5525-X Management IP for ASA & IPS in Transparent Mode

Answered Question
Dec 18th, 2013
On the 5525-X ASA model, the Management interface is shared between IPS & ASA and both of them are out-of-band interfaces. Please refer to the attached diagram.


So if I were to implement ASA with IPS in transparent mode,

I will have default IP Address for the ASA Management (Management0/0), 192.168.1.1
Default IP Address for the IPS Management (Management0/0), 192.168.1.2

and for transparent mode one Bvi IP address, same segment of bump in the wire.


In the above scenario, which IP address will ASA and IPS use for sending logs and management?

For ASA is it both Bvi and (Management0/0), 192.168.1.1 ?

For IPS, do I need to have a management IP address from the same segment, like bump in the wire? How can I set this on IPS?

Please advise.

avilt Sun, 01/05/2014 - 10:45

I am still confused.


On 5525-X I will have default IP Address for the ASA Management (Management0/0), 192.168.1.1
Default IP Address for the IPS Management (Management0/0), 192.168.1.2. Now I am able to manage both ASA and IPS through these two IP addresses.


Now for transparent mode one BVI IP address, same segment of bump in the wire, let's say 172.16.0.1, is assigned.


Now can I use BVI for management of ASA?


In the above scenario, which IP address will ASA and IPS use for sending logs?

For ASA is it both BVI and (Management0/0), 192.168.1.1?

vishaw jasrotia Mon, 01/06/2014 - 00:37

Hello,

For ASA 5525 IPS management, there are different types of scenario; it all depends upon your requirement.


Let's take some examples.

ASA running in transparent mode.


1> Suppose you have a single subnet and you want your firewall management and IPS management through the same IP pool.

In that case you have to make the connectivity in such a way that your external interface will be in one VLAN and internal + Management interface in the other VLAN.

Also in that case there is no need to specify the nameif and IP on the management interface.


After that create a BVI on the firewall and assign the IP from the pool, and also assign the IP to the IPS from the same pool.


Here your first scenario is completed and you save one subnet.


Note: If your firewall is running in transparent mode then creating a BVI is mandatory (8.4+), as the BVI interface IP address is taken as the source for the traffic originating from the firewall.


2> You have two pools of IP segments, and want your IPS and Firewall management through different pools.

   pool one : 1.1.1.0/24 (Firewall management)

   pool two: 2.2.2.0/24 (IPS Management)


   In that Case your

   Firewall BVI interface IP -- 1.1.1.1

   Firewall Management Interface IP -- 2.2.2.1

   IPS IP--- 2.2.2.2


Again in this case the BVI interface IP is taken as the source for the traffic originating from the firewall.

Hope this helps you


Thanks
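The two scenarios in the reply above, written out as a worked ASA 8.4+ transparent-mode configuration. This is an added example, not configuration from the original post, from Cisco documentation or from the poster; the pools 1.1.1.0/24 and 2.2.2.0/24 come from the reply, while the interface names, the syslog host addresses, the IPS default gateways and the cabling of the shared Management0/0 port are assumptions (the cabling follows the reply: outside in one VLAN, inside and the management port in the other).

```cisco
! ---- Scenario 1: one subnet, ASA and IPS both managed from the BVI pool ----
firewall transparent
!
interface GigabitEthernet0/0
 nameif outside
 bridge-group 1
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
 security-level 100
!
! BVI1 owns the only ASA address; it is the source of everything the ASA
! itself sends out of the bridge group (syslog, NTP, AAA).
interface BVI1
 ip address 1.1.1.1 255.255.255.0
!
! The shared Management0/0 port only carries the IPS sensor's management
! traffic here, so it gets no nameif and no IP address on the ASA side.
interface Management0/0
 no shutdown
!
logging enable
logging host inside 1.1.1.100        ! assumed syslog collector
ssh 1.1.1.0 255.255.255.0 inside     ! admin hosts live in the same pool
!
! IPS sensor side (sensor CLI, same format as in the thread); 1.1.1.254 is
! an assumed default gateway and access-list limits who may manage the sensor:
!   network-settings
!     host-ip 1.1.1.2/24,1.1.1.254
!     access-list 1.1.1.0/24
!
! ---- Scenario 2: dedicated management pool for Management0/0 and the IPS ----
! Bridge group, BVI1 (1.1.1.1) and data interfaces stay exactly as above.
interface Management0/0
 management-only                     ! never forwards data-plane traffic
 nameif management
 security-level 100
 ip address 2.2.2.1 255.255.255.0
!
! Device administration and syslog are pinned to the management interface,
! so they are sourced from 2.2.2.1 rather than from the BVI.
logging enable
logging host management 2.2.2.100    ! assumed syslog collector
ssh 2.2.2.0 255.255.255.0 management
http 2.2.2.0 255.255.255.0 management
!
! IPS sensor side, same pool as Management0/0 (gateway assumed):
!   network-settings
!     host-ip 2.2.2.2/24,2.2.2.254
!     access-list 2.2.2.0/24
```

The practical difference between the two is the source address your log collector and AAA server will see: in scenario 1 everything originates from the BVI address on the data subnet, while in scenario 2 management traffic leaves through Management0/0 from its own address and the BVI only sources traffic that exits through the bridge group. Whichever you pick, keep the ssh/http statements and the sensor's access-list restricted to the management pool, since the BVI address is reachable from the bump-in-the-wire segment.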



avilt Mon, 01/06/2014 - 05:43

I need to place the ASA-IPS in transparent mode between two switches (trunk links).

In this case what should be my BVI ip address?


ASA Config:

interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface BVI1
 ip address 172.17.10.77 255.255.252.0

-----------------------------

IPS config:

network-settings
 host-ip 192.168.1.7/24,192.168.1.10
 host-name 86IPS
 telnet-option disabled
 access-list 192.168.1.0/24

vishaw jasrotia Mon, 01/06/2014 - 20:06

If you want to place ASA-IPS in between two switches, in that case you have to create an SVI on the L3 switch or a virtual interface (if using a router as L3) for both subnets.

avilt Tue, 01/07/2014 - 04:14

Please refer to the attached network diagram. I have the virtual interfaces on the ASA firewall and I have to place this IPS in between the firewall and the L2 switch. Now I can put mgmt0/0 for ASA and IPS under one segment (100 OR 200 OR 300). But what about the BVI address? It won't allow me to assign the IP from the same segment as mgmt0/0. Please advise.


     

avilt Tue, 01/07/2014 - 20:14

I have gone through the doc in detail and there is no example of mgmt settings for transparent mode.


My understanding is that I need to

a) remove nameif on mgmt0/0

b) assign IPS ip address, keep it in the BVI segment.

c) manage ASA through BVI, no need to have an mgmt0/0 IP for ASA.


Please correct me if I am wrong.




Correct Answer
Julio Carvajal Tue, 01/07/2014 - 20:59
avilt Wed, 01/08/2014 - 02:13

In this case all the communication from BVI to IPS is through the external cable, right? They cannot communicate directly.

From the ASA console I cannot ping the IPS IP address and vice versa without the cable connected in between.
