topic Re: Using Interface groups in an access policy? in Network Security https://community.cisco.com/t5/network-security/using-interface-groups-in-an-access-policy/m-p/4568043#M1088127 <P>Thanks everyone. I got all the information I need.</P><P>/Chess</P> Thu, 10 Mar 2022 13:50:36 GMT Chess Norris 2022-03-10T13:50:36Z Using Interface groups in an access policy? https://community.cisco.com/t5/network-security/using-interface-groups-in-an-access-policy/m-p/4567974#M1088109 <P>Hello,</P><P>I am doing a migration from a multi context ASA to a single context FTD. Both contexts in the ASA had a lot of sub interfaces and I want to make sure we don’t leak any traffic between the interfaces previously belonging to the two context.<BR />Instead of manually add all interface zones in block rules, I wonder if I could use two interface groups and add the interfaces to those groups and then just do a block rule for traffic between those two interface groups?<BR />I tried to add an interface group as an interface group, but when searching for that object in the ACP, I cannot find it either under Zones or Networks.</P><P>&nbsp;</P><P>Thanks</P><P>/Chess</P> Thu, 10 Mar 2022 12:34:54 GMT https://community.cisco.com/t5/network-security/using-interface-groups-in-an-access-policy/m-p/4567974#M1088109 Chess Norris 2022-03-10T12:34:54Z Re: Using Interface groups in an access policy? https://community.cisco.com/t5/network-security/using-interface-groups-in-an-access-policy/m-p/4567977#M1088110 <P>how are you doing using FDM or FMC ?</P> <P>&nbsp;</P> Thu, 10 Mar 2022 12:42:16 GMT https://community.cisco.com/t5/network-security/using-interface-groups-in-an-access-policy/m-p/4567977#M1088110 balaji.bandi 2022-03-10T12:42:16Z Re: Using Interface groups in an access policy? https://community.cisco.com/t5/network-security/using-interface-groups-in-an-access-policy/m-p/4567979#M1088111 <P>I am using FMC and FTD 2130.</P><P>&nbsp;</P><P>Thanks</P><P>/Chess</P> Thu, 10 Mar 2022 12:43:27 GMT https://community.cisco.com/t5/network-security/using-interface-groups-in-an-access-policy/m-p/4567979#M1088111 Chess Norris 2022-03-10T12:43:27Z Re: Using Interface groups in an access policy? https://community.cisco.com/t5/network-security/using-interface-groups-in-an-access-policy/m-p/4567982#M1088112 <P><a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/256705">@Chess Norris</a> sounds like you need to use "Security Zones" - add the interfaces to the required zones and create the required ACP rules.</P> Thu, 10 Mar 2022 12:45:01 GMT https://community.cisco.com/t5/network-security/using-interface-groups-in-an-access-policy/m-p/4567982#M1088112 Rob Ingram 2022-03-10T12:45:01Z Re: Using Interface groups in an access policy? https://community.cisco.com/t5/network-security/using-interface-groups-in-an-access-policy/m-p/4567986#M1088113 <P>The problem is that all interfaces allready belong to invidual zones (one zone per interface), so I can not create a new zone because an interface can only belong to one security zone. Thats why I thought I could use interface groups instead, but it seams like I cannot use interface groups in an access policy</P><P>Thanks</P><P>/Chess</P> Thu, 10 Mar 2022 12:55:58 GMT https://community.cisco.com/t5/network-security/using-interface-groups-in-an-access-policy/m-p/4567986#M1088113 Chess Norris 2022-03-10T12:55:58Z Re: Using Interface groups in an access policy? https://community.cisco.com/t5/network-security/using-interface-groups-in-an-access-policy/m-p/4567993#M1088114 <P>Thanks for the information, then you need to do some ground work and change the design, most of the FTD are zone based.</P> <P>&nbsp;</P> <P>You need to choose which path to go :</P> <P>&nbsp;</P> <P>1. we did some migration with multi-instance with FTD 4K&nbsp; (FTD 21XX not support here i guess)</P> <P>&nbsp;</P> <P><A href="https://community.cisco.com/t5/security-blogs/migrating-asa-multi-context-to-ftd-multi-instance/ba-p/3893465" target="_blank" rel="noopener">https://community.cisco.com/t5/security-blogs/migrating-asa-multi-context-to-ftd-multi-instance/ba-p/3893465</A></P> <P>&nbsp;</P> <P>2. if you looking to zone with single instance then you need make design accordingly, this required some testing.</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 10 Mar 2022 12:58:45 GMT https://community.cisco.com/t5/network-security/using-interface-groups-in-an-access-policy/m-p/4567993#M1088114 balaji.bandi 2022-03-10T12:58:45Z Re: Using Interface groups in an access policy? https://community.cisco.com/t5/network-security/using-interface-groups-in-an-access-policy/m-p/4567999#M1088116 <P>Correct - ACP is zone-based and cannot use Interface Groups. NAT rules can use IGs.</P> Thu, 10 Mar 2022 13:06:31 GMT https://community.cisco.com/t5/network-security/using-interface-groups-in-an-access-policy/m-p/4567999#M1088116 Marvin Rhoads 2022-03-10T13:06:31Z Re: Using Interface groups in an access policy? https://community.cisco.com/t5/network-security/using-interface-groups-in-an-access-policy/m-p/4568043#M1088127 <P>Thanks everyone. I got all the information I need.</P><P>/Chess</P> Thu, 10 Mar 2022 13:50:36 GMT https://community.cisco.com/t5/network-security/using-interface-groups-in-an-access-policy/m-p/4568043#M1088127 Chess Norris 2022-03-10T13:50:36Z