ASA Transparent Mode Deployment Issue

Could you please be more specific as to what does not work.  How are you testing, from which IP to which IP is not working? Are you able to ping the switch from the ASA Firewall (not the transparent firewall)?
Please remember to rate and select a correct answer

Ok after a little research I think I have found a solution for you ( I am leaving out the policy map configs):
firewall transparent
hostname ASA-IPS
interface GigabitEthernet0/0.20
vlan 20
nameif Outside2
bridge-group 2
security-level 0
interface GigabitEthernet0/0.10
vlan 10
nameif Outside1
bridge-group 1
security-level 0
interface GigabitEthernet0/1.22
vlan 22
nameif Inside2
bridge-group 2
security-level 100
interface GigabitEthernet0/1.11
vlan 11
nameif Inside1
bridge-group 1
security-level 100
interface BVI1
ip address 10.10.10.10 255.255.255.0
interface BVI2
ip address 10.10.20.10 255.255.255.0
access-list inside_acl extended permit ip any any
access-list outside_acl extended permit ip any any
access-group outside_acl in interface Outside1
access-group inside_acl in interface Inside1
access-group outside_acl in interface Outside2
access-group inside_acl in interface Inside2
Also make sure that you amend the VLANs on the switch to correspond to the VLANs on the Transparent ASA.
Please remember to rate and select a correct answer

Similar Messages

  • ASA Transparent mode multicast traffic in 8.2 and 8.4

    Hi,
    When i configure 8.2 in trasparent mode and deploy the a network that was wrok on EIGRP after that i found the neighborship was stop when i allow the mutlicast address and prtocol on outside interface it was start the working But when i deploy an ASA with 8.4 IOS and then allow the multicast address and protocol both the interface (Inside and outside) after that it was start working.
    So i want to know that what the reasion to allow multicast address and protocol on 8.4 IOS for both interface. I am not able to find any answer for this.

    Hi Mahesh,
    By default ASA in transparent mode do not allow any packets not having a valid EtherType greater than or equal to 0x600. As per my knowledge this concept remain same for all versions of ASA. Most control plane protocols are denied.
    ASA in transparent mode only allows ARP, broadcast traffic, TCP and UDP inspected unicast traffic.
    For EIGRP to work through transparent firewall, we need to open ACLs in both direction for multicast and unicast both type of EIGRP traffic on all versions of ASA Firewall.

  • ASA transparent mode with secondary IP on the router

    Hi
    I have
    Router --- ASA (Transparent)----Switch
    and just wonder if it is possible to configure secondary IP on the router interface which is connected to ASA
    so there is plenty of room in terms of LAN IP range.
    Or to implement this, do I have change ASA to context mode and modify configuration on the ASA?
    hope I do not have to change anything on the ASA.
    Thanks

    ASA in transparant mode work as L2 device
    so what ever ips u use dosent matter
    u dont need to change anything in the ASA while it is in transperant mod
    but be careful of what is allowed to be passed through the firewall
    u can control it by ACLs
    the router and the switch u have will operat in L3 as thy connected directly or nothing between them from routing and layer three prespective
    so they shoud be in the same subnet VLAN and so on
    good lcuk
    please, if helpful rate

  • ASA Transparent Mode

    Hi Guys
    On the ASA running  the 8.4.4.1 code in transparent mode.
    Can I create sub interfaces in different vlans and attach them to different BVI groups?
    switch---trunk---ASA---Trunk---switch
    Gig0/1.1 vlan 100 bridge-gr1          Gig0/2.1 vlan 101 bridge-gr1
    Gig0/1.2 vlan 200 bridge-gr2          Gig0/2.2 vlan 201 bridge-gr2
    Is this possible?
    Thanks

    Hi,
    Yes you can do that. Please refer the below mentioned guide for better understanding.
    http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_complete_transparent.html
    Please do rate if the given information helps.
    By
    Karthik

  • ASA Transparent Mode & Routing

    Since ASA in transparent mode acts like a cable, do I need to have the routes on the firewall except for the management?

    You need to put routes only for the traffic originating from the firewall.

  • ASA Transparent Mode - Stateful Inspection

    Hi Community,
    I would appreciate any input other may be able to provide on the behaviour of ASA when in Transparent mode.
    I have a few scenarios and am looking to confirm stateful inspection behaviour for.
    By default I shall block all traffic.
    1 - Flow initiated Inside to outside (Higher to Lower security interface)
         - Rule on inside
    2 - Flow Initiated Outside to Inside (Lower to Higher security interface)
         - Rule on Outside
         - Appears to require rule on inside to allow response - No Stateful inspection
    3 - Flow initiated Inside to Outside - With Application inspection (Higher to Lower)
         - Rule on inside + App inspection
    4 - Flow initiated Outside to Inside - With Application Inspection (Lower to Higher)
         - Rule on outside + App Inspection
         - Appears to require rule on inside to allow response - No Stateful Inspection
    The references guide could do with some clarification around transparent behaviour.
    Many thanks

    Hello,
    For flow innitiated on the inside to the outside you do not need an acl on the outside for the returning traffic, that is the main idea of the stateful inspection.
    As soon as you do not have any ACLs applied to the inside interface this will be like this:
    1 - Flow initiated Inside to outside (Higher to Lower security interface)
    2 - Flow Initiated Outside to Inside (Lower to Higher security interface)
         - Rule on Outside
         - Appears to require rule on inside to allow response - No Stateful inspection
    3 - Flow initiated Inside to Outside - With Application inspection (Higher to Lower)
        App inspection
    4 - Flow initiated Outside to Inside - With Application Inspection (Lower to Higher)
         - Rule on outside + App Inspection
    Regards,

  • ASA Transparent Mode For Multiple Subnets

    I am looking to replace a FortiGate firewall which is currently working in transparent mode handling mutiple subnets with ASA 5515.  Currently, I am testing transparent mode configuration on ASA 5505, and it will not forward any traffic that is not in the same subnet as IP address assigned to BV interface.
    For example, the following configuration works.
    10.0.0.3/24 (computer) ---> 10.0.0.2/24 (firewall) ---> 10.0.0.1/24 (computer)
    However, the following does not work
    10.0.0.3/24 (computer) ---> 10.10.0.2/24 (firewall) ---> 10.0.0.1/24 (computer)
    I thought that transparent mode is just a bump in the wire, so why does the IP address/subnet assigned to BV interface affects the traffic?  Is the ASA capable of handling other/multiple subnets in transparent mode other than the subnet assigned to BV interface?
    By the way, I used to run PIX 515E 7.2(2) transparent mode filtering multiple subnets.  The current ASA 5505 is on 9.0(1).  Is it the limitation on the ASA 5505 model but not on the more powerful ASA model?
    Thank you

    Thank you @ttemirgaliyev, I tried but multiple context is not supported by ASA 5505.
    I have an example of PIX configuration in transparent mode filtering multiple subnets.  I was using this configuration in production environment in the past.  I am wondering if ASA 5510 or higher can handle this setup.
    : Saved
    : Written by enable_15 at 10:57:25.766 UTC Wed Jul 16 xxxx
    PIX Version 7.2(2)
    firewall transparent
    hostname pixfirewall
    enable password xxxxxxxxxx encrypted
    names
    interface Ethernet0
    nameif outside
    security-level 0
    interface Ethernet0.1
    vlan 1
    no nameif
    no security-level
    interface Ethernet1
    nameif inside
    security-level 100
    interface Ethernet1.1
    no vlan
    no nameif
    no security-level
    passwd xxxxxxxxxx encrypted
    ftp mode passive
    access-list outside extended permit udp any host 10.0.0.210
    access-list outside extended permit udp any host 10.0.0.3
    access-list outside extended permit tcp any host 10.0.0.110 eq smtp
    access-list outside extended permit tcp any host 10.0.0.110 eq www
    access-list outside extended permit tcp any host 10.0.0.57 eq smtp
    access-list outside extended permit tcp any host 10.0.0.57 eq www
    access-list outside extended permit tcp any host 10.0.0.75 eq www
    access-list outside extended permit tcp any host 10.0.0.75 eq ftp
    access-list outside extended permit tcp any host 10.0.0.75 eq 5003
    access-list outside extended permit tcp any host 10.0.0.75 eq 403
    access-list outside extended permit tcp any host 10.0.0.75 eq 407
    access-list outside extended permit tcp any host 10.0.0.76 eq ftp
    access-list outside extended permit tcp any host 10.0.0.2 eq pcanywhere-data
    access-list outside extended permit udp any host 10.0.0.2 eq pcanywhere-status
    access-list outside extended permit tcp any host 10.0.10.61
    access-list outside extended permit tcp any host 10.0.10.62
    access-list outside extended permit tcp any host 10.0.10.63
    access-list outside extended permit tcp any host 10.0.10.64
    access-list outside extended permit tcp any host 10.0.13.225 eq ftp
    access-list outside extended permit tcp host 192.168.4.30 host 10.0.17.254 eq telnet
    access-list outside extended permit tcp any host 10.0.13.225 eq telnet
    access-list outside extended permit tcp any host 10.0.10.61 eq 50
    access-list outside extended permit udp any host 10.0.10.61 eq isakmp
    access-list outside extended permit tcp any host 10.0.10.62 eq 50
    access-list outside extended permit udp any host 10.0.10.62 eq isakmp
    access-list outside extended permit tcp any host 10.0.10.63 eq 50
    access-list outside extended permit udp any host 10.0.10.63 eq isakmp
    access-list outside extended permit tcp any host 10.0.10.64 eq 50
    access-list outside extended permit udp any host 10.0.10.64 eq isakmp
    access-list outside extended permit tcp any host 10.0.0.219
    access-list outside extended permit udp any host 10.0.0.219
    access-list outside extended permit udp any host 10.0.10.61
    access-list outside extended permit udp any host 10.0.10.62
    access-list outside extended permit udp any host 10.0.10.63
    access-list outside extended permit udp any host 10.0.10.64
    access-list outside extended permit icmp any host 10.0.10.29
    access-list outside extended permit tcp any host 10.0.10.29 eq ftp
    access-list outside extended permit tcp any gt 1023 host 10.0.10.29 eq ftp-data
    access-list outside extended permit tcp any host 10.0.0.110 eq pop3
    access-list outside extended permit tcp any host 10.0.0.57 eq pop3
    access-list outside extended permit tcp any host 10.0.10.27 eq pcanywhere-data
    access-list outside extended permit udp any host 10.0.10.27 eq pcanywhere-status
    access-list outside extended permit tcp any host 10.0.10.31 eq pcanywhere-data
    access-list outside extended permit udp any host 10.0.10.31 eq pcanywhere-status
    access-list outside extended permit tcp any host 10.0.0.222 eq pcanywhere-data
    access-list outside extended permit udp any host 10.0.0.222 eq pcanywhere-status
    access-list outside extended permit icmp any host 10.0.10.28
    access-list outside extended permit tcp any host 10.0.10.28 eq pptp
    access-list outside extended permit gre any host 10.0.10.28
    access-list outside extended permit ip any host 10.0.10.28
    access-list outside extended permit ip any host 10.0.10.29
    access-list outside extended permit tcp any host 10.0.10.25 eq 8234
    access-list outside extended permit tcp any host 10.0.17.217 eq 8234
    access-list outside extended permit tcp any host 10.0.17.217 eq 8235
    access-list outside extended permit tcp any host 10.0.17.217 eq www
    access-list outside extended permit ip any host 10.0.10.36
    access-list outside extended permit ip any host 10.0.10.37
    access-list outside extended permit ip any host 10.0.10.38
    access-list outside extended permit ip any host 10.0.10.39
    access-list outside extended permit ip any host 10.0.10.40
    access-list outside extended permit ip any host 10.0.10.41
    access-list outside extended permit tcp any host 10.0.0.235 eq www
    access-list outside extended permit tcp any host 10.0.10.2 eq www
    access-list outside extended permit tcp any host 10.0.10.2 eq 3389
    access-list outside extended permit tcp host 192.168.1.234 host 10.0.0.211 eq 4899
    access-list outside extended permit tcp any host 10.0.0.211 eq www
    access-list outside extended permit tcp any host 10.0.10.35 eq www
    access-list outside extended permit tcp any host 10.0.10.36 eq www
    access-list outside extended permit tcp any host 10.0.10.37 eq www
    access-list outside extended permit tcp any host 10.0.10.38 eq www
    access-list outside extended permit tcp any host 10.0.10.39 eq www
    access-list outside extended permit tcp any host 10.0.10.40 eq www
    access-list outside extended permit tcp any host 10.0.10.41 eq www
    access-list outside extended permit tcp any host 10.0.0.110 eq https
    access-list outside extended permit tcp any host 10.0.0.57 eq https
    access-list outside extended permit tcp any host 10.0.0.75 eq https
    access-list outside extended permit tcp any host 10.0.17.217 eq https
    access-list outside extended permit tcp any host 10.0.0.234 eq 220
    access-list outside extended permit tcp any host 10.0.0.235 eq https
    access-list outside extended permit tcp any host 10.0.10.2 eq https
    access-list outside extended permit tcp any host 10.0.0.211 eq https
    access-list outside extended permit tcp any host 10.0.10.35 eq https
    access-list outside extended permit tcp any host 10.0.10.36 eq https
    access-list outside extended permit tcp any host 10.0.10.37 eq https
    access-list outside extended permit tcp any host 10.0.10.38 eq https
    access-list outside extended permit tcp any host 10.0.10.39 eq https
    access-list outside extended permit tcp any host 10.0.10.40 eq https
    access-list outside extended permit tcp any host 10.0.10.41 eq https
    access-list outside extended permit tcp any host 10.0.10.35 eq 8234
    access-list outside extended permit tcp any host 10.0.10.36 eq 8234
    access-list outside extended permit tcp any host 10.0.10.37 eq 8234
    access-list outside extended permit tcp any host 10.0.10.38 eq 8234
    access-list outside extended permit tcp any host 10.0.10.39 eq 8234
    access-list outside extended permit tcp any host 10.0.10.40 eq 8234
    access-list outside extended permit tcp any host 10.0.10.41 eq 8234
    access-list outside extended permit tcp any host 10.0.10.35 eq 8235
    access-list outside extended permit tcp any host 10.0.10.36 eq 8235
    access-list outside extended permit tcp any host 10.0.10.37 eq 8235
    access-list outside extended permit tcp any host 10.0.10.38 eq 8235
    access-list outside extended permit tcp any host 10.0.10.39 eq 8235
    access-list outside extended permit tcp any host 10.0.10.40 eq 8235
    access-list outside extended permit tcp any host 10.0.10.41 eq 8235
    access-list outside extended permit udp any host 10.0.0.222
    access-list outside extended permit gre any any
    access-list outside extended permit ip host 10.0.10.28 any
    access-list outside extended permit ip host 10.0.0.211 any
    access-list outside extended permit ip host 10.0.10.35 any
    access-list outside extended permit ip host 10.0.10.36 any
    access-list outside extended permit ip host 10.0.10.37 any
    access-list outside extended permit ip host 10.0.10.38 any
    access-list outside extended permit ip host 10.0.10.39 any
    access-list outside extended permit ip host 10.0.10.40 any
    access-list outside extended permit ip host 10.0.10.41 any
    access-list outside extended permit ip host 10.0.0.222 any
    access-list outside extended permit ip host 10.0.0.234 any
    access-list outside extended permit icmp host 10.0.0.234 any
    access-list outside extended permit tcp any host 10.0.0.235 eq 3389
    access-list outside extended permit ip host 10.0.0.254 any
    access-list outside extended permit tcp any host 10.0.0.2 eq 3389
    access-list outside extended permit tcp any host 10.0.13.240 eq 5900
    access-list outside extended permit udp any host 10.0.13.240 eq 5900
    access-list outside extended permit tcp any host 10.0.13.240 eq 3283
    access-list outside extended permit udp any host 10.0.13.240 eq 3283
    access-list outside extended permit tcp any host 10.0.13.240 eq ssh
    access-list outside extended permit tcp any host 10.0.10.12 eq www
    access-list outside extended permit tcp any host 10.0.0.212 eq www
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address 10.0.0.230 255.255.255.0
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    access-group outside in interface outside
    route outside 0.0.0.0 0.0.0.0 10.0.0.254 1
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    snmp-server host inside 10.0.0.234 community xxxx
    no snmp-server location
    no snmp-server contact
    snmp-server community xxxx
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    snmp-server enable traps syslog
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 outside
    ssh 0.0.0.0 0.0.0.0 inside
    ssh timeout 60
    console timeout 0
    prompt hostname context
    Cryptochecksum:c887f562a196123a335c5ebeba0ad482
    : end

  • ASA transparent mode vlan question

    Hi i was going through ASA 5505 doco and i found the follwoing
    In transparent firewall mode, you can configure two active VLANs in the Base license and three active
    VLANs in the Security Plus license, one of which must be for failover.
    So if i want to trunk 3 vlans can i do it or not it says that on eof them should be used for failover what does that mean i  thought that we can use a failover using a IP address on interface???
    my scenario is that my two ASA 5505 firewalls will be connected to two 3750 switches and i need 3 vlans to come to my outside ASA interface.

    As per:
    http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/97853-Transparent-firewall.html#backinfo
    Only two interface can be used for data, and a 3rd one for failover.
    Regards,
    Felipe.
    Remember to rate useful posts.

  • Connectivity Issues Cisco ASA 5515 in Transparent Mode

    Hi,
    we´re having problems with one transparent mode setup at one customer site. The ASA is equiped with a CX Module, but we´re not using it, so far in the service policy rules it was enabled and matched all traffic, but in "monitor only" mode. There is a global acl that allows any-any-IP.
    Firewall-Info:
    - ASA Version 9.1(2) 
    - Interfaces gi0/0 + gi0/2 without any interface errors
    The ASA 5515x is configured as a "bump in the wire". In general our setup is working but with beginning of the installation of the firewall the customer faces following connection issues, without the firewall no problems:
    - Connections to SAP-Servers behind the MPLS begin to drop, affected all users
    - Incoming monitoring sessions (ping/snmp) from central management are facing ping timeouts, connection timeouts
    - http downloads are stopping, Customer: it will stop responding and the download will fail.
    In general the customer describes it this way: "We do not have the best connection here so once we connected the firewall all the problems are magnified"
    I recognized, that we unconfigured the default inspection during initial setup and reconfigured this entry for the cx module. So the the default inspection with all the settings are not present any more... How important are these settings? One phenomen is, that I´ve seen a large numbers of concurrent connections that increased over time. And we already had that situation, that the firewall reached the max-conn count.
    Should I try to reconfigure the default inspection, as it ships from factory? And whats the best way to check for problems? What can be the reason for the dropping connections?
    I attached a network plan and the firewall config, hopefully, that somebody has an idea. Of course I can provide additional information...
    Best Regards
    Sebastian

    Hi Vibhor,
    thanks for your reply. Does this also affect the traffic, even the setting is set to "Monitor Only" ?
    Is it recommend to configure the default-inspection rule as a default setting? 
    Further Question: I´ve read sth. about, that service policy rules must be "reloaded" to take effect, after they have been changed. Is that right and how do I reload them?
    Here is an output from sh asp drop, do I have to care about certain values? This values result from two connected users doing some downloads over a 2Mbit connection.
    ciscoasa# show asp drop
    Frame drop:
      Invalid encapsulation (invalid-encap)                                       10
      First TCP packet not SYN (tcp-not-syn)                                     114
      TCP failed 3 way handshake (tcp-3whs-failed)                                 3
      TCP RST/FIN out of order (tcp-rstfin-ooo)                                   18
      Dst MAC L2 Lookup Failed (dst-l2_lookup-fail)                               33
      L2 Src/Dst same LAN port (l2_same-lan-port)                                260
      FP L2 rule drop (l2_acl)                                                  2958
      Interface is down (interface-down)                                        9420
      No management IP address configured for TFW (tfw-no-mgmt-ip-config)        117
      Dropped pending packets in a closed socket (np-socket-closed)               66
    Thanks
    Sebastian

  • Transparent mode ASA and management

    I have just installed a new ASA5512 in transparent mode. This is the first time I have done this type of installation and have been having some issues getting remote management to the device. I have configured a BVI interface for management with an IP of 10.252.255.25.
    The network looks like this......
    172.19.130.5 --- LAN --- Router --- MPLS --- Router 10.252.255.30 ---- ASA Gi0/1 ---- ASAGi0/0 ----- Switch to LAN ---- 10.252.0.0 clients
    So, from my management workstation on 172.19.130.5 I can ping the router at 10.252.255.30, I can also ping and manage the client machines on the 10.252.0.0 network on the other side of the ASA but I cant manage the ASA on 10.252.255.25. It going to be something I haven't done so any help would be greatly appreciated.
    Please see config attached.
    Murray

    So I have managed to get the very helpful guy on site to capture some packets. When I try to SSH to the device no packets are captured, however, if I try to SSH to an IP on the other side of the FW I get packets being captured as shown below.
    I have gone over the config but still can't find a problem, I'm close to pulling my hair out on this one.
    TEE-FDC-FW01# cap capin int inside match tcp any any eq 22
    TEE-FDC-FW01# sh cap capin
    6 packets captured
    1: 15:41:50.028852 10.64.68.32.20472 > 10.252.200.13.22: S 4240694991:4240694991(0) win 8192
    2: 15:41:50.030317 10.252.200.13.22 > 10.64.68.32.20472: R 0:0(0) ack 4240694992 win 0
    3: 15:41:50.563447 10.64.68.32.20472 > 10.252.200.13.22: S 1154043407:1154043407(0) win 8192
    4: 15:41:50.564820 10.252.200.13.22 > 10.64.68.32.20472: R 0:0(0) ack 1154043408 win 0
    5: 15:41:51.094508 10.64.68.32.20472 > 10.252.200.13.22: S 386805799:386805799(0) win 8192
    6: 15:41:51.095667 10.252.200.13.22 > 10.64.68.32.20472: R 0:0(0) ack 386805800 win 0
    6 packets shown
    Sent from Cisco Technical Support iPad App

  • ASA Routed/Transparent Mode - Advice

    Hi guys,
    I'm looking for some advice regarding the deployment of an ASA. I have two networks separated by a routed link (layer 3 switch to layer 3 switch). I would like to deploy an ASA between the two networks for increased security. I'm leaning toward transparent mode so I don't have to have an additional IP subnetwork configured, and because deployment seems a little 'easier'.
    I would welcome any feedback.
    Thanks.

    Hi,
    So there is 2 networks which are separated by a routed link between the L3 switches? Have you considered simply moving the LAN and Link networks IP address to a Routed Mode ASAs interfaces when inserting it between these networks or is there something on the L3 switch that prevents this?
    Naturally you can use the ASA in Transparent Mode also. I have not deployed Transparent ASAs as usually the Routed Mode has been required. Even firewalls installed to internal networks (like between factory automation and office networks) have always been in Routed mode.
    Looking at the ASA Configuration Guide the limitations set by the Transparent Mode are not something that would prevent us from using them instead of the current setups. I would imagine that the most important limitation in many setups has usually been the fact that the VPN is not supported in Transparent mode though I guess in your case that would not be a problem.
    The ASA Configuration Guide section on Transparent mode (guidelines/limitations) can be found here:
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/intro-fw.html#pgfId-1501525
    - Jouni

  • ASA 5510 in Transparent Mode-Guidelines.

    Dear all,
    I need to convert routed mode to transparent mode on my ASA-5510 with inbuilt IPS.
    let me know which of the following features configured on my firewall will have issue if converted to transparent mode:
    1. static routes.
    2. object-groups.
    3. ACLS.
    4. URL-filter (Websense).
    5. IPS . ( i doubt this )
    6. have 3 data and 1 Mgmt interfaces.
    7. syslog.
    8. SNMP
    I'm sure point 5 and 6 will have issues, need to confirm.
    need to confirm this by EOD,
    ( 5 hours more).
    thanks in advance.
    Shukla.

    Does not participate in routing protocols but can still pass routing protocol traffic through it. You can define static routes for the traffic originated by the ASA.
    in transparante mode the devices dehind and infront of the firewall will be in the same ip subnet as the firewall will be a L2 device!!
    ACLs can be configured normally
    syslog as well
    obgect groups as well
    Address translation is inherent when a firewall is configured for routed mode. Beginning with
    ASA 8.0, address translation can be used in transparent mode as well
    Does not participate in multicast. However, it allows passing the multicast traffic through it using the ACLs.
    Does not support QoS.
    Inspects Layer 2 and higher packet headers
    as long as u can use
    policy-map global_policy
    then u can integrate with IPS if u mean AIP-ssm modul
    transparent also known as a Layer 2 firewall or a stealth firewall, because its
    interfaces have no IP addresses and cannot be detected or manipulated. Only a single
    management address can be configured on the firewall
    In transparent mode, a firewall can support only two interfaces-the inside and the outside. If
    your firewall supports more than two interfaces from a physical and licensing standpoint, you
    can assign the inside and outside to two interfaces arbitrarily. As soon as those interfaces are
    configured, the firewall does not permit a third interface to be configured.
    Some platforms also support a dedicated management interface, which can be used for all
    firewall management traffic. However, the management interface cannot be involved in
    accepting or inspecting user traffic
    Configure a management address:
    Firewall(config)# ip address ip_address subnet_mask
    The firewall can support only a single IP address for management purposes. The address is
    not bound to an interface, as in routed mode. Rather, it is assigned to the firewall itself,
    accessible from either of the bridged interfaces.
    The management address is used for all types of firewall management traffic, such as Telnet,
    SSH, HTTP, SNMP, Syslog, TFTP, FTP, and so on.
    A transparent firewall can also support multiple security contexts. In that case, interface IP
    addresses must be configured from the respective context. The system execution space uses
    the admin context interfaces and IP addresses for its management traffic
    You do not have to configure a static route for the subnet directly connected to the firewall
    interfaces. However, you should define one static route as a default route toward the outside
    public network
    i wish i covered all ur questions
    good luck
    if helpful Rate

  • Cisco ASA 5512 Transparent mode

                       Hi all - hope this is the right place to ask this question-
    I'm having trouble understanding how to configure an ASA 5512X in what should be a really easy way -
    I simply want the ASA to be a transparent Layer 2 "bump" in a routed link between two networks, and then I'll use the Management interface to actually see the firewall ASDM,Syslog, configure, etc.
    I have the interfaces set up thusly:
    interface GigabitEthernet0/0
    nameif UnTrustedNetwork
    security-level 0
    interface GigabitEthernet0/1
    nameif TrustedNetwork
    security-level 100
    interface Management0/0
    nameif ManagementAccess
    security-level 100
    ip address 192.168.X.Y 255.255.255.0
    management-only
    I cannot figure out how to install a default route so that interface Management0/0 with it's IP of 192.168.X.Y can be reached from
    other networks, like 10.6.X.Y, etc.
    I thought the point of a Management interface was that you could set things up in such a way that the Management interface
    was the only way you could access the firewall, and you did not have to have IP addresses on the Gig interfaces,
    (at least not in transparent mode, for NAT you obviously would have to)
    I tried to add a static route entry to 10.6.X.Y , but
    when I typed "route.." my only available destination interfaces were either TrustedNetwork or UnTrustedNetwork ??
    How do I configure the Management interface for non-local subnets to be reachable on the firewall in transparent mode?

    transparent firewall is configured differently from routed mode.
    here's a basic config required:
    firewall transparent               (erases the current config; does not require a reboot)
    interface BVI1
    ip address 192.168.10.10 255.255.255.0
    interface GigabitEthernet0
    nameif outside
    bridge-group 1
    security-level 0
    interface GigabitEthernet1
    nameif inside
    bridge-group 1
    security-level 100
    route outside 0.0.0.0 0.0.0.0 192.168.10.254
    route inside 10.0.0.0 255.0.0.0 192.168.10.100
    I think that you need a BVI interface with an IP address before the ASA starts forwarding traffic
    The old syntax (pre 8.3 or 8.2 not sure) forces only 2 interfaces and no BVI was configured... the IP was assigned in global config.
    Hope that helps,
    Patrick

  • Trying to figure out whether I can use an ASA cluster in Transparent mode to facilitate VRF based network ??

    Hi Guys,
    I had to re-post this here because I did not get any comments earlier.. hopefully I'll get something here.. :)
    I'm investigating the ways that I can use 2 x ASA (5525x) to accommodate Multi-tenancy situation with overlapping addresses. Unfortunately in this particular scenario we have to stick with 5525x firewalls.
    The ASAs are going to be placed in north-south traffic path between 2 routers and these routers need to be configured with multiple VRFs to segregate the traffic for each tenant with overlapping IP subnets ( We are not looking at NAT as a workaround for the time being).
    As we know, this ASA model won't support VRFs so we can't use the ASA as a intermediary routing hop and therefore this is not an option.. and using security contexts per VRF seems not scale-able enough (correct me if I'm wrong). So my thinking is that, if we put the ASAs in to the transparent mode and just use the ASAs as a layer 2 interconnect (configured with different VLANs connecting VRFs served by top and bottom routers)  I should be able to go up to maximum of 50 VRFs (since 5525x only supports 200 VLANs).  
    I'm also planning to use the 2 ASAs in a cluster mode to aggregate the bandwidth of both ASAs for better throughput.
    So I need to clarify following with you guys.. 
    1) Can I actually do this or am I missing something.
    2) Are there any limitations that I might run in to with this setup
    3) Is there anyone out there who's doing the same thing or can you think of a better way to tackle this scenario (with same hardware and requirements)
    4) Instead of using clustering, can I use simple Active/Stanby pare and still configure transparent mode and use it that way ?
    Appreciate your input.
    Thanks
    Shamal 

    There is a limitation on how many context you can have, which depends on the license you have.  This is quite possible with ASA multi routed mode and even with multi transparent mode.  You can have overlapping ip in each context without the need of using nat as long as you have unique mac address for each sub interface.
    Thanks

  • VRF issue with Firewall in transparent Mode.

    Hi Guys,
    I have 7609 Router and 6513 L3 Switch connected Through ASA 5545.
    I am running Multiple VRF between router and Switch and BGP routing Protocol. When they are connected directly to each other everything is normal, however, when I have connected them via ASA 5545 then everything fails. I am using ASA in transparent Mode.
    My question is: Do ASA require different setting in case of VRF? If yes, then please give me sample config.

    I have taken following output from Firewall will this be any help?
    sh interface ouTSIDE
    Interface GigabitEthernet0/1 "OUTSIDE", is up, line protocol is up
      Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
            Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
            Input flow control is unsupported, output flow control is off
            MAC address 7c69.f68f.df78, MTU 1500
            IP address 175.4.8.35, subnet mask 255.255.255.248
            8435 packets input, 680680 bytes, 0 no buffer
            Received 8135 broadcasts, 0 runts, 0 giants
            0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
            0 pause input, 0 resume input
            8138 L2 decode drops
            0 packets output, 0 bytes, 0 underruns
            0 pause output, 0 resume output
            0 output errors, 0 collisions, 1 interface resets
            0 late collisions, 0 deferred
            0 input reset drops, 0 output reset drops
            input queue (blocks free curr/low): hardware (476/461)
            output queue (blocks free curr/low): hardware (511/511)
      Traffic Statistics for "OUTSIDE":
            297 packets input, 118503 bytes
            0 packets output, 0 bytes
            297 packets dropped
          1 minute input rate 0 pkts/sec,  13 bytes/sec
          1 minute output rate 0 pkts/sec,  0 bytes/sec
          1 minute drop rate, 0 pkts/sec
          5 minute input rate 0 pkts/sec,  6 bytes/sec
          5 minute output rate 0 pkts/sec,  0 bytes/sec
          5 minute drop rate, 0 pkts/sec
    ciscoasa# show asp drop
    Frame drop:
      FP L2 rule drop (l2_acl)                                                   297
    ASA Version 9.0(1)
    firewall transparent
    ciscoasa# show module all
    Mod Card Type                                    Model              Serial No.
      0 ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt     ASA5545           
    ips ASA 5545-X IPS Security Services Processor   ASA5545-IPS       
    Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
      0 7c69.f68f.df77 to 7c69.f68f.df80  1.0          2.1(9)8      9.0(1)
    ips 7c69.f68f.df75 to 7c69.f68f.df75  N/A          N/A          7.1(4)E4
    Mod SSM Application Name           Status           SSM Application Version
    ips IPS                            Up               7.1(4)E4
    Mod Status             Data Plane Status     Compatibility
      0 Up Sys             Not Applicable
    ips Up                 Up
    Mod License Name   License Status  Time Remaining
    ips IPS Module     Enabled         perpetual
    ciscoasa#
    I have create Ehtertype ACL and permit any traffic.
    cdp traffic has passed through but I am still not able to ping :(

Maybe you are looking for