How do you mirror traffic from all sources to specific vlan to be scanned by an ASA

I'll try to make this as least complicated as possible.

Scenario: Mirror all traffic being sent to and from vlan x on a Nexus 5672 to an interface that is directly connected to an ASA 5525x.

Purpose: To filter and inspect traffic on the ASA FirePOWER and FireSight server for a specific vlan.

Steps performed: (keep in mind, connections are working and all traffic is able to talk to each other. I just need help solving the problem as to why no monitored traffic is being sent to the ASA)

1. Created a monitoring session

nexus:

  monitor session 1
    source vlan x,y,z
    destination interface e1/1   ! connection to firewall context
    no shut

  interface e1/1
    switchport monitor
    switchport access vlan x

  interface vlan x
    ip address 192.168.0.1 255.255.255.0
    no shut

ASA:

  firewall transparent

  interface BVI x
    ip address 192.168.0.1 255.255.255.0
  !
  interface g0/0
    nameif Monitor
    bridge-group x
    security-level 0
    no shut

Any assistance will help, thank you.

3 Replies

Marvin Rhoads
Hall of Fame

Is the ASA configured in single context transparent mode? That's required.

Reference:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa98/configuration/firewall/asa-98-firewall-config/access-sfr.html#concept_FAFCD01AF00B429DB0C464FF372F816E
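For readers following the linked reference, here is an added example (not part of this thread and not Cisco's own sample) of the passive monitor-only traffic-forwarding setup it describes, assuming the ASA is already running in single context, transparent mode and that GigabitEthernet0/0 is the port cabled to the Nexus SPAN destination ethernet1/1; VLAN x, the interface names and the verification commands are the only specifics carried over from the thread or standard CLI.

```text
! --- Nexus (NX-OS): SPAN session feeding the ASA monitoring port (added example) ---
monitor session 1
  source vlan x
  destination interface ethernet1/1
  no shut
!
interface ethernet1/1
  switchport monitor
!
! Verify the session is up and lists the expected source/destination:
!   show monitor session 1

! --- ASA: passive traffic-forwarding interface to the FirePOWER (sfr) module ---
! Prerequisites, checked before touching the interface:
!   show mode       -> should report single context mode
!   show firewall   -> should report transparent firewall mode
!
! The forwarding interface is a bare physical port: no nameif, no bridge-group.
! It hands received frames to the module for inspection and never forwards them.
interface GigabitEthernet0/0
  no nameif
  no security-level
  traffic-forward sfr monitor-only
  no shutdown
```

Because the port is unnamed and outside any bridge group, it cannot carry through-traffic; keep the ASA's inline interfaces and BVI separate from it.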

Marvin, 

Thank you for the quick response, and you were right. In the text it states "You must operate the ASA in single context and transparent modes to use this configuration".

In the environment I am working in, we need to monitor one specific network on a separate context. Do you by any chance have any suggestions as to how to accomplish this?

Is it a short term or ongoing requirement?

If it is short term you may be able to get a Cisco partner to set up a proof of value demo using a loaner ASA.

If it is long term and you need to continue to use the ASA with FirePOWER service module for other inline analysis and protection, then you need to deploy a separate sensor. Depending on your environment, you may be able to use something like an FTDv.
