Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1360
Views
0
Helpful
2
Replies

How to configure two different subnet for WAN and Traffics on ASA 5516 with firepower

oladapo20
Level 1
Level 1

‎02-10-2019 02:44 AM - edited ‎03-05-2019 11:15 AM

Dear All,

 

Please,your candid advice and help required for resolve the scenario below.

 

We have ASA5516 with firepower. it was co-located in the public data center. 

The data center provided us with 2 different subnets, 1 for WAN interface and another one to be used host behind router. The WAN is like 192.210.14.76/30 and Traffic subnet is like 192.210.14.144/29. The Subnet 192.210.14.76/30 has been configured on the WAN interface and service provider said the subnet is not configured to route traffic to internet. I know we can use one of the interface to connect the host behind router and use static route forward the traffic to the WAN interface. If the Second subnet is configured on one of the  interface I don't know how to forward the incoming and outgoing traffic to Firepower module for inspection. 

The challenge is how do we for both subnet on this ASA and have firepower inspect the traffic. Do I need to introduce another router?

 

Thanks in anticipation of your favorite reply

 

Regards

Timothy 

Labels:
0 Helpful
2 Replies 2

Jaderson Pessoa
VIP Alumni
VIP Alumni

‎02-10-2019 07:02 AM

Dear oladapo,
try to user a RSPAN, check link below for more information.

https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst2960/software/release/12-2_40_se/configuration/guide/scg/swspan.pdf
Jaderson Pessoa
*** Rate All Helpful Responses ***
0 Helpful

pieterh
VIP
VIP

‎02-12-2019 02:48 AM

I guess the provider has given you subnet 192.210.14.76/30 for communication between his network and your firewall.

So an ip-address in this subnet is necessary for your ASA outside interface.

this subnet itself has no access from/to internet, but is necessary to communicate to the provider network.

(access is THROUGH this network, but not FROM this network)

 

your provides sees this subnet 192.210.14.144/29 behind your ASA

and routes it to the ASA with address in 192.210.14.76/30 network

you use the 192.210.14.144/29 adresses as outside NAT adresses on your ASA.

 

your ASA needs to be "normally" configured for an inside, DMZ, etc.

your firepower module needs an ip-address for management access, read firepower configuraton guide

 

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card