Management IP will be mostly OOB and is meant for management. It should not be used in the data plane. BTW, you can disable mgmt role but that is a different story.
With regards
Kings

On Wed, Mar 28, 2012 at 9:47 PM, Ben Shaw <[email protected]> wrote:
> Hi Peter
>
> Thanks for the clarification. Your message does explain three things for
> me:
>
> 1. Why the firewall will not forward packets without the global IP defined
> 2. Why often the first ping to a host for which the ASA does not have the MAC
> address times out - the ASA is itself ARPing and pinging for the host
> 3. Why the global IP needs to be configured on the same subnet as the
> bridged networks
>
> From what I have read and been told however, the global IP is also used as
> a source address for AAA, syslog etc, which didn't make much sense to me
> personally when I would have thought the IP address applied to the
> Management interface had this role. From your knowledge, is the global IP
> used for any management tasks at all?
>
> Thanks
> Simon
>
> > Date: Wed, 28 Mar 2012 16:42:26 +0200
> > Subject: ASA Transparent FW - System vs Management IP
> > From: [email protected]
> > To: [email protected]
> > CC: [email protected]
> >
> > This had been answered some time ago:
> > http://www.onlinestudylist.com/archives/ccie_security/2011-July/027319.html
> >
> > Here it goes:
> >
> > 2011/7/12 Peter Debye <pdebye at gmail.com>
> >
> > > On a classical transparent bridge neither IP address would be needed
> > > to pass traffic.
> > > But Cisco ASA uses somewhat special handling for unknown destination
> > > unicast flooding: if the destination MAC is not in the table then the ASA
> > > ARPs and pings for the destination IP to find out which interface to send
> > > the frame on. For this some IP is needed, and therefore it must be
> > > configured.
> > > Also, in multi-context mode the IP of each context is used to classify
> > > incoming frames.
> > >
> > > I can argue however that ARPing and pinging is probably not the best
> > > solution:
> > > -- what about the non-IP frames?
> > > -- since the transparent FW can only have two interfaces (ports), what
> > > could be the problem with sending the unknown-MAC frame out the other
> > > interface always, like a classical 2-port transparent bridge would do?
> > >
> > > P.
> > > ==================================
> > >
> > > On Tue, Jul 12, 2011 at 4:09 PM, Piotr Matusiak <piotr at howto.pl> wrote:
> > >
> > > >> Let me ask a tricky question then:
> > > >> What if I configure an IP address on the m0/0 interface and use it for
> > > >> management?
> > > >> Is configuring an IP address in global config mode still required?
> > > >>
> > > >> Regards,
> > > >> Piotr
> > > >>
> > >
> > =========================================================
> >
> > Date: Wed, 28 Mar 2012 13:42:24 +0000
> > From: Ben Shaw <[email protected]>
> > To: CCIE Study List <[email protected]>
> > Subject: Re: [OSL | CCIE_Security] ASA Transparent FW - System vs Management IP
> > Message-ID: <[email protected]>
> > Content-Type: text/plain; charset="iso-8859-1"
> >
> >
> > Can anyone give me more information on why an ASA in transparent mode
> > uses two IP addresses (global and management) when a layer 2 switch
> > gets by with only one for its management tasks? Is the second IP address
> > required for some additional functionality for the ASA? I mean an ASA
> > in Routed mode does not need more IP addresses than a router for its
> > management, so why does a transparent firewall need more IP addresses
> > than a switch?
> >
> > From: [email protected]
> > To: [email protected]
> > CC: [email protected]
> > Subject: RE: [OSL | CCIE_Security] ASA Transparent FW - System vs Management IP
> > Date: Mon, 26 Mar 2012 07:44:54 +0000
> >
> > Thanks Marta,
> >
> > the design just seems a bit bizarre to me. I had an understanding of
> > what the System IP was for but was wondering why it needed to be done like
> > that.
> >
> > I mean, the System IP address can effectively place an IP address on
> > the same layer 2 broadcast domain as those networks being bridged,
> > making the ASA reachable via hosts either side of the transparent
> > firewall. I don't know why one would need, let alone want, this to be the
> > case, especially considering the fact the ASA has another IP address
> > for the management interface which should be on a separate OOB
> > management network.
> >
> > Why wouldn't the firewall just use the management interface/IP address
> > that can then be connected to a dedicated management network for use
> > as the source for AAA, syslog etc.? I suppose I am comparing the
> > operation of a Layer 2 switch which bridges layer 2 networks but has
> > one Layer 3 IP address for its management interface. There is no need
> > for a second layer 3 address on a layer 2 switch for management
> > purposes; the single layer 3 address is sufficient for all management
> > requirements such as SSH, AAA, Syslog, SNMP etc.
> >
> > When compared in this way to a layer 2 switch, I just don't see why
> > the ASA needs two IP addresses for management when in transparent mode
> > when it can all be done with one from what I can see.
> >
> > Any thoughts on this?
> >
> > Thanks
> >
> > Date: Mon, 26 Mar 2012 09:22:11 +0200
> > Subject: Re: [OSL | CCIE_Security] ASA Transparent FW - System vs Management IP
> > From: [email protected]
> > To: [email protected]
> > CC: [email protected]
> >
> > Having a System IP address is a must for transparent FW configuration on
> > Cisco ASA. Additionally, you can configure the Management interface as a
> > dedicated management interface, but to my knowledge Cisco ASA will not
> > use its address instead of the System IP address. The security appliance
> > uses the System IP address as the source address for packets that
> > originate on the security appliance, such as system messages or AAA
> > communications. The Management interface will be a management-only
> > interface.
> >
> > Marta Sokolowska.
> >
> > 2012/3/26 Ben Shaw <[email protected]>
> >
> >
> > Hi All
> >
> > Can someone explain to me the difference between the System IP and
> > Management IP address when configuring an ASA as a transparent
> > firewall?
> >
> > I can't see why the firewall would need a System IP address configured
> > with the global command below
> >
> >
> > TRANFW(config)# ip address global_ip_add subnet_mask
> >
> > when the firewall already has a Management IP address configured with
> > the commands below
> >
> >
> > TRANFW(config)# interface Management0/0
> > TRANFW(config-if)# nameif MGMT
> > TRANFW(config-if)# security-level 100
> > TRANFW(config-if)# ip address mgmt_ip_add subnet_mask
> >
> > The management IP defined on Management0/0 allows me to SSH to the
> > device via the management network, so why is there a need for a global
> > IP address which, when configured, is applied to both interfaces paired
> > for transparent firewalling as shown below
> >
> >
> > TRANFW(config)# sh int ip brief
> > Interface        IP-Address      OK? Method Status                Protocol
> > Ethernet0/0      global_ip_add   YES unset  up                    up
> > Ethernet0/1      global_ip_add   YES unset  up                    up
> > Ethernet0/2      unassigned      YES unset  administratively down up
> > Ethernet0/3      unassigned      YES unset  administratively down up
> > Management0/0    mgmt_ip_add     YES manual up                    up
> >
> > Any information on why both of these are required would be appreciated, as
> > the firewall will not pass traffic until it is defined with a Global
> > IP address.
> >
> >
> > Thanks
> > Simon
> > _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com
>
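Added example (not from any message in this thread): the commands discussed above put together into one transparent-mode configuration, with the management-plane restrictions a practitioner would want alongside them. Only the global `ip address` command and the Management0/0 block come from Simon's post; `firewall transparent`, `management-only`, the `ssh`/`http` restrictions, the `logging host` and `aaa-server` bindings, and the addresses (192.0.2.0/24 for the bridged segment, 198.51.100.0/24 for the OOB management network, documentation ranges) are my assumptions. The syntax is the pre-8.4 style the thread's `sh int ip brief` output implies, where the one global address appears on both bridged interfaces; on 8.4 and later the same address goes on a BVI (`interface BVI1`) with the data interfaces placed in a `bridge-group`.

```cisco
! Assumed example, not taken from the thread (pre-8.4 transparent-mode syntax).
firewall transparent
hostname TRANFW
!
! The two bridged data-plane interfaces. They carry no address of their own;
! the global IP below is what shows up on both of them.
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Global (system) IP: required in transparent mode. It must be in the bridged
! subnet, because the ASA ARPs/pings from it to find the egress interface for a
! destination MAC it has not learned yet (Peter's explanation above).
ip address 192.0.2.10 255.255.255.0
!
! Dedicated OOB management interface on its own subnet. management-only keeps
! it out of the data plane; Kings' "disable mgmt role" is, as I read it,
! "no management-only".
interface Management0/0
 nameif MGMT
 security-level 100
 ip address 198.51.100.5 255.255.255.0
 management-only
 no shutdown
!
! The global IP sits in the bridged broadcast domain and is reachable from
! hosts on either side, so permit device management only via MGMT and never
! via inside/outside.
ssh 198.51.100.0 255.255.255.0 MGMT
http server enable
http 198.51.100.0 255.255.255.0 MGMT
!
! Bind syslog and AAA servers to MGMT so that traffic leaves through the OOB
! interface rather than the bridged segment. (Server addresses are placeholders.)
logging enable
logging host MGMT 198.51.100.20
aaa-server TACPLUS protocol tacacs+
aaa-server TACPLUS (MGMT) host 198.51.100.21
 key <shared-secret-placeholder>
```

Which address the ASA actually writes into the source field of those syslog/AAA packets (the MGMT address or the global IP) is exactly the question the thread leaves open, and the only reliable answer is to capture on the syslog/TACACS+ server and look; what the interface binding does guarantee is that the packets exit via Management0/0, and the `ssh`/`http` lines ensure the globally reachable system IP never doubles as a management entry point.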
