Using Interface groups in an access policy?

Chess Norris
Level 4

Hello,

I am doing a migration from a multi-context ASA to a single-context FTD. Both contexts in the ASA had a lot of sub-interfaces and I want to make sure we don't leak any traffic between the interfaces previously belonging to the two contexts.
Instead of manually adding all interface zones in block rules, I wonder if I could use two interface groups, add the interfaces to those groups and then just do a block rule for traffic between those two interface groups?
I tried to add an interface group as an interface group, but when searching for that object in the ACP, I cannot find it either under Zones or Networks.


Thanks

/Chess



balaji.bandi
Hall of Fame

How are you doing it, using FDM or FMC?

BB

I am using FMC and FTD 2130.


Thanks

/Chess

Thanks for the information. Then you need to do some groundwork and change the design; most of FTD is zone-based.

You need to choose which path to go with:

1. We did some migrations with multi-instance on FTD 4K (FTD 21XX is not supported here, I guess).

https://community.cisco.com/t5/security-blogs/migrating-asa-multi-context-to-ftd-multi-instance/ba-p/3893465

2. If you are looking at zones with a single instance, then you need to make the design accordingly; this requires some testing.

BB

@Chess Norris sounds like you need to use "Security Zones" - add the interfaces to the required zones and create the required ACP rules.

The problem is that all interfaces already belong to individual zones (one zone per interface), so I cannot create a new zone because an interface can only belong to one security zone. That's why I thought I could use interface groups instead, but it seems like I cannot use interface groups in an access policy.

Thanks

/Chess

Correct - ACP is zone-based and cannot use Interface Groups. NAT rules can use IGs.
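As an added illustration (not code from this thread or from Cisco): a small Python model of the constraints stated above, using a constructed set of sub-interfaces labelled with their former ASA context. It builds the two zone-based block rules that replace per-interface blocks, refuses an interface group in an ACP rule, and audits which cross-context interface pairs a rule set leaves uncovered.

```python
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Interface:
    name: str
    context: str   # former ASA context the sub-interface came from (constructed label)
    zone: str      # its FMC security zone; an interface belongs to at most one zone

@dataclass(frozen=True)
class InterfaceGroup:
    name: str   # an interface group; in FMC it is usable in NAT rules, not in the ACP

@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str
    source_zones: frozenset
    destination_zones: frozenset

def make_rule(name, action, src, dst):
    """ACP rules match on security zones only, so an interface group is rejected outright."""
    for ref in list(src) + list(dst):
        if isinstance(ref, InterfaceGroup):
            raise TypeError(f"{ref.name}: interface groups are not valid in ACP rules (NAT only)")
    return AccessRule(name, action, frozenset(src), frozenset(dst))

def zones_for_context(interfaces, context):
    return {i.zone for i in interfaces if i.context == context}

def inter_context_block_rules(interfaces, ctx_a, ctx_b):
    """Two deny rules instead of one block per zone pair: every zone of one former
    context as source and every zone of the other as destination, then the reverse."""
    za, zb = zones_for_context(interfaces, ctx_a), zones_for_context(interfaces, ctx_b)
    if za & zb:
        raise ValueError(f"zones shared between both contexts: {sorted(za & zb)}")
    return [make_rule(f"block-{ctx_a}-to-{ctx_b}", "BLOCK", za, zb),
            make_rule(f"block-{ctx_b}-to-{ctx_a}", "BLOCK", zb, za)]

def uncovered_pairs(interfaces, rules):
    """Cross-context (source, destination) interface pairs that no BLOCK rule's zones cover."""
    blocks = [r for r in rules if r.action == "BLOCK"]
    return sorted((s.name, d.name) for s, d in product(interfaces, interfaces)
                  if s.context != d.context and not any(
                      s.zone in r.source_zones and d.zone in r.destination_zones for r in blocks))

# Constructed sample: one security zone per sub-interface, as in the thread.
SAMPLE = [Interface("Gi0/1.10", "ctxA", "zone-a-10"), Interface("Gi0/1.20", "ctxA", "zone-a-20"),
          Interface("Gi0/2.30", "ctxB", "zone-b-30"), Interface("Gi0/2.40", "ctxB", "zone-b-40")]
```

Running `uncovered_pairs(SAMPLE, inter_context_block_rules(SAMPLE, "ctxA", "ctxB"))` returns an empty list; dropping the reverse rule leaves the four ctxB-to-ctxA pairs uncovered.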

Chess Norris
Level 4

Thanks everyone. I got all the information I need.

/Chess
