172.16.0.0/30
man0/0 - subnet 192.168.1.0/24

Now, the inside interface is connected to the inside router, and that does have an interface on the 192.168.1.0/24 subnet, so maybe that's the problem?
lrmoore commented:
Yes, it certainly could, if the router is exchanging routes with the ASA over OSPF and it is learning a different route to a locally connected subnet.
You should be able to use any subnet you want on man0/0 as long as there is no overlap with any other subnets in your network.
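The overlap check lrmoore describes, as an added example (not code from the thread or from Cisco): it takes the subnets listed in this thread plus the inside router's LAN, reports any pair of prefixes that overlap, and picks a dedicated management prefix from a constructed candidate list. The outside interface has no address on the page and is left out; the candidate prefixes are assumptions.

```python
import ipaddress
from itertools import combinations

# Constructed from the thread: the ASA's addressed interfaces plus the subnet
# the inside router owns behind the ASA's inside interface.
SUBNETS = {
    "asa:e0/1 (inside)": "192.168.254.0/30",
    "asa:e0/2 (dmz)": "172.16.0.0/30",
    "asa:man0/0 (management)": "192.168.1.0/24",
    "router:inside LAN": "192.168.1.0/24",
}


def find_overlaps(subnets):
    """Return sorted (name_a, name_b) pairs whose prefixes overlap.

    The ASA treats man0/0 as a routed, OSPF-participating interface, so a
    management prefix that also lives behind another interface (or a
    neighbouring router) yields two conflicting routes to one destination.
    """
    nets = {name: ipaddress.ip_network(cidr, strict=True)
            for name, cidr in subnets.items()}
    return sorted((a, b) for a, b in combinations(sorted(nets), 2)
                  if nets[a].overlaps(nets[b]))


def propose_management_subnet(subnets,
                              candidates=("10.255.255.0/24",   # assumed
                                          "192.168.250.0/24")):  # assumed
    """Return the first candidate prefix that overlaps nothing in use."""
    in_use = [ipaddress.ip_network(c, strict=True) for c in subnets.values()]
    for cand in candidates:
        net = ipaddress.ip_network(cand, strict=True)
        if not any(net.overlaps(n) for n in in_use):
            return cand
    return None


if __name__ == "__main__":
    for a, b in find_overlaps(SUBNETS):
        print(f"overlap: {a} <-> {b}")
    print("dedicated management prefix:", propose_management_subnet(SUBNETS))
```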
1griffith1 (Author) commented:
Thanks for the help.