ASA IPS issue: routing and management interface

Question

We have management network (192.168.25.0/24) where we have management ip of ASA 5525-X IPS Bundle (.250) and IPS (.37). The IPS has a default gateway of our Layer 3 (.1) switch that is behind the ASA (according to Cisco's docs).

To pass traffic back to the IPS, I created a route for 192.168.25.0/24 that points to the L3 switch.

When I type #sh route on the ASA:

C    192.168.30.0 255.255.255.0 is directly connected, inside
C    192.168.25.0 255.255.255.0 is directly connected, management
C    192.168.35.0 255.255.255.0 is directly connected, outside
S*   0.0.0.0 0.0.0.0 [1/0] via 192.168.35.1, outside

at the same time #sh running-config route:

route outside 0.0.0.0 0.0.0.0 192.168.35.1 1
route inside 192.168.25.0 255.255.255.0 192.168.30.2 1

So, in the routing table I have information that subnet is directly connected and is it management interface traffic will not pass to IPS. But the IPS can access Internet and traffic goes through L3 switch (I checked counter).

Can someone explain how routing for the IPS function should work?

Answer 1

Unfortunately the mgmt0/0 interface on an ASA is often misused. It should only be used for management of the admin/system context of an ASA in multi-context mode, or for a dedicated management subnet that uses the ASA as its default gateway.

What you need to do is remove the IP address from the mgmt0/0 interface on the ASA itself (NOT THE IPS!!) and everything should work as expected as long as the management subnet is routed out the correct interface on the ASA.

What is happening with the ASA having an interface into the management subnet (192.168.25.0/24 in this case) is all packets from that subnet that use an internal gateway (L3 switch) and then try and forward packets through the inside interface are failing the reverse-path-forwarding (RPF) check and being dropped as spoofed traffic.

The actual traffic flow that you are seeing is IPS>L3 Switch>ASA>Bit Bucket(RPF Failure), until you re-address the IPS, disable RPF checking (not advised) or remove the IP from the ASA's management0/0 interface you will continue to see this behavior.

Answer 2

I've run into this problem before and there's a couple things happening in this scenario.

First, The Management interface does not play by the same rules as other interfaces on the FW. By default it will not pass or receive traffic from any other interface on the device due to the "Management-Only" setting.

Second, the way that Cisco implements the Management interface causes a routing loop with the ASA. You would like to route all traffic to the management network through the L3 switch on the Inside, but the ASA sees the Management network as directly connected via the Management interface

You would like the traffic to take the following path:

IPS > L3 Switch > ASA Inside > Internet > ASA Outside > L3 Switch > IPS

Unfortunately, the path it is actually taking looks like this:

IPS > L3 Switch > ASA Inside > Internet > ASA Outside > Bit Bucket

Any packet sent from the IPS to the internet is returned to the ASA Outside interface, at which point the routing table is checked and it sees that the management network is directly connected via the Management interface. Since the Management interface will not receive traffic from another interface by default, the bits hit the floor.

Unfortunately, the best way to resolve this issue is to abandon using the Management interface to manage the firewall and instead use the Inside interface. If you remove the IP address of the Management interface (but still keep the port enabled for the IPS module), that will remove the Management network from the ASA routing table. This will allow the traffic to take the correct path back to the L3 switch on the Inside when it returns from the Internet.

I hope this helps