IPS on ASA Subinterfaces

peni.nscg
Level 1

Hi,

We are in the process of carrying out the following:

A. Move our VLAN Layer 3 Virtual Gateways from our core switch to our Internal ASA Firewall. We will create sub-interfaces on the "Inside" interface for each VLAN and use that sub-interface as the Gateway for each VLAN.

I have a question around this:

1. Will the IPS/IDS engine on Firepower be able to carry out inspection on traffic hitting each gateway on the sub-interfaces of the "Inside" interface?

Appreciate your assistance and advice.

Thanks,

Peni.


3 Replies

Actually, you are not configuring sub-interfaces on the "inside" interface; you are configuring them on a physical interface. Each sub-interface becomes a firewall interface, the same as inside, outside and so on. With the Modular Policy Framework (MPF) you control on which firewall interface the traffic should be inspected by Firepower.

All in all, what you want to do will work.
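The arrangement described in the reply above, as an added configuration example (not taken from the thread or from any Cisco document): two 802.1Q sub-interfaces on one physical ASA interface, each becoming its own named firewall interface, and an MPF service policy that redirects their traffic to the Firepower (SFR) module. Interface names, VLAN IDs, security levels and the 10.0.x.0/24 addresses are constructed for the example.

```cisco
! --- Physical interface: carries the 802.1Q trunk to the core switch.
!     It gets no nameif/IP of its own, so only tagged frames are usable. ---
interface GigabitEthernet0/1
 description Trunk to core switch (constructed example)
 no nameif
 no security-level
 no ip address
 no shutdown
!
! --- One sub-interface per VLAN; each is a separate firewall interface
!     and the gateway for that VLAN (addresses constructed for the example) ---
interface GigabitEthernet0/1.10
 vlan 10
 nameif users
 security-level 50
 ip address 10.0.10.1 255.255.255.0
!
interface GigabitEthernet0/1.20
 vlan 20
 nameif servers
 security-level 60
 ip address 10.0.20.1 255.255.255.0
!
! --- MPF: a class matching all traffic, handed to the SFR (Firepower) module ---
class-map SFR_ALL
 match any
!
policy-map SFR_INSPECT
 class SFR_ALL
  sfr fail-open
!
! --- Apply the policy per firewall interface. Only interfaces that carry
!     the service-policy are inspected, which is how MPF lets you choose
!     which sub-interfaces Firepower sees. ---
service-policy SFR_INSPECT interface users
service-policy SFR_INSPECT interface servers
!
! --- Only needed if two sub-interfaces share the same security-level and
!     hosts on them must reach each other through the ASA ---
same-security-traffic permit inter-interface
```

Two points worth checking before relying on this. `sfr fail-open` lets traffic pass uninspected if the Firepower module is down or being upgraded; `sfr fail-close` drops it instead, which is the safer choice for segments where inspection is mandatory. And because the physical interface has no `nameif`, untagged (native VLAN) frames arriving on the trunk are dropped rather than silently landing on one of the VLAN gateways.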

Bula Karen,

Thanks for the confirmation as per my question.

In addition:

A. Will we need to trunk the link between our core switch and ASA internal interface (which will contain the sub-interfaces) and allow valid VLANs over this trunk?

B. Since routing between the VLANs will now be handled and inspected by ASA, I am guessing I will need to enable EIGRP on ASA firewall to do this?

Thanks for the advice so far.

Peni.

A: Yes

B: It depends. Very often, static routing is enough and a dynamic routing protocol is not needed.
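The two answers above, as an added example that is not part of the thread: the core-switch side of the trunk (Cisco IOS syntax) and the routing the ASA actually needs once the VLAN gateways live on its sub-interfaces. Port names, VLAN IDs and the 203.0.113.1 next hop are constructed for the example; the `switchport trunk encapsulation dot1q` line is only accepted on platforms that support more than one trunk encapsulation and is omitted on others.

```cisco
! ===== Core switch (IOS), constructed example =====
! Retire the switch SVIs that used to be the VLAN gateways, otherwise the
! switch and the ASA would both answer for the gateway address
no interface Vlan10
no interface Vlan20
!
! Uplink to the ASA: 802.1Q trunk that carries only the VLANs the ASA serves
interface GigabitEthernet1/0/1
 description Trunk to ASA Gi0/1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport trunk native vlan 999
 switchport nonegotiate
 no shutdown
!
! ===== ASA, constructed example =====
! VLAN 10 and VLAN 20 are directly connected on the sub-interfaces, so the
! ASA already knows how to reach them and routes between them itself.
! No EIGRP is required for that; a default route toward the outside is
! enough for everything else.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
```

The ASA does not speak DTP, so the switch port is forced to trunk mode with `switchport nonegotiate` instead of relying on negotiation. Pruning the trunk to the gateway VLANs and moving the native VLAN to an unused ID (999 here) means no user VLAN crosses the link untagged, which matters because the ASA's physical interface has no `nameif` and would simply drop those frames. A dynamic routing protocol only becomes necessary if there are additional routed networks behind the core switch that the ASA must learn about.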
