ASA Transparent Mode For Multiple Subnets

Similar Messages

• Failure when FWSM in transparent mode with multiple contexts

  hi experts,
              We have two FWSMs working in active/standby state,  configured with multiple contexts in transparent mode. and the "outside" and "inside" interfaces for each context are in same subnet. 
              Now we have one FWSM broken and the RMA part can't arrived in short time, so  we have the risk that the sencond FWSM could be failed as well.   In the worst case if the two was broken or powered off simultaneously,   i wonder that if the communications between multiple contexts could be ok???
  thanks in advance.

  The software requirements for Cisco Secure ACS are dependent on the type of Extensible Authentication Protocol (EAP) desired. For full support of all the EAP types including EAP-Flexible Authentication via Secure Tunneling (FAST), use release 3.2.3 or higher.
  http://www.cisco.com/en/US/netsol/ns340/ns394/ns431/ns434/networking_solutions_implementation_guide09186a008038906c.html

• ASA Transparent mode multicast traffic in 8.2 and 8.4

  Hi,
  When i configure 8.2 in trasparent mode and deploy the a network that was wrok on EIGRP after that i found the neighborship was stop when i allow the mutlicast address and prtocol on outside interface it was start the working But when i deploy an ASA with 8.4 IOS and then allow the multicast address and protocol both the interface (Inside and outside) after that it was start working.
  So i want to know that what the reasion to allow multicast address and protocol on 8.4 IOS for both interface. I am not able to find any answer for this.

  Hi Mahesh,
  By default ASA in transparent mode do not allow any packets not having a valid EtherType greater than or equal to 0x600. As per my knowledge this concept remain same for all versions of ASA. Most control plane protocols are denied.
  ASA in transparent mode only allows ARP, broadcast traffic, TCP and UDP inspected unicast traffic.
  For EIGRP to work through transparent firewall, we need to open ACLs in both direction for multicast and unicast both type of EIGRP traffic on all versions of ASA Firewall.

• ASA transparent mode with secondary IP on the router

  Hi
  I have
  Router --- ASA (Transparent)----Switch
  and just wonder if it is possible to configure secondary IP on the router interface which is connected to ASA
  so there is plenty of room in terms of LAN IP range.
  Or to implement this, do I have change ASA to context mode and modify configuration on the ASA?
  hope I do not have to change anything on the ASA.
  Thanks

  ASA in transparant mode work as L2 device
  so what ever ips u use dosent matter
  u dont need to change anything in the ASA while it is in transperant mod
  but be careful of what is allowed to be passed through the firewall
  u can control it by ACLs
  the router and the switch u have will operat in L3 as thy connected directly or nothing between them from routing and layer three prespective
  so they shoud be in the same subnet VLAN and so on
  good lcuk
  please, if helpful rate

• ASA Transparent Mode

  Hi Guys
  On the ASA running  the 8.4.4.1 code in transparent mode.
  Can I create sub interfaces in different vlans and attach them to different BVI groups?
  switch---trunk---ASA---Trunk---switch
  Gig0/1.1 vlan 100 bridge-gr1          Gig0/2.1 vlan 101 bridge-gr1
  Gig0/1.2 vlan 200 bridge-gr2          Gig0/2.2 vlan 201 bridge-gr2
  Is this possible?
  Thanks

  Hi,
  Yes you can do that. Please refer the below mentioned guide for better understanding.
  http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_complete_transparent.html
  Please do rate if the given information helps.
  By
  Karthik

• ASA Transparent Mode & Routing

  Since ASA in transparent mode acts like a cable, do I need to have the routes on the firewall except for the management?

  You need to put routes only for the traffic originating from the firewall.

• ASA Transparent Mode - Stateful Inspection

  Hi Community,
  I would appreciate any input other may be able to provide on the behaviour of ASA when in Transparent mode.
  I have a few scenarios and am looking to confirm stateful inspection behaviour for.
  By default I shall block all traffic.
  1 - Flow initiated Inside to outside (Higher to Lower security interface)
       - Rule on inside
  2 - Flow Initiated Outside to Inside (Lower to Higher security interface)
       - Rule on Outside
       - Appears to require rule on inside to allow response - No Stateful inspection
  3 - Flow initiated Inside to Outside - With Application inspection (Higher to Lower)
       - Rule on inside + App inspection
  4 - Flow initiated Outside to Inside - With Application Inspection (Lower to Higher)
       - Rule on outside + App Inspection
       - Appears to require rule on inside to allow response - No Stateful Inspection
  The references guide could do with some clarification around transparent behaviour.
  Many thanks

  Hello,
  For flow innitiated on the inside to the outside you do not need an acl on the outside for the returning traffic, that is the main idea of the stateful inspection.
  As soon as you do not have any ACLs applied to the inside interface this will be like this:
  1 - Flow initiated Inside to outside (Higher to Lower security interface)
  2 - Flow Initiated Outside to Inside (Lower to Higher security interface)
       - Rule on Outside
       - Appears to require rule on inside to allow response - No Stateful inspection
  3 - Flow initiated Inside to Outside - With Application inspection (Higher to Lower)
      App inspection
  4 - Flow initiated Outside to Inside - With Application Inspection (Lower to Higher)
       - Rule on outside + App Inspection
  Regards,

• RV320: Need to use as gateway for multiple subnets

  We just purchased an RV320 as a replacement/upgrade to an RV042. Our Internet connection was upgraded to 200Mbps and the RV042 wouldn't handle that throughput.
  Our internal network has 4 subnets, all connected via a layer 3 switch. The RV320 is connected to one of those subnets and is the default gateway for the entire network.
  The RV042 had a "multiple subnets" setting that allowed it to perform NAT for the directly connected subnet and the other 3 subnets in our network. We would just add the other networks to the list in the RV042 and everything was fine.
  The RV320 doesn't seem to have the same functionality (or am I missing something?). It looks like there is some sort of multiple subnet support, but when we try to add another subnet the interface seems to be asking us to define a single IP address in that subnet (an IP address for the router?) as if all subnets will be directly attached to the router using VLANs (which is not the case in our network).
  We can set up the "advanced routing" option to define the other 3 internal subnets and how to route to them, etc. but will the RV320 perform NAT for the other subnets without any adidtional configuration?
  Can anyone shed any light on this?
  Many thanks!

  Precept,
  My name is Ismael, iam with Small Business Support Center. I like to start by asking is there a  particular reason that the switch is handling Layer 3/or DHCP? Normally when an RV042 is implemented you would need a Layer 3 switch as the RV042 only supports one DHCP scope.In addition all The RV0XX series does not support 802.1q VLAN.
  With RV320 you can setup multiple subnets under advance routing and still allow for it to pass DHCP for all of your 4 subnets and create 801.2q Vlan subinterfaces . Setting RV320 in this manner can create an ease in managing the network.
  If you are considering the RV320 to do Layer 3 / DHCP simply create your 4 Vlans or subnets. Add them to the DHCP scope and enable DHCP server for all subnets. Switch would have to be configured to Layer 2 for this to work.  The link below is a knowledge portal that could assist in creating DHCP and Vlans. Hope this helps you.
  http://sbkb.cisco.com/

• ASA transparent mode vlan question

  Hi i was going through ASA 5505 doco and i found the follwoing
  In transparent firewall mode, you can configure two active VLANs in the Base license and three active
  VLANs in the Security Plus license, one of which must be for failover.
  So if i want to trunk 3 vlans can i do it or not it says that on eof them should be used for failover what does that mean i  thought that we can use a failover using a IP address on interface???
  my scenario is that my two ASA 5505 firewalls will be connected to two 3750 switches and i need 3 vlans to come to my outside ASA interface.

  As per:
  http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/97853-Transparent-firewall.html#backinfo
  Only two interface can be used for data, and a 3rd one for failover.
  Regards,
  Felipe.
  Remember to rate useful posts.

• ASA Transparent Mode Deployment Issue

  Could you please be more specific as to what does not work.  How are you testing, from which IP to which IP is not working? Are you able to ping the switch from the ASA Firewall (not the transparent firewall)?
  Please remember to rate and select a correct answer

  Ok after a little research I think I have found a solution for you ( I am leaving out the policy map configs):
  firewall transparent
  hostname ASA-IPS
  interface GigabitEthernet0/0.20
  vlan 20
  nameif Outside2
  bridge-group 2
  security-level 0
  interface GigabitEthernet0/0.10
  vlan 10
  nameif Outside1
  bridge-group 1
  security-level 0
  interface GigabitEthernet0/1.22
  vlan 22
  nameif Inside2
  bridge-group 2
  security-level 100
  interface GigabitEthernet0/1.11
  vlan 11
  nameif Inside1
  bridge-group 1
  security-level 100
  interface BVI1
  ip address 10.10.10.10 255.255.255.0
  interface BVI2
  ip address 10.10.20.10 255.255.255.0
  access-list inside_acl extended permit ip any any
  access-list outside_acl extended permit ip any any
  access-group outside_acl in interface Outside1
  access-group inside_acl in interface Inside1
  access-group outside_acl in interface Outside2
  access-group inside_acl in interface Inside2
  Also make sure that you amend the VLANs on the switch to correspond to the VLANs on the Transparent ASA.
  Please remember to rate and select a correct answer

• LRT224 Support for multiple subnets

  I am considering purchasing an LRT224, but need help with one thing.
  The network I manage has about 200 devices currently, with mixed brands and types of switches, access points, etc, scattered about. It is a small school that has had many different people running IT at it, some not so good, others better. Now I manage it.
  We would like to add more devices, but currently we are limited to 254 devices. In the LRT224 manual, it -looks- like you can manually specify the subnet mask, and DHCP server range. For example, could I change the subnet mask to 255.255.252.0, or a /22 subnet, and then specify the DHCP range to be, for example only, 192.168.1.2 through 192.168.4.254, for 1024 total addresses? I want to do this without using VLANs, because I'm unsure if any of out switches support VLAN tagging, and I have zero experience with VLANs.
  Please let me know, thanks!
  Solved!
  Go to Solution.

  For site-to-site IPsec VPN tunnels, LRT224 supports subnet masks larger than 255.255.255.0. However the local subnets on the LAN side of LRT224 are limited to a class C subnet per VLAN.

• Creating NAT for multiple subnets

  Hello I want to create a 1 NAT for 5 sub networks on a windows 2008 machine the sub networks are; 192.168.224.0/27 192.168.224.32/27 192.168.224.64/27 192.168.224.96/27 192.168.224.128/27 I intend to have a server on the 192.168.224.0/27 sub network. After
  installing 2 network cards on the server, 1 for the private addressing scheme and 1 for the external network address and installing RRAS I am wondering how nodes on the other sub networks will find their way out to the external network, will RRAS take care
  of that? or is it not possible to have only 1 NAT for several sub networks?

    It is possible, but I would think that you would need six NICs in the server - one for the public connection and one for each private subnet.
    It sounds as if you want to implement VLANs. If you do, RRAS does not so that.
  Bill

• Cisco ASA 5512 Transparent mode

                     Hi all - hope this is the right place to ask this question-
  I'm having trouble understanding how to configure an ASA 5512X in what should be a really easy way -
  I simply want the ASA to be a transparent Layer 2 "bump" in a routed link between two networks, and then I'll use the Management interface to actually see the firewall ASDM,Syslog, configure, etc.
  I have the interfaces set up thusly:
  interface GigabitEthernet0/0
  nameif UnTrustedNetwork
  security-level 0
  interface GigabitEthernet0/1
  nameif TrustedNetwork
  security-level 100
  interface Management0/0
  nameif ManagementAccess
  security-level 100
  ip address 192.168.X.Y 255.255.255.0
  management-only
  I cannot figure out how to install a default route so that interface Management0/0 with it's IP of 192.168.X.Y can be reached from
  other networks, like 10.6.X.Y, etc.
  I thought the point of a Management interface was that you could set things up in such a way that the Management interface
  was the only way you could access the firewall, and you did not have to have IP addresses on the Gig interfaces,
  (at least not in transparent mode, for NAT you obviously would have to)
  I tried to add a static route entry to 10.6.X.Y , but
  when I typed "route.." my only available destination interfaces were either TrustedNetwork or UnTrustedNetwork ??
  How do I configure the Management interface for non-local subnets to be reachable on the firewall in transparent mode?

  transparent firewall is configured differently from routed mode.
  here's a basic config required:
  firewall transparent               (erases the current config; does not require a reboot)
  interface BVI1
  ip address 192.168.10.10 255.255.255.0
  interface GigabitEthernet0
  nameif outside
  bridge-group 1
  security-level 0
  interface GigabitEthernet1
  nameif inside
  bridge-group 1
  security-level 100
  route outside 0.0.0.0 0.0.0.0 192.168.10.254
  route inside 10.0.0.0 255.0.0.0 192.168.10.100
  I think that you need a BVI interface with an IP address before the ASA starts forwarding traffic
  The old syntax (pre 8.3 or 8.2 not sure) forces only 2 interfaces and no BVI was configured... the IP was assigned in global config.
  Hope that helps,
  Patrick

• RV320 with NAT source from multiple subnets

  Hello,
  I want to buy a router that will do NAT for multiple subnets, such as in the following configuration from Cisco IOS:
  interface FastEthernet0/0
   ip address 172.16.1.1/12
   ip nat inside
  interface FastEthernet0/1
   ip address a.b.c.d/29
   ip nat outside
  ip nat pool dsl-pool a.b.c.e a.b.c.f prefix-length 29
  ip nat inside source list 20 pool dsl-pool overload
  access-list 20 permit 172.16.1.64 0.0.0.63
  access-list 20 permit 172.16.21.0 0.0.0.255
  It is possible on Cisco RV320 device?
  Regars.
  Krzysztof

  Hi,
  This should be no problem. It should work as you have thought.
  I tested the configurations on my own ASA
  object-group network REGIONAL-SOURCE
  network-object 10.1.1.0 255.255.255.0
  network-object 10.1.2.0 255.255.255.0
  network-object 10.1.3.0 255.255.255.0
  object-group network REGIONAL-NAT
  network-object 10.1.201.0 255.255.255.0
  network-object 10.1.202.0 255.255.255.0
  network-object 10.1.203.0 255.255.255.0
  nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT
  Here at the results of the "packet-tracer" to show the translations
  ASA(config)# packet-tracer input LAN tcp 10.1.1.100 12345 7.7.7.7 80
  Phase: 4
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT
  Additional Information:
  Static translate 10.1.1.100/12345 to 10.1.201.100/12345
  ASA(config)# packet-tracer input LAN tcp 10.1.2.100 12345 7.7.7.7 80
  Phase: 4
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT
  Additional Information:
  Static translate 10.1.2.100/12345 to 10.1.202.100/12345
  ASA(config)# packet-tracer input LAN tcp 10.1.3.100 12345 7.7.7.7 80
  Phase: 4
  Type: NAT
  Subtype:
  Result: ALLOW
  Config:
  nat (LAN,WAN) source static REGIONAL-SOURCE REGIONAL-NAT
  Additional Information:
  Static translate 10.1.3.100/12345 to 10.1.203.100/12345
  As you can see, everything is fine
  Naturally take into consideration the fact that if you were to (for some reason) remove a "network-object" statement from some "object-group" then the operation of the "nat" would change even if you entered the removed "network-object" back. (unless you removed the last "network-object" inside the "object-group") This is because the order of the "network-object" inside the "object-group" would change. You would essentially have to recreate the "object-group" and "nat" configuration.
  Hope this helps
  Please do remember to mark a reply as the correct answer if it answered your question.
  Feel free to ask more if needed
  - Jouni

• Cisco 2960S Configured in Transparent mode

  I have a Cisco 2960S gig switch configured in transparent mode with multiple vlans configured. I have printers that I can ping, the ports shows up but on the printer it says offline. Any idea what could be causing this?

  If your printer and your PCs are all in the same subnet and only the printer is not working then VTP mode Transparent has nothing to do with your issue. 
  I'd be keen to know if you have a firewall blocking anything from the IP address of the printer?  Maybe the IP subnet mask or default gateway of the printer is not working?  
  What do you get when you do a "sh mac-address interface <PRINTER port>"?