topic IPS on ASA Subinterfaces in Network Security

IPS on ASA Subinterfaces

peni.nscg — Fri, 21 Feb 2020 14:46:56 GMT

Hi,

We are in the process of carrying out the following:

A. Move our VLAN Layer 3 Virtual Gateways from our core switch to our Internal ASA Firewall. We will create sub-interfaces on the "Inside" interface for each VLAN and use that sub-interface as the Gateway for each VLAN.

I have a question around this:

1. Will IPS/IDS engine on Firepower be able to carry out inspection on traffic hitting each gateway on the sub-interfaces of the "Inside" interface?

Appreciate your assistance and advice.

Thanks,

Peni.

Re: IPS on ASA Subinterfaces

Karsten Iwen — Mon, 20 Nov 2017 08:05:59 GMT

Actually, you are not configuring sub-interfaces on the "inside" interface, you are configuring them on a physical interface. Each sub-interface will become a firewall interface same as inside, outside and so on. With Modular Policy Framework (MPF) you control on which firewall-interface the traffic should get inspected by Firepower.

All in all, it will work what you want to do.

Re: IPS on ASA Subinterfaces

peni.nscg — Tue, 21 Nov 2017 22:37:11 GMT

Bula Karen,

Thanks for the confirmation as per my question.

In addition:

A. Will we need to trunk the link between our core switch and ASA internal interface (which will contain the sub-interfaces) and allow valid VLAN's over this trunk?

B. Since, routing between the VLAN's will now be handled and inspected by ASA, i am guessing i will need to enable EIGRP on ASA firewall to do this?

Thanks for the advice so far.

Peni.

Re: IPS on ASA Subinterfaces

Karsten Iwen — Tue, 21 Nov 2017 22:40:30 GMT

A: Yes

B: It depends. Very often, static routing is enough and a dynamic routing-protocol is not needed.