ASA Inside Interface IP's Best Practice

Mokhalil82 · ‎07-07-2015

Hi Guys

I have a core L3 switch, connected up to a HA pair of ASA Firewalls. Now I need to give the asa 2 x inside addresses (active/standby), management IP address and an IP for the firepower module. So I have 2 questions.

1) What is the best practice to assigning the inside interfaces the IP addresses, do I create a say /29 subnet on the core switch and assign 2 ips from there to the inside interface OR can I just use 2 IPs from my management subnet which has spare IPs. Im guessing Id best practice would be to create a new /29 subnet and assign from there but I would just like to conform.

2) Do the asa and firepower module use the same IP or separate, and can these both be from the management range.

Thanks

Reza Sharifi · ‎07-07-2015

Hi,

Are you using a physical port to manage each firewall i.e 0/0 and 1/0?

If that is the case, than you can create a new subnet (/28 or 29) just for management and give each physical interface an ip address. I think, you also need an IP address in the same segment for firepower module.

HTH

Mokhalil82 · ‎07-07-2015

Hi Reza

Yes Im using G0/1 on both firewalls for the inside interfaces.

For the management port I would use an IP from my internal management range. Now for the inside interfaces I know that both solutions (assigning IPs from m management range & creating a new /28 or /29 for the purpose) will work, but just trying to find which would be best practice

Reza Sharifi · ‎07-07-2015

Hi,

I personally would keep them separate just in case something happens to the inside interface, I can still access the box. This way I keep the management separate from data plane.

HTH