Having a System IP address is a *must* for transparent FW configuration on Cisco ASA. Additionally, you *can* configure the Management interface as a dedicated management interface, but to my knowledge Cisco ASA will not use its address instead of the System IP address. The security appliance uses the System IP address as the source address for packets that originate on the security appliance, such as system messages or AAA communications. The Management interface will be a management-only interface.
Marta Sokolowska.

2012/3/26 Ben Shaw <[email protected]>

> Hi All
>
> can someone explain to me the difference between the System IP and
> Management IP address when configuring an ASA as a transparent firewall?
>
> I can't see why the firewall would need a System IP address configured
> with the global command below
>
> TRANFW(config)# ip address *global_ip_add subnet_mask*
>
> when the firewall already has a Management IP address configured with the
> command below
>
> TRANFW(config)# interface Management0/0
> TRANFW(config-if)# nameif MGMT
> TRANFW(config-if)# security-level 100
> TRANFW(config-if)# ip address *mgmt_ip_add subnet_mask*
>
> The management IP defined on Management0/0 allows me to SSH to the device
> via the management network so why is there a need for a global ip address
> which when configured is applied to both interfaces paired for transparent
> firewalling as shown below
>
> TRANFW(config)# sh int ip brief
> Interface       IP-Address        OK?  Method  Status                 Protocol
> Ethernet0/0     *global_ip_add*   YES  unset   up                     up
> Ethernet0/1     *global_ip_add*   YES  unset   up                     up
> Ethernet0/2     unassigned        YES  unset   administratively down  up
> Ethernet0/3     unassigned        YES  unset   administratively down  up
> Management0/0   *mgmt_ip_add*     YES  manual  up                     up
>
> Any information on why both these are required would be appreciated as the
> firewall will not pass traffic until it is defined with a Global IP address.
>
> Thanks
> Simon
