what subnet (ip) to assign asa managment interface

rnbhatija · ‎05-28-2015

We recnetly got a new ASA 5515 device with source fire, so we need to put in a managment interface. the consultant gave the managment interface 192.168.1.x ip, (same subnet as sourcefire),

this created an issue, as asa started dropping packets from VPN /DMZ going to Server Subnet , thinking 192.168.1.x subnet was at managment (no traffic is passed thru managment interface.)

i had to disable the managment interface to get vpn/dmz to start passing traffic to server subnet. SO now i am wondering what ip address to assign managment interface and what subnet to put sourcefire on,

if i put it on 10.1.10.x (as RSA appliances/fortinet/ and cisco internal interface are on this subnet , asa will start again dropping packets thinking its connected to managment side.

server subnet 192.168.1.x

pc subnet 10.1.14.x

outside is 209.x.x.x.

asa internal inter face is 10.1.10.x

Vibhor Amrodia · ‎05-30-2015

Hi,

You have to use any unused subnet on this interface. This subnet is never advertised externally and hence you can use any IP range which is not matching your existing subnet range.

Also refer to this information:-

http://www.cisco.com/c/en/us/support/docs/security/ips-sensor-software-version-71/113690-ips-config-mod-00.html

Thanks and Regards,

Vibhor Amrodia

rnbhatija · ‎08-19-2015

i will have to create new subnet for this?

but how will i get packets from this subnet to go to internal (do i need to create a route?),, specifically to sourcefire VM subnet, so that management interface can talk to sourcefire firesight that is on sever subnet 192.