Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1702
Views
0
Helpful
1
Replies

SourceFire design and physical connectivity verification

J_Vansen_S
Level 7
Level 7

‎06-26-2015 01:59 AM - edited ‎03-12-2019 05:42 AM

Hi All,

I am in the process of coming up with a security design based on ASA clusters with sourcefire in HQ and ASA with sourcefire in remote sites.

 

Attached is my draft diagram.

I understand that there are ports difference on 5585X and the 5555x/5515x

 

HQ - 5585x (ASA and SFR on diff module)

  1. Are my physical connections to the MGMT LAN correct from the ASA and SOURCEFIRE modules? Meaning which both my Tier 1 and Tier 2 fw mgmt IPs are group into a MGMT subnet in the core and routed to the internet via T2 inside interface.

 

Remote Site - 5555x and 5515x (ASA & SFR uses same MGT port)

  1. Sites does not have a L3 switch, only L2 . Is it the correct way to connect M0/0 to a switch and back to the ASA as its gateway? Does not seem correct as m0/0 and ASA routed port cannot be on the same subnet.

 

Firesight Management Center

  1. All sourcefire in HQ and Remote sites needs to be connected back to it. Will my remote sites SRF have an issue connecting back to FMC in HQ based on my layout & design?

ASDM management

  1. How do i access ASDM of my remote sites ASA from HQ given that SFR is utilizing the m0/0 port

 

Ive read thru the 9.3 ASA SourceFire Module doc, all of which are quite vague and conceptual. Im having difficulty applying the context to my actual design.

 

Appreciate any advise

Labels:
Preview file
70 KB
0 Helpful
1 Reply 1

Marvin Rhoads
Hall of Fame
Hall of Fame

‎06-26-2015 10:13 AM

HQ - 5585x (ASA and SFR on diff module)

  1. Yes.

Remote Site - 5555x and 5515x (ASA & SFR uses same MGT port)

  1. The SFR module uses the same physical M0/0 on the ASA but has its own routing process independent of the base ASA. You can forgo using the M0/0 for the base ASA and use it exclusively for SFR management. In that use case, you can put it on the same VLAN and subnet as the ASA insdie interface and even use that ASA interface as the default gateway for the ASA.

Firesight Management Center

  1. No problem if you use the scheme I mentioned above for the remote sites.

ASDM management

  1. Allow management via the remote sites' ASA inside interface as opposed to the m0/0 interface.
0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card