I currently do not use the management interface i access the ADSM from the LAN on the 192.168.35.0subnet. Does this mean i have to have a managment interface? will i have to plug this into my LAN Switch? I'm aware the Management interface IP cannot be on the same subnet as my LAN as it bring up an error over overlapping subnets?

Sorry for the stupid questions.

Thanks

It's no problem mate :)

There are slight differences between some of the newer model ASA's (x series) that mean you can only use the management interface as your gateway.

If you'r not able to ping your gateway (inside interface) from your IPS when using that as your gateway then you'll have to configure your management interface and use this as your default gateway instead.

Let me know if you need any further info.

Here in my interface config on the ASA

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 pppoe client vpdn group WRG
 ip address pppoe setroute
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.999
 vlan 999
 nameif inside
 security-level 100
 ip address 192.168.25.254 255.255.255.0

I'm unable to ping 192.168.35.254 from within the IPS. please see ips basic config

 Version 7.1(4)
! Host:
!     Realm Keys          key1.0
! Signature Definition:
!     Signature Update    S615.0   2012-01-03
! ------------------------------
service interface
exit
! ------------------------------
service authentication
exit
! ------------------------------
service event-action-rules rules0
exit
! ------------------------------
service host
network-settings
host-ip 192.168.25.250/24,192.168.25.254
host-name test
telnet-option disabled
access-list 0.0.0.0/0
access-list 192.168.25.0/24
dns-primary-server enabled
address 8.8.8.8
exit
dns-secondary-server enabled
address 4.4.4.4

Does that mean i need to setup my management interface with an actual ip? then will i need to plug that into my local lan switch? All traffic in the lan is pointed for 192.168.35.254 to route out to the internet i'm just unsre to how this management interface works?

Hope it makes sense

Thanks

 

sorry that should have said unable to ping 192.168.25.254****

Yeah, it looks as though you'll need to use your management interface (on the same subnet) and keep it connected. Here is my config for the same arrangement:

IPS:
service host
network-settings
host-ip 10.201.29.10/29,10.201.29.9
host-name ssc-wlan-fw-ips-1
telnet-option disabled
access-list 0.0.0.0/0

ASA:
interface Management0/0
 description Management interface for IPS module
 nameif management
 security-level 100
 ip address 10.201.29.9 255.255.255.248
 management-only

Keep posting if you need further help :)

ok think i understand however traffic from my lan traffic goes out through the lan interface of 192.168.35.254 would i now have to point the LAN traffic to the Management interface or would is still go via the 'inside' interface?

How does the traffic route via ips from the internet??

INTERNET>OUTSIDE INTERFACE>MANAGEMENT>INSIDE>LAN??

so i will have the following setup

interface GigabitEthernet0/0
 nameif outside
 security-level 0
 pppoe client vpdn group WRG
 ip address pppoe setroute
!
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1.999
 vlan 999
 nameif inside
 security-level 100
 ip address 192.168.25.254 255.255.255.0

Interface management0/0

ip address 192.168.35.254 255.255.255.0

IPS IP will be 192.168.35.254 255.255.255.0

Thanks again. Great help so far :)

I will check it out sometime next tomorrow/next week

If i have any problems i will let you know.

Thanks for taking time out to help me much appreciated

sorry 1 more thing i forgot to ask. As my management interface 192.168.35.254  will be on a different subnet to my lan, when i plug it into my LAN switch which is on the 192.168.25.0 network how will it communcate with my LAN? Do i need to plug it into my LAN switch?

Thanks