02-10-2019 02:44 AM - edited 03-05-2019 11:15 AM
Dear All,
Please, your candid advice and help are required to resolve the scenario below.
We have ASA5516 with firepower. it was co-located in the public data center.
The data center provided us with 2 different subnets, 1 for the WAN interface and another one to be used for hosts behind the router. The WAN is like 192.210.14.76/30 and the traffic subnet is like 192.210.14.144/29. The subnet 192.210.14.76/30 has been configured on the WAN interface, and the service provider said the subnet is not configured to route traffic to the internet. I know we can use one of the interfaces to connect the hosts behind the router and use a static route to forward the traffic to the WAN interface. If the second subnet is configured on one of the interfaces, I don't know how to forward the incoming and outgoing traffic to the Firepower module for inspection.
The challenge is how we configure both subnets on this ASA and have Firepower inspect the traffic. Do I need to introduce another router?
Thanks in anticipation of your favorable reply
Regards
Timothy
02-10-2019 07:02 AM
02-12-2019 02:48 AM
I guess the provider has given you the subnet 192.210.14.76/30 for communication between his network and your firewall.
So an IP address in this subnet is necessary for your ASA outside interface.
This subnet itself has no access from/to the internet, but is necessary to communicate with the provider network.
(Access is THROUGH this network, but not FROM this network.)
Your provider sees the subnet 192.210.14.144/29 behind your ASA
and routes it to the ASA's address in the 192.210.14.76/30 network.
You use the 192.210.14.144/29 addresses as outside NAT addresses on your ASA.
Your ASA needs to be "normally" configured for an inside, DMZ, etc.
Your Firepower module needs an IP address for management access; read the Firepower configuration guide.
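The design described in the reply above, written out as an ASA 9.x configuration fragment. This is an added illustration, not configuration from the original poster or the reply: the interface names, the inside subnet 10.0.0.0/24, the web server 10.0.0.10, and the choice of 192.210.14.77 as the provider's end of the /30 (with .78 on the ASA) are all assumptions; only the two subnets come from the thread. The /29 is never assigned to an interface: hosts reach the internet because their addresses are translated into it, the provider already routes the /29 to the ASA, and the service policy sends every flow through the ASA to the Firepower (SFR) module.

```cisco
! Outside interface: one usable address from the provider's /30 (assumed .78; .77 assumed to be the provider)
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 192.210.14.78 255.255.255.252
!
! Inside interface: private space for hosts behind the ASA (assumed 10.0.0.0/24)
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
!
! Default route towards the provider's end of the /30 (assumed .77)
route outside 0.0.0.0 0.0.0.0 192.210.14.77 1
!
! Inbound: one server published on a /29 address (static NAT, assumed host 10.0.0.10 -> 192.210.14.146)
object network SRV-WEB
 host 10.0.0.10
 nat (inside,outside) static 192.210.14.146
!
! Outbound: all other inside hosts hide behind a single /29 address (dynamic PAT to 192.210.14.150)
object network INSIDE-NET
 subnet 10.0.0.0 255.255.255.0
 nat (inside,outside) dynamic 192.210.14.150
!
! Only HTTPS to the published server is allowed in from the outside; everything else from the
! lower-security interface is denied by default (ACL matches the real, untranslated address)
access-list OUTSIDE-IN extended permit tcp any object SRV-WEB eq 443
access-group OUTSIDE-IN in interface outside
!
! Redirect all traffic the ASA forwards to the Firepower module for inspection.
! fail-open keeps traffic flowing if the module is down; use fail-close if an outage
! should block traffic instead.
class-map SFR-CLASS
 match any
policy-map global_policy
 class SFR-CLASS
  sfr fail-open
service-policy global_policy global
```

To check the result, `show nat detail` lists the translations with hit counts, `show service-policy sfr` confirms packets are being redirected to the module, and `packet-tracer input inside tcp 10.0.0.10 1025 <internet-address> 443` walks a flow through the route lookup, the NAT rule and the SFR redirection step so you can see where it would be dropped.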