
FIPS enable ASA 5515 - Port-Channel Break

aamsq11
Level 1

Current Setup: ASA 5515 - Active/Standby pair

 

Situation: Need to make the currently running ASA 5515 FIPS compliant - Cisco support said at least one port needs to be a single port by itself, and not in a port-channel, before "fips enable" is implemented.

 

We are thinking of breaking the port-channel interface that has the outside and management sub-interfaces on it and assigning these two sub-interfaces to a single gig interface.

 

Question: Would we lose any config related to the outside and management interfaces?

Question: What is the best way to approach this re-config of the ASA? Example: break the port-channel, or remove a single interface from the port-channel and configure that?

Question: Do you have any experience with a FIPS upgrade on currently working devices?

 


Marvin Rhoads
Hall of Fame

Anytime you need to reassign an interface you have to use "no nameif ___". That command will remove any associated ACLs and NAT commands that reference that nameif. As long as you know that in advance and take it into account you should be fine.

 

I've not done a FIPS conversion but I know there are several other requirements for compliance - the hardware anti-tamper kit as well as some operational procedures - that are required for full compliance.

Thanks for the response, Marvin. Since running the command "no nameif" will remove configuration:

Can we have a port-channel with only a single interface being part of it? Or will the port-channel break once we remove one interface out of the two it currently has?

 

Also, will the "no nameif" command remove any configs related to the interface (VPN tunnels, digital certs, etc.) or just ACLs and NATs?

You can have a port-channel with a single member.

 

When you "no nameif" an interface, the lines anywhere the nameif appears in the rest of the configuration will be removed. I mentioned the most common ones but the ones you mentioned and a few others would also be affected.
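An added example, not part of the original thread: a Python sketch that inventories the lines in a saved running-config that name a given nameif, so they can be reviewed and re-applied after the interface is reassigned. The sample config, object names and addresses are constructed, and the function names `parse_nameifs` and `find_references` are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample config (documentation address ranges), not taken from the thread.
SAMPLE_CONFIG = """\
interface Port-channel1.10
 vlan 10
 nameif outside
!
interface Port-channel1.20
 vlan 20
 nameif management
!
interface GigabitEthernet0/1
 nameif inside
!
object network WEB
 host 10.0.0.10
 nat (inside,outside) static 203.0.113.10
access-list OUTSIDE_IN extended permit tcp any host 10.0.0.10 eq 443
access-group OUTSIDE_IN in interface outside
nat (inside,outside) source dynamic any interface
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
crypto map VPNMAP interface outside
ssh 192.0.2.0 255.255.255.0 management
"""

TOKEN_SPLIT = re.compile(r"[\s(),]+")  # nat writes nameifs as "(real,mapped)"

def parse_nameifs(config):
    """Map each nameif to the interface that currently carries it."""
    nameifs, current = {}, None
    for line in config.splitlines():
        if not line.startswith(" "):
            current = line.split()[1] if line.startswith("interface ") else None
        elif current and line.split()[:1] == ["nameif"]:
            nameifs[line.split()[1]] = current
    return nameifs

def find_references(config, nameif):
    """Group by command keyword every line outside interface blocks naming the nameif."""
    refs, in_interface = defaultdict(list), False
    for number, line in enumerate(config.splitlines(), start=1):
        if not line.startswith(" "):
            in_interface = line.startswith("interface ")
        tokens = [t for t in TOKEN_SPLIT.split(line) if t]
        # Exact token match over-reports if an object or ACL shares the name; review hits.
        if not in_interface and nameif in tokens[1:]:
            refs[tokens[0]].append((number, line.strip()))
    return dict(refs)
```

Run it against a backup of the configuration taken before the change, once per nameif that will be moved, and keep the output as the list of commands to check afterwards.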
