Lab Minutes Forum
Technical Discussion => Security => Topic started by: ozone007 on January 04, 2016, 01:50:18 AM
-
Hello guys, I am doing a Sourcefire POC. Can anyone please guide me on the following?
I have a 5585 with a Sourcefire hardware module.
Below is the topology after putting the ASA 5585 in place (as of now there is no ASA in between).
Please check the attachment.
Core-1:
interface GigabitEthernet1/3
description Link to s-rl-ns-dat-1
ip address 10.200.0.1 255.255.255.252
ip flow egress
ip policy route-map NK_CO_INET
ip ospf network point-to-point
end
CORE-2:
interface GigabitEthernet1/5
description Link to s-rl-ns-dat-2
ip address 10.200.0.69 255.255.255.252
ip policy route-map NK_CO_INET
ip ospf network point-to-point
wrr-queue cos-map 2 2 3 6 7
wrr-queue cos-map 3 1 4
snmp ifindex persist
end
DAT-1:
interface GigabitEthernet1/1/7
description * Link to s-rl-ns-cor-1
no switchport
ip address 10.200.0.2 255.255.255.252
ip ospf network point-to-point
ip ospf cost 5
mls qos trust dscp
end
DAT-2:
interface GigabitEthernet2/1/7
description * Link to s-rl-ns-cor-2
no switchport
ip address 10.200.0.70 255.255.255.252
ip policy route-map NK_CO_INET
ip ospf network point-to-point
mls qos trust dscp
end
Please provide your suggestions on how we can put the ASA in transparent mode as shown in the image.
-
First of all, you will probably need two security contexts, one for each uplink. Each context will be mapped to a unique pair of physical interfaces with traffic being bridged between the interfaces. You will need to change from /30 to /29 as each context will need one mgmt IP. You can then just redirect traffic to FP with a policy map.
-
Yes, I can understand the redirecting and Sourcefire stuff, but the client is not ready to change the subnet. In that case, how can we achieve this?
-
You can try not assigning an IP to each production context (I can't see why it would not be possible, but please confirm) and use the third context exclusively for management.
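As an added illustration (not posted by anyone in this thread), this is one way the design described in the two replies could look on the ASA: two transparent contexts, each bridging one Core/DAT link, plus an admin context that alone carries an IP. Interface names, context names and the management address are assumptions; the bridge groups carry no IP as the second reply suggests, so the existing /30 links stay unchanged.

```cisco
! --- System execution space (assumed 5585-X interface names; each needs "no shutdown" here) ---
mode multiple
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
! path1 bridges the Core-1 <-> DAT-1 link, path2 the Core-2 <-> DAT-2 link
context path1
 allocate-interface TenGigabitEthernet0/6 core1
 allocate-interface TenGigabitEthernet0/7 dat1
 config-url disk0:/path1.cfg
context path2
 allocate-interface TenGigabitEthernet0/8 core2
 allocate-interface TenGigabitEthernet0/9 dat2
 config-url disk0:/path2.cfg
!
! --- Context admin (routed): the only context holding an IP, used for management (address assumed) ---
interface Management0/0
 nameif management
 security-level 100
 ip address 192.0.2.10 255.255.255.0
!
! --- Context path1 (path2 is identical with core2/dat2) ---
firewall transparent
interface core1
 nameif outside
 security-level 0
 bridge-group 1
interface dat1
 nameif inside
 security-level 100
 bridge-group 1
! BVI1 is left without an IP (second reply) so the /30 links stay as they are;
! if the release insists on a BVI address, the links must grow to /29 (first reply)
! OSPF (protocol 89, multicast) must be explicitly permitted to cross a transparent ASA in both directions
access-list TRANSIT extended permit ip any any
access-group TRANSIT in interface outside
access-group TRANSIT in interface inside
! hand every bridged flow to the FirePOWER (SFR) module, forwarding if the module is down
class-map SFR_ALL
 match any
policy-map global_policy
 class SFR_ALL
  sfr fail-open
service-policy global_policy global
```

Verify on the target ASA release that a bridge group passes traffic without a BVI address before relying on it, since the second reply itself asks for confirmation of that point.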