ASA 8.4 transparent mode active/active questions

Similar Messages

• Trying to figure out whether I can use an ASA cluster in Transparent mode to facilitate VRF based network ??

  Hi Guys,
  I had to re-post this here because I did not get any comments earlier.. hopefully I'll get something here.. :)
  I'm investigating the ways that I can use 2 x ASA (5525x) to accommodate Multi-tenancy situation with overlapping addresses. Unfortunately in this particular scenario we have to stick with 5525x firewalls.
  The ASAs are going to be placed in north-south traffic path between 2 routers and these routers need to be configured with multiple VRFs to segregate the traffic for each tenant with overlapping IP subnets ( We are not looking at NAT as a workaround for the time being).
  As we know, this ASA model won't support VRFs so we can't use the ASA as a intermediary routing hop and therefore this is not an option.. and using security contexts per VRF seems not scale-able enough (correct me if I'm wrong). So my thinking is that, if we put the ASAs in to the transparent mode and just use the ASAs as a layer 2 interconnect (configured with different VLANs connecting VRFs served by top and bottom routers)  I should be able to go up to maximum of 50 VRFs (since 5525x only supports 200 VLANs).  
  I'm also planning to use the 2 ASAs in a cluster mode to aggregate the bandwidth of both ASAs for better throughput.
  So I need to clarify following with you guys.. 
  1) Can I actually do this or am I missing something.
  2) Are there any limitations that I might run in to with this setup
  3) Is there anyone out there who's doing the same thing or can you think of a better way to tackle this scenario (with same hardware and requirements)
  4) Instead of using clustering, can I use simple Active/Stanby pare and still configure transparent mode and use it that way ?
  Appreciate your input.
  Thanks
  Shamal 

  There is a limitation on how many context you can have, which depends on the license you have.  This is quite possible with ASA multi routed mode and even with multi transparent mode.  You can have overlapping ip in each context without the need of using nat as long as you have unique mac address for each sub interface.
  Thanks

• Connectivity Issues Cisco ASA 5515 in Transparent Mode

  Hi,
  we´re having problems with one transparent mode setup at one customer site. The ASA is equiped with a CX Module, but we´re not using it, so far in the service policy rules it was enabled and matched all traffic, but in "monitor only" mode. There is a global acl that allows any-any-IP.
  Firewall-Info:
  - ASA Version 9.1(2) 
  - Interfaces gi0/0 + gi0/2 without any interface errors
  The ASA 5515x is configured as a "bump in the wire". In general our setup is working but with beginning of the installation of the firewall the customer faces following connection issues, without the firewall no problems:
  - Connections to SAP-Servers behind the MPLS begin to drop, affected all users
  - Incoming monitoring sessions (ping/snmp) from central management are facing ping timeouts, connection timeouts
  - http downloads are stopping, Customer: it will stop responding and the download will fail.
  In general the customer describes it this way: "We do not have the best connection here so once we connected the firewall all the problems are magnified"
  I recognized, that we unconfigured the default inspection during initial setup and reconfigured this entry for the cx module. So the the default inspection with all the settings are not present any more... How important are these settings? One phenomen is, that I´ve seen a large numbers of concurrent connections that increased over time. And we already had that situation, that the firewall reached the max-conn count.
  Should I try to reconfigure the default inspection, as it ships from factory? And whats the best way to check for problems? What can be the reason for the dropping connections?
  I attached a network plan and the firewall config, hopefully, that somebody has an idea. Of course I can provide additional information...
  Best Regards
  Sebastian

  Hi Vibhor,
  thanks for your reply. Does this also affect the traffic, even the setting is set to "Monitor Only" ?
  Is it recommend to configure the default-inspection rule as a default setting? 
  Further Question: I´ve read sth. about, that service policy rules must be "reloaded" to take effect, after they have been changed. Is that right and how do I reload them?
  Here is an output from sh asp drop, do I have to care about certain values? This values result from two connected users doing some downloads over a 2Mbit connection.
  ciscoasa# show asp drop
  Frame drop:
    Invalid encapsulation (invalid-encap)                                       10
    First TCP packet not SYN (tcp-not-syn)                                     114
    TCP failed 3 way handshake (tcp-3whs-failed)                                 3
    TCP RST/FIN out of order (tcp-rstfin-ooo)                                   18
    Dst MAC L2 Lookup Failed (dst-l2_lookup-fail)                               33
    L2 Src/Dst same LAN port (l2_same-lan-port)                                260
    FP L2 rule drop (l2_acl)                                                  2958
    Interface is down (interface-down)                                        9420
    No management IP address configured for TFW (tfw-no-mgmt-ip-config)        117
    Dropped pending packets in a closed socket (np-socket-closed)               66
  Thanks
  Sebastian

• ASA 55xx in transparent mode - switch ARP table?

  Guys,
  It's a basic question about how transparent mode firewalls communicate with the connecting switches.
  My understanding is that if I separate the LAN eg. 10.1.1.x with a transparent firewall than it will only "snoop" the traffic and will not change anything in the Ethernet header.
  Is it correct or still will replace the MAC address with the firewall physical interface address to send the frame to the connecting switch?
  e.g.
  client--------->switch------->transparent 5510-------->switch---------->server
  10.1.1.1                                                                                              10.1.1.100
  When the client sends the ARP to look up the hardware address of the server then what will that received back?
  The MAC address of the transparent ASA, or the server?
  Thank you!

  Source MAC address is never changed if the traffic is passing through same IP subnet (vlan). Here the firewall is in transparent mode and if it alter the source mac address communication will not happen. This is a very fundamental network concept. However it may recreate the same frame with same souce/destination mac addresses.
   

• ASA 5510 in Transparent Mode-Guidelines.

  Dear all,
  I need to convert routed mode to transparent mode on my ASA-5510 with inbuilt IPS.
  let me know which of the following features configured on my firewall will have issue if converted to transparent mode:
  1. static routes.
  2. object-groups.
  3. ACLS.
  4. URL-filter (Websense).
  5. IPS . ( i doubt this )
  6. have 3 data and 1 Mgmt interfaces.
  7. syslog.
  8. SNMP
  I'm sure point 5 and 6 will have issues, need to confirm.
  need to confirm this by EOD,
  ( 5 hours more).
  thanks in advance.
  Shukla.

  Does not participate in routing protocols but can still pass routing protocol traffic through it. You can define static routes for the traffic originated by the ASA.
  in transparante mode the devices dehind and infront of the firewall will be in the same ip subnet as the firewall will be a L2 device!!
  ACLs can be configured normally
  syslog as well
  obgect groups as well
  Address translation is inherent when a firewall is configured for routed mode. Beginning with
  ASA 8.0, address translation can be used in transparent mode as well
  Does not participate in multicast. However, it allows passing the multicast traffic through it using the ACLs.
  Does not support QoS.
  Inspects Layer 2 and higher packet headers
  as long as u can use
  policy-map global_policy
  then u can integrate with IPS if u mean AIP-ssm modul
  transparent also known as a Layer 2 firewall or a stealth firewall, because its
  interfaces have no IP addresses and cannot be detected or manipulated. Only a single
  management address can be configured on the firewall
  In transparent mode, a firewall can support only two interfaces-the inside and the outside. If
  your firewall supports more than two interfaces from a physical and licensing standpoint, you
  can assign the inside and outside to two interfaces arbitrarily. As soon as those interfaces are
  configured, the firewall does not permit a third interface to be configured.
  Some platforms also support a dedicated management interface, which can be used for all
  firewall management traffic. However, the management interface cannot be involved in
  accepting or inspecting user traffic
  Configure a management address:
  Firewall(config)# ip address ip_address subnet_mask
  The firewall can support only a single IP address for management purposes. The address is
  not bound to an interface, as in routed mode. Rather, it is assigned to the firewall itself,
  accessible from either of the bridged interfaces.
  The management address is used for all types of firewall management traffic, such as Telnet,
  SSH, HTTP, SNMP, Syslog, TFTP, FTP, and so on.
  A transparent firewall can also support multiple security contexts. In that case, interface IP
  addresses must be configured from the respective context. The system execution space uses
  the admin context interfaces and IP addresses for its management traffic
  You do not have to configure a static route for the subnet directly connected to the firewall
  interfaces. However, you should define one static route as a default route toward the outside
  public network
  i wish i covered all ur questions
  good luck
  if helpful Rate

• ASA Routed or Transparent mode

                     Hi ,
  I am planning to deploy ASA as internal Firewall ... as all the Inside and Outside zones will be having same Ip range . I am confused about its deployment . Can any1  help me on deciding on deploying it as Routed mode or transparent mode

  Transparent.
  Just the intro of the following file will answer your question:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

• Cisco ASA 55XX Transparent mode VLAN traversing

  Hello Cisco Forum Team!
      In a scenario where the Cisco ASA is in Transparent mode, is it possible to transmit L2 traffic from other VLANs different than the native VLAN the management IP of the firewall resides?
  The switches on the outside and inside interfaces of the ASA are in trunk mode and I am trying to pass L2 VLAN ttraffic from inside to outside and vice-versa using filters on the switches (switchport trunk allowed vlan). 
  Thanks in advanced for your support and comments!

  Yes it is possible but you will be limited to 8 VLANs, or more accurately, 8 BVI interfaces so this is not a scalable solution.  The catch is that you will need to have different VLANs for the same subnet at either end of the ASA. 
  To clarify this, lets say you are using interface Gig0/1 and Gig0/2.  On Gig0/1 you would have configured subinterfaces with VLANs 2, 3, and 4.  Now if you try to configure these same VLANs on Gig0/2 you will get an error saying something like this VLAN is already configured on another interface...I don't remember the exact error. 
  So to get this working you would need to configure Gig0/2 with subinterfaces for VLANs...lets say...5, 6, and 7.  you would then associate VLANs 2 and 5 with BVI 1, VLANs 3 and 6 with BVI 2, and VLANs 4 and 7 with BVI 3.  Each BVI interface would have its own IP address for the subnet that is being bridged across the ASA.
  Please remember to select a correct answer and rate helpful posts

• ASA Transparent Mode - Stateful Inspection

  Hi Community,
  I would appreciate any input other may be able to provide on the behaviour of ASA when in Transparent mode.
  I have a few scenarios and am looking to confirm stateful inspection behaviour for.
  By default I shall block all traffic.
  1 - Flow initiated Inside to outside (Higher to Lower security interface)
       - Rule on inside
  2 - Flow Initiated Outside to Inside (Lower to Higher security interface)
       - Rule on Outside
       - Appears to require rule on inside to allow response - No Stateful inspection
  3 - Flow initiated Inside to Outside - With Application inspection (Higher to Lower)
       - Rule on inside + App inspection
  4 - Flow initiated Outside to Inside - With Application Inspection (Lower to Higher)
       - Rule on outside + App Inspection
       - Appears to require rule on inside to allow response - No Stateful Inspection
  The references guide could do with some clarification around transparent behaviour.
  Many thanks

  Hello,
  For flow innitiated on the inside to the outside you do not need an acl on the outside for the returning traffic, that is the main idea of the stateful inspection.
  As soon as you do not have any ACLs applied to the inside interface this will be like this:
  1 - Flow initiated Inside to outside (Higher to Lower security interface)
  2 - Flow Initiated Outside to Inside (Lower to Higher security interface)
       - Rule on Outside
       - Appears to require rule on inside to allow response - No Stateful inspection
  3 - Flow initiated Inside to Outside - With Application inspection (Higher to Lower)
      App inspection
  4 - Flow initiated Outside to Inside - With Application Inspection (Lower to Higher)
       - Rule on outside + App Inspection
  Regards,

• VRF issue with Firewall in transparent Mode.

  Hi Guys,
  I have 7609 Router and 6513 L3 Switch connected Through ASA 5545.
  I am running Multiple VRF between router and Switch and BGP routing Protocol. When they are connected directly to each other everything is normal, however, when I have connected them via ASA 5545 then everything fails. I am using ASA in transparent Mode.
  My question is: Do ASA require different setting in case of VRF? If yes, then please give me sample config.

  I have taken following output from Firewall will this be any help?
  sh interface ouTSIDE
  Interface GigabitEthernet0/1 "OUTSIDE", is up, line protocol is up
    Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
          Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
          Input flow control is unsupported, output flow control is off
          MAC address 7c69.f68f.df78, MTU 1500
          IP address 175.4.8.35, subnet mask 255.255.255.248
          8435 packets input, 680680 bytes, 0 no buffer
          Received 8135 broadcasts, 0 runts, 0 giants
          0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
          0 pause input, 0 resume input
          8138 L2 decode drops
          0 packets output, 0 bytes, 0 underruns
          0 pause output, 0 resume output
          0 output errors, 0 collisions, 1 interface resets
          0 late collisions, 0 deferred
          0 input reset drops, 0 output reset drops
          input queue (blocks free curr/low): hardware (476/461)
          output queue (blocks free curr/low): hardware (511/511)
    Traffic Statistics for "OUTSIDE":
          297 packets input, 118503 bytes
          0 packets output, 0 bytes
          297 packets dropped
        1 minute input rate 0 pkts/sec,  13 bytes/sec
        1 minute output rate 0 pkts/sec,  0 bytes/sec
        1 minute drop rate, 0 pkts/sec
        5 minute input rate 0 pkts/sec,  6 bytes/sec
        5 minute output rate 0 pkts/sec,  0 bytes/sec
        5 minute drop rate, 0 pkts/sec
  ciscoasa# show asp drop
  Frame drop:
    FP L2 rule drop (l2_acl)                                                   297
  ASA Version 9.0(1)
  firewall transparent
  ciscoasa# show module all
  Mod Card Type                                    Model              Serial No.
    0 ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt     ASA5545           
  ips ASA 5545-X IPS Security Services Processor   ASA5545-IPS       
  Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
    0 7c69.f68f.df77 to 7c69.f68f.df80  1.0          2.1(9)8      9.0(1)
  ips 7c69.f68f.df75 to 7c69.f68f.df75  N/A          N/A          7.1(4)E4
  Mod SSM Application Name           Status           SSM Application Version
  ips IPS                            Up               7.1(4)E4
  Mod Status             Data Plane Status     Compatibility
    0 Up Sys             Not Applicable
  ips Up                 Up
  Mod License Name   License Status  Time Remaining
  ips IPS Module     Enabled         perpetual
  ciscoasa#
  I have create Ehtertype ACL and permit any traffic.
  cdp traffic has passed through but I am still not able to ping :(

• IPS in Transparent Mode

  Hi,
  I need to know if the 5512X IPS will work if the ASA is in transparent mode and/or any limitations.
  Thanks.

  Hello,
  Yes, it can definetly run on transparent mode
  An ASA in transparent mode can run an AIP.  In the event the AIP fails,
  the IPS will fail-open and the ASA will continue to pass traffic.
  However, if an interface or cable fails, then traffic will stop.  You
  would need a failover pair to account for this failure event, which
  means another ASA and matching AIP."
  Regards,
  Julio

• Asa in active/active vpn solution licensing question

  Hello All
  I have a customer with the following requirements:
  1) A Cisco VPN Solution that will be support SSL VPN and Cisco Client VPN - The  solution will be a failover configuration running in an active-active set up.  The solution offered will be fully supported (i.e. it will not go into End of  Life or and lower level of support etc) by Cisco for the next 5 Years.
  a. We  would expect the devices to be similar to the ASA 5520 Appliance with  SW,HA,$GE+1FE,£DES/AES (Including ASA 5500 Advanced Endpoint ASS)
  2) User  licenses for the above - Please quote for both the following
  a. 500 appropriate SSL VPN User Licenses
  b. 250  appropriate SSL VPN User Licenses
  I am quoting them for the 500 ssl vpn bundle
  ASA5520-SSL500-K9 and for the
  ASA5520-BUN-K9.
  Is it right that in active/active  software 8.3 and above that the 500 ssl vpn licenses will be shared between the 2 asa's or will I need to have 250 licenses on each asa.
  Also I have read that in active/active I cannot use shared licenses, is this relevant in a vpn solution?
  http://www.cisco.com/en/US/docs/security/asa/asa84/license/license_management/license_86.html#wp2003381
  Url above has this “The  backup server mechanism is separate from, but compatible with,  failover.
  Shared  licenses are supported only in single context mode, so Active/Active failover is  not supported.”
  Also “Failover  Guidelines
  •Shared licenses are not supported in Active/Active mode. See the "Failover  and Shared Licenses" section for more  information.
  I also need to purchase the
  ASA-ADV-END-SEC and
  ASA-AC-M-5520 (any connect mobile) as the vpn client is eos/eol.
  Do I need to buy this for both asa's or can they share them in active/active mode.
  Thanks in advance.
  Feisal

  Hi Vibhor and thanks for the quick reply. We will be using version 9.3. I was aware that the ASA does not support PBR but I thought with the new code you could do some policy nat that could help influence the outbound flow?
  So in this case we have 2x ISPs and 2x public address space, one from each ISP. How is the NAT and routing handled by the ASA in this design?
  Can I not identify the guest subnet (192.168.0.0/22) and NAT this to a public address from ISP1 and also identify the corp subnets (10.x.x.x)  and NAT them to ISP2?
  My understanding (which is probably wrong) is that the NAT will select the egress interface rather than the routing table, so guest will be sent via ISP1 since the SVI interface of the ASA that connects to this ISP1 has an IP address from the same public address space..?
  Is that incorrect?
  Many thanks
  Rays

• Asa active/active questions

  if i have asa's configured as active/active;
  1. Is this situation treated as one? I mean can i manage this only with IDM?
  2. The 5520 can have 130,000 connections. If i am using 2 of this which is config active/active, can i say that am having 130,000X2=260,000 connections?
  thanks.

  1. In ASA, Active/Active can only be acrhived when both ASA is in Multiple Context Mode (Security Context). Multiple Context logically divides the ASA into multiple virtual firewall. You can refer to following configuration example.
  http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a008063b316.html#wp1035787
  In your case, you need to create 2 context in each ASA, say Context-A and Context-B. In ASA-1, it should be active for Context-A and standby for Context-B. While in ASA-2, it should be standby in Context-A and active for Context-B. You should be have seperate set of configuration for each Context.
  To manage the configuration, you can use ASDM.
  2. I am sorry, I don't know that

• Can two ASA build up a loadbalance such as active/active mode ?

  Hi, Professionals
  I am wondering if two ASA be able to build up a loadbalance such as active/active mode, balance the traffic, ?
  thanks in advance,
  Yang

  Yes, running the ASA's in active/active is so you can load balance traffic. Here's a link with more information.
  http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080834058.shtml
  Hope it helps.

• How to tell if Active/active or Active/Standby mode is configured?

  Folks:
  I am still learning the output of my running config, but how do I tell if my firewall is set to Actve/Active or Active/Standby mode?
  In addition, how do I tell if it uses regular or stateful failover mode?
  Thank you

  I wanted to provide this as well, since I found it and it also helped me answering my question.
  This output shows Active/Active failover output.
  **Note** it says PIX; however, I beleive it will be the same output for ASA.
  PIX1(config-subif)#show failover
  Failover On
  Cable status: N/A - LAN-based failover enabled
  Failover unit Primary
  Failover LAN Interface: LANFailover Ethernet3 (up)
  Unit Poll frequency 15 seconds, holdtime 45 seconds
  Interface Poll frequency 5 seconds, holdtime 25 seconds
  Interface Policy 1
  Monitored Interfaces 4 of 250 maximum
  Version: Ours 7.2(2), Mate 7.2(2)
  Group 1 last failover at: 06:12:45 UTC Apr 16 2007
  Group 2 last failover at: 06:12:43 UTC Apr 16 2007
    This host:    Primary
    Group 1       State:          Active
                  Active time:    359610 (sec)
    Group 2       State:          Standby Ready
                  Active time:    3165 (sec)
                    context1 Interface inside (192.168.1.1): Normal
                    context1 Interface outside (172.16.1.1): Normal
                    context2 Interface inside (192.168.2.2): Normal
                    context2 Interface outside (172.16.2.2): Normal
    Other host:   Secondary
    Group 1       State:          Standby Ready
                  Active time:    0 (sec)
    Group 2       State:          Active
                  Active time:    3900 (sec)
                    context1 Interface inside (192.168.1.2): Normal
                    context1 Interface outside (172.16.1.2): Normal
                    context2 Interface inside (192.168.2.1): Normal
                    context2 Interface outside (172.16.2.1): Normal

• Multiple context mode and Active Active

  Hi Everyone,
  ASA in multiple context  mode works as active active mode.
  ASA has 2 contexts admin and  x.
  We have 2  physical ASA say ASA1 and ASA2 .
  Under system context we have hostname ASA
  When i ssh to ASA1 it brings the ASA/admin mode.
  sh failover shows
  sh failover shows
  This host:    Primary
  This host:    Primary
  When i try to login to ASA 2 it brings me to ASA/x prompt.
  sh failover shows
    This context: Active
  Peer context: Standby Ready
  Need to  know is there any way that i can login to other physical ASA?
  i hope my question makes sense.
  Message was edited by: mahesh parmar

  Hi Mahesh,
  To it seems that you are logging to different contexts in these 2 cases.
  Normally an admin always logs to the "admin" context IP address owned either by the primary IP address for the Active unit or the secondary IP address for the Standby unit.
  So what I would suggest you do first is that you go to the context "admin" and issue the command "show run interface"
  Then go to the context "x" and issue the command "show run interface"
  Now check the IP addresses on the interfaces.
  Especially the interface on the "admin" context should contain an IP address for both of the ASA units. Check the interface IP address which originally lead you to the "admin" context.
  For example
  ip address 10.10.10.1 255.255.255.0 standby 10.10.10.2
  If the above were true you would connecto the IP address 10.10.10.1 when you wanted to connect to the Active unit and use the IP address 10.10.10.2 when you wanted to connect to the current Standby unit
  - Jouni