Cisco Support Community
Community Member

ASA 5510 with AIP-SSM

Ideally I would like to place an ASA 5510 in line between three devices on the same subnet and have the traffic between them inspected.

For example the network 10.10.10.x

Eth0/0 would have input coming from 10.10.10.1

Eth0/1 would have input coming from 10.10.10.20

Eth0/2 would have input coming from 10.10.10.30

Leaving the management port with 10.10.10.10

Currently I have the ASA set up as a Transparent Firewall based on the following example: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

From this it looks like only two connections on the same subnet are allowed, but I am new to this so I am not quite sure.

With the Transparent Firewall configuration I am also experiencing difficulty accessing the ASDM application.

Any help would be greatly appreciated.

7 REPLIES

Re: ASA 5510 with AIP-SSM

Hi,

You're right in your assumption - in transparent mode only two connections are possible.

Regarding the ASDM app, you might need to configure some routing on the ASA, but it's not clear exactly what the problem is. Does it work slowly, sometimes or not at all?

HTH

Andrew.

Community Member

Re: ASA 5510 with AIP-SSM

Thank you for your response.

If I switched to routed mode, is there a way to achieve what I mentioned in my original post? From what I have read it seems like transparent mode would be my best choice, unfortunately I need to utilize three ports so this is not an option.

I thought about setting an IP address on the ASA Ethernet Ports 0/0-0/2 each having its own /30 subnet mask but this seems like a waste of addresses.

I resolved the ASDM problem; I had an error in the ACL controlling IP traffic.

Re: ASA 5510 with AIP-SSM

Hi,

Routed mode won't help if the devices are in the same subnet. However, if the devices can all be made to have different subnets then it could work as you'd have a normal firewall scenario inspecting traffic between 3 networks.

HTH

Andrew.
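The routed-mode layout Andrew describes, with each host moved to its own small subnet, is the design the original poster was weighing in the previous post. The configuration below is an added illustration written for this thread, not something posted by either participant or taken from the Cisco example linked above. It assumes ASA 8.x CLI syntax, an AIP-SSM installed in the 5510, and a constructed addressing plan: the three hosts are re-addressed to 10.10.10.2, 10.10.10.6 and 10.10.10.10 (one /30 per interface, ASA side at .1, .5 and .9), and the management interface lives on 10.10.10.12/30. Interface names and the class-map name are arbitrary.

```cisco
! Added example: ASA 5510 in routed mode, one /30 per inspected host.
! Hosts must be re-addressed and point their default gateway at the
! ASA interface on their /30, since they no longer share a broadcast domain.
hostname asa5510
!
interface Ethernet0/0
 nameif host1
 security-level 50
 ip address 10.10.10.1 255.255.255.252
 no shutdown
!
interface Ethernet0/1
 nameif host2
 security-level 50
 ip address 10.10.10.5 255.255.255.252
 no shutdown
!
interface Ethernet0/2
 nameif host3
 security-level 50
 ip address 10.10.10.9 255.255.255.252
 no shutdown
!
! Out-of-band management network (constructed: 10.10.10.12/30, ASA at .13)
interface Management0/0
 nameif management
 security-level 100
 ip address 10.10.10.13 255.255.255.252
 management-only
 no shutdown
!
! All three host interfaces share security-level 50; without this line the ASA
! drops traffic between interfaces of equal security level.
same-security-traffic permit inter-interface
!
! Restrict ASDM/HTTPS access to the management /30 only.
http server enable
http 10.10.10.12 255.255.255.252 management
!
! Redirect every transit flow through the AIP-SSM for inspection.
! fail-open keeps traffic flowing if the module is down or being upgraded;
! use "ips inline fail-close" where blocking is preferred over availability.
class-map ips-all
 match any
policy-map global_policy
 class ips-all
  ips inline fail-open
service-policy global_policy global
```

With this layout every host-to-host flow crosses two ASA interfaces, so the service policy sends all of it to the AIP-SSM; nothing stays inside a single Layer 2 segment the way it would with an intermediate switch. The cost is the one the original poster noticed: each /30 consumes four addresses (two usable), so three hosts plus management take 16 addresses out of the original /24. Verify that flows are actually reaching the module with `show service-policy` and check the module's own status with `show module 1 details` before trusting the deployment.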

Community Member

Re: ASA 5510 with AIP-SSM

Hi,

I have a solution, which may help. In transparent mode, connect two hosts to a switch, then connect the switch to the firewall, and connect the third host to the other interface of the firewall. In your case only transparent mode can be used.

With regards

Re: ASA 5510 with AIP-SSM

Hi,

This isn't a solution because it doesn't satisfy the requirement of inspecting traffic between three hosts. The two hosts connected to the switch will not have their traffic inspected...

Andrew.

Community Member

Re: ASA 5510 with AIP-SSM

Hi,

Correct, adding a switch is not a possibility.

I'm investigating the possibility of moving two of the connections to a different subnet; it looks like this is my only option.

Thanks.

Re: ASA 5510 with AIP-SSM

Hi,

What about host-based security? Something like CSA might be an option?

HTH

Andrew.
