5525-X Management IP for ASA & IPS in Transparent Mode

avilt
Level 3

On the 5525-X ASA model, the Management interface is shared between the IPS and the ASA, and both of them are out-of-band interfaces. Please refer to the attached diagram.

So if I were to implement ASA with IPS in transparent mode,

I will have the default IP address for the ASA Management (Management0/0), 192.168.1.1,
and the default IP address for the IPS Management (Management0/0), 192.168.1.2,

and for transparent mode one BVI IP address, in the same segment as the bump in the wire.

In the above scenario, which IP address will the ASA and IPS use for sending logs and for management?

For the ASA, is it both the BVI and (Management0/0) 192.168.1.1?

For the IPS, do I need to have a management IP address from the same segment as the bump in the wire? How can I set this on the IPS?

Please advise.

Accepted Solution

a) remove nameif on mgmt0/0

b) assign IPS ip address, keep it in the BVI segment.

c) manage ASA thru BVI, no need to have mgmt0/0 IP for ASA.

See, you got it, man. Great work, some kudos to you.

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


12 Replies

avilt
Level 3

Appreciate some replies.

Hello Avilt,

Remember that you can have more than one BVI interface on the ASA; that's why they were implemented on the ASA.

For the other questions:

Here you go

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080bd5d03.shtml


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I am still confused.

On the 5525-X I will have the default IP address for the ASA Management (Management0/0), 192.168.1.1,
and the default IP address for the IPS Management (Management0/0), 192.168.1.2. Now I am able to manage both the ASA and the IPS through these two IP addresses.

Now for transparent mode one BVI IP address in the same segment as the bump in the wire, let's say 172.16.0.1, is assigned.

Now can I use the BVI for management of the ASA?

In the above scenario, which IP address will the ASA and IPS use for sending logs?

For the ASA, is it both the BVI and (Management0/0) 192.168.1.1?

Hello,

Now can I use the BVI for management of the ASA?

Yes, you can still use it.

For IPS-ASA communication the OOB interface (management) will be used.


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

vishaw jasrotia
Level 1

Hello,

For ASA 5525 IPS management, there are different types of scenarios... that all depends upon your requirement.

Let's take some examples...

ASA running in transparent mode.

1> Suppose you have a single subnet and you want your firewall management and IPS management through the same IP pool.

In that case you have to make the connectivity in such a way that your external interface will be in one VLAN and the internal + Management interfaces in another VLAN.

Also in that case there is no need to specify the nameif and IP on the management interface.

After that create a BVI on the firewall and assign the IP from the pool, and also assign the IP to the IPS from the same pool.

Here your first scenario is completed and you save one subnet.

Note: If your firewall is running in transparent mode then creating a BVI is mandatory (8.4+), as the BVI interface IP address is taken as the source for the traffic originating from the firewall.

2> You have two pools of IP segments, and want your IPS and firewall management through different pools.

   pool one: 1.1.1.0/24 (Firewall management)

   pool two: 2.2.2.0/24 (IPS management)

   In that case your

   Firewall BVI interface IP -- 1.1.1.1

   Firewall Management interface IP -- 2.2.2.1

   IPS IP -- 2.2.2.2

Again in this case the BVI interface IP is taken as the source for the traffic originating from the firewall.

Hope this helps you

Thanks


I need to place the ASA-IPS in transparent mode between two switches (trunk links).

In this case what should be my BVI ip address?

ASA config:

interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface BVI1
 ip address 172.17.10.77 255.255.252.0

-----------------------------

IPS config:

network-settings
 host-ip 192.168.1.7/24,192.168.1.10
 host-name 86IPS
 telnet-option disabled
 access-list 192.168.1.0/24

If you want to place the ASA-IPS in between two switches, in that case you have to create an SVI on the L3 switch, or a virtual interface (if using a router as L3), for both subnets.

Please refer to the attached network diagram. I have the virtual interfaces on the ASA firewall and I have to place this IPS in between the firewall and the L2 switch. Now I can put mgmt0/0 for the ASA and IPS under one segment (100 OR 200 OR 300), but what about the BVI address? It won't allow me to assign the IP from the same segment as mgmt0/0. Please advise.

Everything is on the link I sent you bud...

Read it and then you will know...


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I have gone through the doc in detail and there is no example of mgmt settings for transparent mode.

My understanding is that I need to

a) remove nameif on mgmt0/0

b) assign IPS ip address, keep it in the BVI segment.

c) manage ASA thru BVI, no need to have mgmt0/0 IP for ASA.

Please correct me if I am wrong.

a) remove nameif on mgmt0/0

b) assign IPS ip address, keep it in the BVI segment.

c) manage ASA thru BVI, no need to have mgmt0/0 IP for ASA.

See, you got it, man. Great work, some kudos to you.


Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
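A small config check for the two layouts vishaw described (single pool with the ASA managed through the BVI, or separate pools with an addressed mgmt0/0) and for the a/b/c steps confirmed above, as an added example that is not code from this thread or from Cisco. It parses an ASA interface fragment and an IPS host-ip line, decides which scenario the pair matches, and flags the state avilt ran into (mgmt0/0 and BVI in the same subnet). The sample configs are constructed: ASA_SCENARIO2 is modelled on the config posted above; the scenario 1 IPS address 172.17.10.78/22 and gateway 172.17.8.1 are assumed values.

```python
import ipaddress
import re

# Constructed sample: the ASA fragment avilt posted (mgmt0/0 addressed,
# BVI in a different segment) plus the posted IPS host-ip line.
ASA_SCENARIO2 = """\
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface BVI1
 ip address 172.17.10.77 255.255.252.0
"""
IPS_SCENARIO2 = "host-ip 192.168.1.7/24,192.168.1.10"

# Constructed sample: the accepted solution's single-pool layout. No nameif
# or IP on Management0/0; IPS address (assumed) taken from the BVI segment.
ASA_SCENARIO1 = """\
interface Management0/0
 management-only
!
interface BVI1
 ip address 172.17.10.77 255.255.252.0
"""
IPS_SCENARIO1 = "host-ip 172.17.10.78/22,172.17.8.1"


def parse_asa_interfaces(config):
    """Return {ifname: {"nameif": str|None, "ip": IPv4Interface|None}}.
    Only the keywords this thread cares about are parsed."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface\s+(\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = {"nameif": None, "ip": None}
            continue
        if current is None or line == "!":
            continue
        m = re.match(r"nameif\s+(\S+)", line)
        if m:
            interfaces[current]["nameif"] = m.group(1)
        m = re.match(r"ip address\s+(\S+)\s+(\S+)", line)
        if m:
            # ipaddress accepts "addr/netmask" as well as "addr/prefix"
            interfaces[current]["ip"] = ipaddress.IPv4Interface(
                f"{m.group(1)}/{m.group(2)}")
    return interfaces


def parse_ips_host_ip(line):
    """Parse an IPS 'host-ip <addr>/<prefix>,<gateway>' line."""
    m = re.match(r"host-ip\s+(\S+?),(\S+)", line.strip())
    if not m:
        raise ValueError("not a host-ip line: " + line)
    return ipaddress.IPv4Interface(m.group(1)), ipaddress.IPv4Address(m.group(2))


def classify(asa_config, ips_host_ip_line):
    """Classify a transparent-mode ASA + IPS management layout.
    Returns 'scenario' (1, 2 or 'invalid'), 'bvi_source' (the BVI address,
    which the thread notes is the source for firewall-originated traffic)
    and a list of 'findings'."""
    ifs = parse_asa_interfaces(asa_config)
    mgmt = ifs.get("Management0/0", {"nameif": None, "ip": None})
    bvis = [v["ip"] for k, v in ifs.items() if k.startswith("BVI") and v["ip"]]
    ips_ip, ips_gw = parse_ips_host_ip(ips_host_ip_line)
    findings = []
    if not bvis:
        findings.append("no BVI address: mandatory in transparent mode (8.4+)")
        return {"scenario": "invalid", "bvi_source": None, "findings": findings}
    bvi = bvis[0]
    result = {"scenario": "invalid", "bvi_source": str(bvi.ip), "findings": findings}
    # The state avilt hit: the ASA refuses a BVI in the mgmt0/0 subnet.
    if mgmt["ip"] and mgmt["ip"].network == bvi.network:
        findings.append("Management0/0 and BVI share a subnet; the ASA rejects this")
        return result
    if ips_gw not in ips_ip.network:
        findings.append("IPS gateway is not inside the IPS subnet")
    if mgmt["ip"] is None:
        # Scenario 1 / accepted solution: manage the ASA through the BVI.
        if ips_ip.network == bvi.network:
            result["scenario"] = 1
        else:
            findings.append("IPS address is not in the BVI segment")
        if mgmt["nameif"]:
            findings.append("Management0/0 keeps a nameif but no IP; remove it")
    elif ips_ip.network == mgmt["ip"].network:
        # Scenario 2: IPS and mgmt0/0 share their own pool.
        result["scenario"] = 2
    else:
        findings.append("IPS address is in neither the management nor the BVI segment")
    return result


if __name__ == "__main__":
    for name, asa, ips in (("scenario 1", ASA_SCENARIO1, IPS_SCENARIO1),
                           ("scenario 2", ASA_SCENARIO2, IPS_SCENARIO2)):
        print(name, classify(asa, ips))
```

Run it as-is to see both posted layouts classified; feeding it a config whose BVI sits in 192.168.1.0/24 alongside mgmt0/0 reproduces the rejected state from the thread as an "invalid" result.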

In this case all the communication from the BVI to the IPS is thru an external cable, right? They cannot communicate directly.

From the ASA console I cannot ping the IPS IP address, and vice versa, without the cable connected in between.
