After numerous conversations with the Cisco Account team and Cisco AS that configuring multiple ASAs to go through a single IPEP was not an issue and would not require reconfiguration/rebuilding of the addressing on the units.
It appears from the example I have seen for a single ASA that it is expecting the inside interface to be in the same subnet as the untrusted interface of the IPEP. This is where our problem comes in: the two VPNs have different inside interface subnets.
We were originally told/led to believe by Cisco AS that the IPEP could have multiple untrusted interfaces (sub-interfaces); this was not tested in the original pilot.
This is not a show stopper, I am just wondering if anyone had faced this and what their recommendations were.
I can see the scenario you are describing working, as long as the ASA inside interfaces and the untrusted interface of the IPEP are on the same subnet/VLAN.
The main show stopper for the multiple ASA to one IPEP is the MAC addressing. As is the nature of data traversal, the last interface the data goes through strips the previous MAC from the packet and replaces it with its own MAC. The MAC of the ASA is what the IPEP filters on, so if the data has to traverse ANY other interface the IPEP would not see the correct MAC.
We were hoping to do the same with an ASA in the US, and an ASA in the UK, because the sites are linked via VPN tunnel. But came to the realization that the different hops between would be impossible for the IPEP to work.
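The MAC-rewrite behaviour described in the reply above, as an added example that is not part of the thread or Cisco code: a small Python model of which forwarding paths still present an ASA MAC to the IPEP. The `Hop` and `Frame` types, the MAC and IP values, and the match-on-source-MAC filter are assumptions built only from the thread's description.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Frame:
    src_mac: str  # layer-2 source, rewritten at every routed hop
    src_ip: str   # layer-3 source, unchanged end to end (no NAT assumed)

@dataclass(frozen=True)
class Hop:
    name: str
    egress_mac: str  # MAC of the interface that sends the packet onward

def forward(frame, routed_hops):
    """Each routed hop re-frames the packet with its own egress MAC."""
    for hop in routed_hops:
        frame = replace(frame, src_mac=hop.egress_mac)
    return frame

def ipep_accepts(frame, allowed_asa_macs):
    """Assumed filter model from the thread: match on source MAC only."""
    return frame.src_mac.lower() in allowed_asa_macs

# Constructed values (RFC 7042 documentation MAC range), not from the thread.
ASA_US = Hop("asa-us-inside", "00:00:5e:00:53:01")
ASA_UK = Hop("asa-uk-inside", "00:00:5e:00:53:02")
CORE = Hop("routed-hop", "00:00:5e:00:53:aa")
ALLOWED = {ASA_US.egress_mac, ASA_UK.egress_mac}

PATHS = {
    "US ASA on IPEP untrusted VLAN": [ASA_US],
    "UK ASA on IPEP untrusted VLAN": [ASA_UK],
    "UK ASA behind one routed hop": [ASA_UK, CORE],
}

def evaluate(paths, allowed=ALLOWED):
    """Return {path label: (source MAC the IPEP sees, accepted?)}."""
    client = Frame(src_mac="00:00:5e:00:53:ff", src_ip="10.10.10.5")
    results = {}
    for label, hops in paths.items():
        arriving = forward(client, hops)
        results[label] = (arriving.src_mac, ipep_accepts(arriving, allowed))
    return results

if __name__ == "__main__":
    for label, (mac, ok) in evaluate(PATHS).items():
        print(f"{label:32} IPEP sees {mac} -> {'accept' if ok else 'reject'}")
```

Both ASAs pass while they sit on the same VLAN as the untrusted interface; a single routed hop in between replaces the ASA MAC and the filter no longer matches.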