topic Separate subnets are fine in Network Security

Can FirePower management interface & ASA-Inside interface be on seperate subnet?

TCAM — Tue, 12 Mar 2019 12:40:22 GMT

Hi -

Need some clarifications, please.

I have a requirment needed to put FirePower management interface and ASA-Inside interface on a different subnets, does it support?

From what i read so far, most of document suggests to put both interfaces on the same subnet, is there a reason to do that?

I may be wrong but i think FirePower uses management interface to communicate with FireSight for control and comamnd traffic only, the actual data plane traffic is still flowing from ASA-Outside to Inside and vice versa, so as long as there is an ip connectivity between FireSight and FirePower, it should be ok, right? or am i totally wrong, they have to be on the same subnet?

ASA5515-x with FirePower 5.3.1

Thanks in advance for your help.

Separate subnets are fine

Marvin Rhoads — Thu, 30 Apr 2015 03:12:01 GMT

Separate subnets are fine.

Like you've correctly observed - the FirePOWER module only needs to communicate (IP-wise) with FireSIGHT Management Center.

That path is completely independent of the data plane path through the ASA. The ASA redirects traffic via the service-policy to the FirePOWER module completely internally to the appliance.

Thanks Marvin for taking time

TCAM — Fri, 01 May 2015 16:10:10 GMT

Thanks Marvin for taking time to review it.

I tested the setup in lab, yes, it is completely independent and working fine.