Solved: Can FirePower management interface & ASA-Inside interface be on seperate subnet?

TCAM · ‎04-29-2015

Hi -

Need some clarifications, please.

I have a requirment needed to put FirePower management interface and ASA-Inside interface on a different subnets, does it support?

From what i read so far, most of document suggests to put both interfaces on the same subnet, is there a reason to do that?

I may be wrong but i think FirePower uses management interface to communicate with FireSight for control and comamnd traffic only, the actual data plane traffic is still flowing from ASA-Outside to Inside and vice versa, so as long as there is an ip connectivity between FireSight and FirePower, it should be ok, right? or am i totally wrong, they have to be on the same subnet?

ASA5515-x with FirePower 5.3.1

Thanks in advance for your help.

Marvin Rhoads · ‎04-29-2015

Separate subnets are fine.

Like you've correctly observed - the FirePOWER module only needs to communicate (IP-wise) with FireSIGHT Management Center.

That path is completely independent of the data plane path through the ASA. The ASA redirects traffic via the service-policy to the FirePOWER module completely internally to the appliance.

View solution in original post

Marvin Rhoads · ‎04-29-2015

Separate subnets are fine.

Like you've correctly observed - the FirePOWER module only needs to communicate (IP-wise) with FireSIGHT Management Center.

That path is completely independent of the data plane path through the ASA. The ASA redirects traffic via the service-policy to the FirePOWER module completely internally to the appliance.

TCAM · ‎05-01-2015

Thanks Marvin for taking time to review it.

I tested the setup in lab, yes, it is completely independent and working fine.