An IP address for the dedicated management interface is not required. The system IP address you configure is basically the equivalent of the IP address you would put on a switch. The only difference is that the ASA as a platform has a dedicated interface that can be used just for management... so you have that option.

Many people like to use the dedicated management interface if they have an isolated, secure management network for their equipment. I guess the short answer is: you don't have to configure both; the dedicated management interface is an option. Requiring the system IP address leaves it open so that people do not have to configure a dedicated management interface to manage the device, but can if they choose.

Hope that helps

On Wed, Mar 28, 2012 at 9:42 AM, Ben Shaw <[email protected]> wrote:

> Can anyone give me more information on why an ASA in transparent mode uses two IP addresses (global and management) when a layer 2 switch gets by with only one for its management tasks? Is the second IP address required for some additional functionality for the ASA? I mean, an ASA in Routed mode does not need more IP addresses than a router for its management, so why does a transparent firewall need more IP addresses than a switch?
>
> ------------------------------
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> Subject: RE: [OSL | CCIE_Security] ASA Transparent FW - System vs Management IP
> Date: Mon, 26 Mar 2012 07:44:54 +0000
>
> Thanks Marta,
>
> the design just seems a bit bizarre to me. I had an understanding of what the System IP was for but was wondering why it needed to be done like that.
>
> I mean, the System IP address can effectively place an IP address on the same layer 2 broadcast domain as those networks being bridged, making the ASA reachable via hosts on either side of the transparent firewall. I don't know why one would need, let alone want, this to be the case, especially considering the fact that the ASA has another IP address for the management interface which should be on a separate OOB management network.
>
> Why wouldn't the firewall just use the management interface/IP address that can then be connected to a dedicated management network for use as the source for AAA, syslog etc.?
>
> I suppose I am comparing the operation of a Layer 2 switch which bridges layer 2 networks but has one Layer 3 IP address for its management interface. There is no need for a second layer 3 address on a layer 2 switch for management purposes; the single layer 3 address is sufficient for all management requirements such as SSH, AAA, Syslog, SNMP etc.
>
> When compared in this way to a layer 2 switch, I just don't see why the ASA needs two IP addresses for management when in transparent mode, when it can all be done with one from what I can see.
>
> Any thoughts on this?
>
> Thanks
>
> ------------------------------
> Date: Mon, 26 Mar 2012 09:22:11 +0200
> Subject: Re: [OSL | CCIE_Security] ASA Transparent FW - System vs Management IP
> From: [email protected]
> To: [email protected]
> CC: [email protected]
>
> Having a System IP address is a *must* for transparent FW configuration on Cisco ASA. Additionally, you *can* configure the Management interface as a dedicated management interface, but to my knowledge Cisco ASA will not use its address instead of the System IP address. The security appliance uses the System IP address as the source address for packets that originate on the security appliance, such as system messages or AAA communications. The Management interface will be a management-only interface.
>
> Marta Sokolowska.
>
> 2012/3/26 Ben Shaw <[email protected]>
>
> Hi All
>
> can someone explain to me the difference between the System IP and Management IP address when configuring an ASA as a transparent firewall?
>
> I can't see why the firewall would need a System IP address configured with the global command below
>
> TRANFW(config)# ip address *global_ip_add subnet_mask*
>
> when the firewall already has a Management IP address configured with the command below
>
> TRANFW(config)# interface Management0/0
> TRANFW(config-if)# nameif MGMT
> TRANFW(config-if)# security-level 100
> TRANFW(config-if)# ip address *mgmt_ip_add subnet_mask*
>
> The management IP defined on Management0/0 allows me to SSH to the device via the management network, so why is there a need for a global IP address which, when configured, is applied to both interfaces paired for transparent firewalling as shown below
>
> TRANFW(config)# sh int ip brief
> Interface        IP-Address        OK? Method Status                 Protocol
> Ethernet0/0      *global_ip_add*   YES unset  up                     up
> Ethernet0/1      *global_ip_add*   YES unset  up                     up
> Ethernet0/2      unassigned        YES unset  administratively down  up
> Ethernet0/3      unassigned        YES unset  administratively down  up
> Management0/0    *mgmt_ip_add*     YES manual up                     up
>
> Any information on why both of these are required would be appreciated, as the firewall will not pass traffic until it is defined with a Global IP address.
>
> Thanks
> Simon
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com

--
Regards,
Joe Astorino
CCIE #24347
http://astorinonetworks.com
"He not busy being born is busy dying" - Dylan
