ASA Management VLAN

I have ASA 5506x (not running firepower) and have everything configured properly, wanted to get familiar with the management VLAN.

My topology is below:

LAN ---> L2 Switch ---> ASA ---> ISP

I have a few VLANs and there is inter-VLAN routing happening, and all VLANs can access the internet. All VLANs can also ping each other. I would like to set up a management VLAN to access the switch and the ASA. I've set up the VLAN on the switch and also as a sub-interface VLAN on the ASA.

I'm able to ping all VLANs on the SVI, but I can't SSH into anything other than the VLAN port that my PC is assigned to, and I also can't ping any sub-interfaces on the ASA other than the one I'm assigned to.

I would like to have one VLAN for management purposes only. Any help would be appreciated.

thanks…

Hello Irfan

Creating a management VLAN simply means that you are creating one more VLAN on your topology. There’s nothing special about a management VLAN, so you simply configure it the same way as the rest of the VLANs. You simply designate the particular interfaces (SVI on the switch and subinterface on the ASA) through which you will access their CLIs. You can also block any SSH or Telnet access on other SVIs and subinterfaces for security.

Now in order to actually use it as a management VLAN, you must create an interface on each device through which you will access the CLI. For the L2 switch, that would be an SVI on the management VLAN itself. For the ASA, that would be the subinterface that corresponds to the management VLAN. Additionally, you will also have to place the PC from which you want to access the management VLAN on that same VLAN, so you would create an access port on the switch assigned to the management VLAN to which that PC can be connected.

Now by the sound of it, it seems that you’ve done this already. However, I’m not clear as to where your problem is. You say:

Make sure the PC you are connecting from is on the management VLAN. If you can't reach other subinterfaces, then there may be some problem with routing or access lists or security levels on the ASA. In any case, if your PC is on the management VLAN you don't need to have access to the other subinterfaces.

Although I’m not completely clear as to what you want to achieve in the end, I hope this has been helpful…

Laz
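As an added illustration of the design Laz describes (not configuration taken from this thread or from either poster), here is one way to lay out a dedicated management VLAN across the switch and the ASA. VLAN numbers, interface names and addresses are assumed: VLAN 99 is the management VLAN, the switch is purely Layer 2 apart from its management SVI, the ASA holds the VLAN subinterfaces on GigabitEthernet1/2, and the admin PC sits on access port Gi1/0/10. The security-relevant point is the last part of each section: the CLI is reachable only from the management subnet, via SSH, and the other VLANs get no management listener at all.

```cisco
! ===== L2 switch (IOS); VLAN 99 is the assumed management VLAN =====
vlan 99
 name MGMT
!
! The only SVI used for reaching the switch CLI
interface Vlan99
 ip address 10.99.0.2 255.255.255.0
 no shutdown
!
! Default gateway is the ASA's management subinterface (assumed address)
ip default-gateway 10.99.0.1
!
! Admin PC lives on the management VLAN
interface GigabitEthernet1/0/10
 description Admin PC
 switchport mode access
 switchport access vlan 99
 spanning-tree portfast
!
! Trunk carrying the user VLANs plus the management VLAN to the ASA
interface GigabitEthernet1/0/1
 description Trunk to ASA Gi1/2
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
!
! Only the management subnet may open a VTY session; everything else is logged
ip access-list standard MGMT-ONLY
 permit 10.99.0.0 0.0.0.255
 deny   any log
!
ip ssh version 2
line vty 0 15
 access-class MGMT-ONLY in
 transport input ssh
 login local
 exec-timeout 10 0

! ===== ASA 5506-X; management subinterface on the trunk toward the switch =====
interface GigabitEthernet1/2.99
 vlan 99
 nameif management-vlan
 security-level 100
 ip address 10.99.0.1 255.255.255.0
!
! SSH is accepted only from the management subnet and only on this nameif.
! Leaving out "ssh ... <other-nameif>" lines is what blocks SSH on the other
! subinterfaces; there are deliberately no "telnet" statements at all.
ssh version 2
ssh 10.99.0.0 255.255.255.0 management-vlan
ssh timeout 5
aaa authentication ssh console LOCAL
```

On the ASA, SSH reachability is decided per interface name by the `ssh` statements, so the absence of an entry for the user-VLAN subinterfaces is the control, not an ACL. Confirm the result with `show run ssh` on the ASA and `show access-lists MGMT-ONLY` on the switch, where the `deny any log` counter should climb if a non-management host tries to connect.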

Hi Laz,
Thanks for looking into it. I understand what you're saying and it makes total sense. Is it possible for me to ping other sub-interfaces from the interface that I'm connected to? Right now I can only ping the sub-interface of the subnet that I'm connected to, and that makes sense, but I would like to ping all the sub-interfaces.

thanks.

Hello Irfan

If you have configured the ASA with subinterfaces on the interface connected to the switch, then of course, as you have confirmed, you should be able to ping the IP of the subinterface on the same VLAN as the device you are pinging from.

Now for traffic to be routed from one interface to another on an ASA (whether physical interfaces or subinterfaces), it takes into account the security level of these interfaces. I am assuming that each subinterface has the same security level. If that is the case, the default behavior of an ASA is to disallow traffic between such interfaces unless an ACL is present that allows it.

The problem may be there, but it also may be due to a default feature of the ASA that is configured not to respond to ICMP packets. In order to determine the specific problem, take a look at this post, as it will help you to troubleshoot the issue, and identify the problem. Once you identify it you can then examine ways to resolve it.

Let us know of any results you may have…

I hope this has been helpful!

Laz
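To make the two causes Laz lists concrete, here is an added example (my own configuration, not from this thread) of how security levels, an interface ACL and the ASA's ICMP handling each decide whether traffic can move between two subinterfaces or reach the ASA itself. Interface names, VLAN numbers and addresses are assumed; VLANs 10 and 20 are user VLANs at the same security level, VLAN 99 is the management VLAN from the earlier example.

```cisco
! ===== ASA: two user-VLAN subinterfaces at equal security level =====
interface GigabitEthernet1/2.10
 vlan 10
 nameif users
 security-level 50
 ip address 10.10.0.1 255.255.255.0
!
interface GigabitEthernet1/2.20
 vlan 20
 nameif servers
 security-level 50
 ip address 10.20.0.1 255.255.255.0
!
! Cause 1: equal security levels. Forwarding between same-level interfaces is
! off by default; this single line enables it (ACLs below still apply).
same-security-traffic permit inter-interface
!
! Stateful ICMP: echo replies are matched to requests, so no ACL is needed on
! the return interface for pings through the ASA.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Interface ACL on "users": explicit about what may leave that VLAN.
! Without an ACL, the security level alone would govern the decision.
access-list USERS-IN extended permit icmp 10.10.0.0 255.255.255.0 any echo
access-list USERS-IN extended permit tcp  10.10.0.0 255.255.255.0 any eq 443
access-list USERS-IN extended deny   ip   any any log
access-group USERS-IN in interface users
!
! Cause 2: pings addressed to the ASA's own interface addresses are handled
! by the "icmp" command per interface, not by the interface ACL. With no
! "icmp" lines the default is to answer. Here only the management subnet
! may ping the management subinterface; user VLANs cannot ping the ASA.
icmp permit 10.99.0.0 255.255.255.0 management-vlan
icmp deny any management-vlan
icmp deny any users
icmp deny any servers
!
! Note for the original question: even with everything above permitted, the
! ASA answers ICMP only on the interface the packet arrived on. A host in
! VLAN 10 can ping 10.10.0.1 but will not get a reply from 10.20.0.1, which
! is expected ASA behaviour, not a fault.
!
! Troubleshooting: trace a ping from a VLAN 10 host toward a VLAN 20 host and
! see which phase (ACL, same-security, inspection) drops it.
! packet-tracer input users icmp 10.10.0.5 8 0 10.20.0.5 detailed
! show access-list USERS-IN
! show logging | include 106023
```

The `packet-tracer` line is the quickest way to tell the two causes apart: a drop in the ACL or same-security phase points at forwarding policy, while a successful trace combined with no reply when pinging an ASA interface address points at the `icmp` interface rules or at the arrival-interface behaviour noted in the comments.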