ASA transparent mode vlan question
Hi, I was going through the ASA 5505 doco and I found the following:
In transparent firewall mode, you can configure two active VLANs in the Base license and three active
VLANs in the Security Plus license, one of which must be for failover.
So if I want to trunk 3 VLANs, can I do it or not? It says that one of them should be used for failover. What does that mean? I thought that we can do failover using an IP address on an interface???
My scenario is that my two ASA 5505 firewalls will be connected to two 3750 switches, and I need 3 VLANs to come to my outside ASA interface.
As per:
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/97853-Transparent-firewall.html#backinfo
only two interfaces can be used for data, and a 3rd one for failover.
Regards,
Felipe.
Remember to rate useful posts.
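As an added illustration (mine, not part of Felipe's reply or the Cisco document he links), this is what the "two data VLANs plus one failover VLAN" layout looks like on an ASA 5505 with the Security Plus license, written in 8.4-style transparent syntax (bridge group and BVI; pre-8.4 code puts the IP address in global config instead). VLAN numbers, Ethernet port assignments and every IP address are assumed for the example. The point to take from it is that VLAN 1 and VLAN 2 are the only VLANs that carry user traffic; the third active VLAN is consumed by the failover link, so a third user VLAN on the outside trunk is not available on this platform.

```cisco
! ASA 5505, Security Plus license, transparent mode (8.4+ syntax; assumed values)
firewall transparent
!
! Data VLAN 1 (inside) and data VLAN 2 (outside) are bridged by BVI 1.
interface Vlan1
 nameif inside
 bridge-group 1
 security-level 100
!
interface Vlan2
 nameif outside
 bridge-group 1
 security-level 0
!
! The third (and last) active VLAN is the failover link. It gets no nameif and
! no security-level and never carries user traffic.
interface Vlan3
 description LAN failover link to the peer ASA 5505
!
! Management address of the bridge group; 'standby' is the peer unit's address.
interface BVI1
 ip address 192.168.1.2 255.255.255.0 standby 192.168.1.3
!
! Switchport-to-VLAN mapping (assumed ports): Ethernet0/0 faces the outside 3750,
! Ethernet0/1 the inside 3750, Ethernet0/7 is cabled to the peer ASA.
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 1
interface Ethernet0/7
 switchport access vlan 3
!
! Active/Standby failover over VLAN 3. The 5505 does not do stateful failover,
! so there is no 'failover link' for state replication.
failover lan unit primary
failover lan interface folink Vlan3
failover interface ip folink 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover
```

Check the result with `show failover` and `show bridge-group`. If the design really needs a third user VLAN through the pair, each extra VLAN pair becomes its own bridge group, which the 5505 license does not allow; that needs a larger platform.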
Similar Messages
-
Cisco ASA 55XX Transparent mode VLAN traversing
Hello Cisco Forum Team!
In a scenario where the Cisco ASA is in transparent mode, is it possible to transmit L2 traffic from VLANs other than the native VLAN in which the management IP of the firewall resides?
The switches on the outside and inside interfaces of the ASA are in trunk mode and I am trying to pass L2 VLAN traffic from inside to outside and vice versa using filters on the switches (switchport trunk allowed vlan).
Thanks in advance for your support and comments!
Yes, it is possible, but you will be limited to 8 VLANs, or more accurately 8 BVI interfaces, so this is not a scalable solution. The catch is that you will need to have different VLANs for the same subnet at either end of the ASA.
To clarify this, let's say you are using interfaces Gig0/1 and Gig0/2. On Gig0/1 you would have configured subinterfaces with VLANs 2, 3, and 4. Now if you try to configure these same VLANs on Gig0/2 you will get an error saying something like "this VLAN is already configured on another interface"... I don't remember the exact error.
So to get this working you would need to configure Gig0/2 with subinterfaces for VLANs, let's say, 5, 6, and 7. You would then associate VLANs 2 and 5 with BVI 1, VLANs 3 and 6 with BVI 2, and VLANs 4 and 7 with BVI 3. Each BVI interface would have its own IP address for the subnet that is being bridged across the ASA.
Please remember to select a correct answer and rate helpful posts -
ASA transparent mode with secondary IP on the router
Hi
I have
Router --- ASA (Transparent)----Switch
and just wonder if it is possible to configure a secondary IP on the router interface which is connected to the ASA,
so there is plenty of room in terms of LAN IP range.
Or, to implement this, do I have to change the ASA to context mode and modify the configuration on the ASA?
I hope I do not have to change anything on the ASA.
Thanks
The ASA in transparent mode works as an L2 device,
so whatever IPs you use doesn't matter.
You don't need to change anything in the ASA while it is in transparent mode,
but be careful of what is allowed to pass through the firewall;
you can control it with ACLs.
The router and the switch you have will operate at L3 as if they were connected directly, with nothing between them from a routing and layer-three perspective,
so they should be in the same subnet, VLAN and so on.
Good luck.
Please rate if helpful. -
Hi Guys
On the ASA running the 8.4.4.1 code in transparent mode.
Can I create sub-interfaces in different VLANs and attach them to different BVI groups?
switch---trunk---ASA---Trunk---switch
Gig0/1.1 vlan 100 bridge-gr1 Gig0/2.1 vlan 101 bridge-gr1
Gig0/1.2 vlan 200 bridge-gr2 Gig0/2.2 vlan 201 bridge-gr2
Is this possible?
Thanks
Hi,
Yes, you can do that. Please refer to the guide below for a better understanding.
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_complete_transparent.html
Please do rate if the given information helps.
By
Karthik -
ASA Transparent Mode For Multiple Subnets
I am looking to replace a FortiGate firewall, which is currently working in transparent mode handling multiple subnets, with an ASA 5515. Currently I am testing the transparent mode configuration on an ASA 5505, and it will not forward any traffic that is not in the same subnet as the IP address assigned to the BVI interface.
For example, the following configuration works.
10.0.0.3/24 (computer) ---> 10.0.0.2/24 (firewall) ---> 10.0.0.1/24 (computer)
However, the following does not work
10.0.0.3/24 (computer) ---> 10.10.0.2/24 (firewall) ---> 10.0.0.1/24 (computer)
I thought that transparent mode is just a bump in the wire, so why does the IP address/subnet assigned to the BVI interface affect the traffic? Is the ASA capable of handling other/multiple subnets in transparent mode, other than the subnet assigned to the BVI interface?
By the way, I used to run a PIX 515E 7.2(2) in transparent mode filtering multiple subnets. The current ASA 5505 is on 9.0(1). Is it a limitation of the ASA 5505 model but not of the more powerful ASA models?
Thank you
Thank you @ttemirgaliyev, I tried, but multiple context is not supported by the ASA 5505.
I have an example of a PIX configuration in transparent mode filtering multiple subnets. I was using this configuration in a production environment in the past. I am wondering if an ASA 5510 or higher can handle this setup.
: Saved
: Written by enable_15 at 10:57:25.766 UTC Wed Jul 16 xxxx
PIX Version 7.2(2)
firewall transparent
hostname pixfirewall
enable password xxxxxxxxxx encrypted
names
interface Ethernet0
nameif outside
security-level 0
interface Ethernet0.1
vlan 1
no nameif
no security-level
interface Ethernet1
nameif inside
security-level 100
interface Ethernet1.1
no vlan
no nameif
no security-level
passwd xxxxxxxxxx encrypted
ftp mode passive
access-list outside extended permit udp any host 10.0.0.210
access-list outside extended permit udp any host 10.0.0.3
access-list outside extended permit tcp any host 10.0.0.110 eq smtp
access-list outside extended permit tcp any host 10.0.0.110 eq www
access-list outside extended permit tcp any host 10.0.0.57 eq smtp
access-list outside extended permit tcp any host 10.0.0.57 eq www
access-list outside extended permit tcp any host 10.0.0.75 eq www
access-list outside extended permit tcp any host 10.0.0.75 eq ftp
access-list outside extended permit tcp any host 10.0.0.75 eq 5003
access-list outside extended permit tcp any host 10.0.0.75 eq 403
access-list outside extended permit tcp any host 10.0.0.75 eq 407
access-list outside extended permit tcp any host 10.0.0.76 eq ftp
access-list outside extended permit tcp any host 10.0.0.2 eq pcanywhere-data
access-list outside extended permit udp any host 10.0.0.2 eq pcanywhere-status
access-list outside extended permit tcp any host 10.0.10.61
access-list outside extended permit tcp any host 10.0.10.62
access-list outside extended permit tcp any host 10.0.10.63
access-list outside extended permit tcp any host 10.0.10.64
access-list outside extended permit tcp any host 10.0.13.225 eq ftp
access-list outside extended permit tcp host 192.168.4.30 host 10.0.17.254 eq telnet
access-list outside extended permit tcp any host 10.0.13.225 eq telnet
access-list outside extended permit tcp any host 10.0.10.61 eq 50
access-list outside extended permit udp any host 10.0.10.61 eq isakmp
access-list outside extended permit tcp any host 10.0.10.62 eq 50
access-list outside extended permit udp any host 10.0.10.62 eq isakmp
access-list outside extended permit tcp any host 10.0.10.63 eq 50
access-list outside extended permit udp any host 10.0.10.63 eq isakmp
access-list outside extended permit tcp any host 10.0.10.64 eq 50
access-list outside extended permit udp any host 10.0.10.64 eq isakmp
access-list outside extended permit tcp any host 10.0.0.219
access-list outside extended permit udp any host 10.0.0.219
access-list outside extended permit udp any host 10.0.10.61
access-list outside extended permit udp any host 10.0.10.62
access-list outside extended permit udp any host 10.0.10.63
access-list outside extended permit udp any host 10.0.10.64
access-list outside extended permit icmp any host 10.0.10.29
access-list outside extended permit tcp any host 10.0.10.29 eq ftp
access-list outside extended permit tcp any gt 1023 host 10.0.10.29 eq ftp-data
access-list outside extended permit tcp any host 10.0.0.110 eq pop3
access-list outside extended permit tcp any host 10.0.0.57 eq pop3
access-list outside extended permit tcp any host 10.0.10.27 eq pcanywhere-data
access-list outside extended permit udp any host 10.0.10.27 eq pcanywhere-status
access-list outside extended permit tcp any host 10.0.10.31 eq pcanywhere-data
access-list outside extended permit udp any host 10.0.10.31 eq pcanywhere-status
access-list outside extended permit tcp any host 10.0.0.222 eq pcanywhere-data
access-list outside extended permit udp any host 10.0.0.222 eq pcanywhere-status
access-list outside extended permit icmp any host 10.0.10.28
access-list outside extended permit tcp any host 10.0.10.28 eq pptp
access-list outside extended permit gre any host 10.0.10.28
access-list outside extended permit ip any host 10.0.10.28
access-list outside extended permit ip any host 10.0.10.29
access-list outside extended permit tcp any host 10.0.10.25 eq 8234
access-list outside extended permit tcp any host 10.0.17.217 eq 8234
access-list outside extended permit tcp any host 10.0.17.217 eq 8235
access-list outside extended permit tcp any host 10.0.17.217 eq www
access-list outside extended permit ip any host 10.0.10.36
access-list outside extended permit ip any host 10.0.10.37
access-list outside extended permit ip any host 10.0.10.38
access-list outside extended permit ip any host 10.0.10.39
access-list outside extended permit ip any host 10.0.10.40
access-list outside extended permit ip any host 10.0.10.41
access-list outside extended permit tcp any host 10.0.0.235 eq www
access-list outside extended permit tcp any host 10.0.10.2 eq www
access-list outside extended permit tcp any host 10.0.10.2 eq 3389
access-list outside extended permit tcp host 192.168.1.234 host 10.0.0.211 eq 4899
access-list outside extended permit tcp any host 10.0.0.211 eq www
access-list outside extended permit tcp any host 10.0.10.35 eq www
access-list outside extended permit tcp any host 10.0.10.36 eq www
access-list outside extended permit tcp any host 10.0.10.37 eq www
access-list outside extended permit tcp any host 10.0.10.38 eq www
access-list outside extended permit tcp any host 10.0.10.39 eq www
access-list outside extended permit tcp any host 10.0.10.40 eq www
access-list outside extended permit tcp any host 10.0.10.41 eq www
access-list outside extended permit tcp any host 10.0.0.110 eq https
access-list outside extended permit tcp any host 10.0.0.57 eq https
access-list outside extended permit tcp any host 10.0.0.75 eq https
access-list outside extended permit tcp any host 10.0.17.217 eq https
access-list outside extended permit tcp any host 10.0.0.234 eq 220
access-list outside extended permit tcp any host 10.0.0.235 eq https
access-list outside extended permit tcp any host 10.0.10.2 eq https
access-list outside extended permit tcp any host 10.0.0.211 eq https
access-list outside extended permit tcp any host 10.0.10.35 eq https
access-list outside extended permit tcp any host 10.0.10.36 eq https
access-list outside extended permit tcp any host 10.0.10.37 eq https
access-list outside extended permit tcp any host 10.0.10.38 eq https
access-list outside extended permit tcp any host 10.0.10.39 eq https
access-list outside extended permit tcp any host 10.0.10.40 eq https
access-list outside extended permit tcp any host 10.0.10.41 eq https
access-list outside extended permit tcp any host 10.0.10.35 eq 8234
access-list outside extended permit tcp any host 10.0.10.36 eq 8234
access-list outside extended permit tcp any host 10.0.10.37 eq 8234
access-list outside extended permit tcp any host 10.0.10.38 eq 8234
access-list outside extended permit tcp any host 10.0.10.39 eq 8234
access-list outside extended permit tcp any host 10.0.10.40 eq 8234
access-list outside extended permit tcp any host 10.0.10.41 eq 8234
access-list outside extended permit tcp any host 10.0.10.35 eq 8235
access-list outside extended permit tcp any host 10.0.10.36 eq 8235
access-list outside extended permit tcp any host 10.0.10.37 eq 8235
access-list outside extended permit tcp any host 10.0.10.38 eq 8235
access-list outside extended permit tcp any host 10.0.10.39 eq 8235
access-list outside extended permit tcp any host 10.0.10.40 eq 8235
access-list outside extended permit tcp any host 10.0.10.41 eq 8235
access-list outside extended permit udp any host 10.0.0.222
access-list outside extended permit gre any any
access-list outside extended permit ip host 10.0.10.28 any
access-list outside extended permit ip host 10.0.0.211 any
access-list outside extended permit ip host 10.0.10.35 any
access-list outside extended permit ip host 10.0.10.36 any
access-list outside extended permit ip host 10.0.10.37 any
access-list outside extended permit ip host 10.0.10.38 any
access-list outside extended permit ip host 10.0.10.39 any
access-list outside extended permit ip host 10.0.10.40 any
access-list outside extended permit ip host 10.0.10.41 any
access-list outside extended permit ip host 10.0.0.222 any
access-list outside extended permit ip host 10.0.0.234 any
access-list outside extended permit icmp host 10.0.0.234 any
access-list outside extended permit tcp any host 10.0.0.235 eq 3389
access-list outside extended permit ip host 10.0.0.254 any
access-list outside extended permit tcp any host 10.0.0.2 eq 3389
access-list outside extended permit tcp any host 10.0.13.240 eq 5900
access-list outside extended permit udp any host 10.0.13.240 eq 5900
access-list outside extended permit tcp any host 10.0.13.240 eq 3283
access-list outside extended permit udp any host 10.0.13.240 eq 3283
access-list outside extended permit tcp any host 10.0.13.240 eq ssh
access-list outside extended permit tcp any host 10.0.10.12 eq www
access-list outside extended permit tcp any host 10.0.0.212 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address 10.0.0.230 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
snmp-server host inside 10.0.0.234 community xxxx
no snmp-server location
no snmp-server contact
snmp-server community xxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
prompt hostname context
Cryptochecksum:c887f562a196123a335c5ebeba0ad482
: end -
ASA Transparent mode multicast traffic in 8.2 and 8.4
Hi,
When I configure 8.2 in transparent mode and deploy it in a network that was working on EIGRP, I found that the neighborship stopped; when I allowed the multicast address and protocol on the outside interface it started working. But when I deployed an ASA with 8.4 IOS, it only started working after I allowed the multicast address and protocol on both interfaces (inside and outside).
So I want to know what the reason is for allowing the multicast address and protocol on both interfaces with 8.4 IOS. I am not able to find any answer for this.
Hi Mahesh,
By default the ASA in transparent mode does not allow any packets not having a valid EtherType greater than or equal to 0x600. As far as I know this concept remains the same for all versions of the ASA. Most control-plane protocols are denied.
The ASA in transparent mode only allows ARP, broadcast traffic, and TCP and UDP inspected unicast traffic.
For EIGRP to work through a transparent firewall, we need to open ACLs in both directions for both multicast and unicast EIGRP traffic, on all versions of the ASA firewall. -
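Added example (mine, not from Mahesh's post or the reply above): the pair of interface ACLs that lets an EIGRP adjacency form across a transparent ASA, applied inbound on both interfaces as the reply says. Interface names, ACL names, the server address and the router addresses 10.1.1.1 (outside router) and 10.1.1.2 (inside router) are assumed. EIGRP is IP protocol 88 inside an ordinary IPv4 frame, so it is matched by an extended (layer 3) ACL, not by an EtherType ACL; EtherType ACLs only govern non-IP frames. Both the multicast hellos to 224.0.0.10 and the unicast reliable updates and acks between the two neighbors must be permitted, and on both interfaces, because each router originates its own hellos and updates: neither direction is a "return" flow that the connection table would already allow.

```cisco
! Transparent-mode ASA between two EIGRP routers (assumed names and addresses)
! outside router 10.1.1.1 <-- outside -- ASA -- inside --> inside router 10.1.1.2
!
! Inbound on outside: hellos and updates originated by the outside router.
access-list outside_in extended permit eigrp host 10.1.1.1 host 224.0.0.10
access-list outside_in extended permit eigrp host 10.1.1.1 host 10.1.1.2
! ... the normal data policy follows; one assumed entry as a placeholder
access-list outside_in extended permit tcp any host 10.1.1.50 eq www
!
! Inbound on inside: the mirror image. EIGRP from the inside router is not
! return traffic of the outside router's flow, so it needs its own permit.
access-list inside_in extended permit eigrp host 10.1.1.2 host 224.0.0.10
access-list inside_in extended permit eigrp host 10.1.1.2 host 10.1.1.1
access-list inside_in extended permit ip any any
!
access-group outside_in in interface outside
access-group inside_in in interface inside
```

After applying this, `show access-list outside_in` and `show access-list inside_in` should show hit counts climbing on both multicast lines every hello interval, and the routers' `show ip eigrp neighbors` should list each other. Pinning the source to the neighbor's address instead of `any` keeps a rogue host on either segment from injecting EIGRP packets through the firewall; it does nothing about a rogue host on the same segment as the router, which is what EIGRP authentication on the routers is for.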
ASA Transparent Mode & Routing
Since ASA in transparent mode acts like a cable, do I need to have the routes on the firewall except for the management?
You need to add routes only for traffic originating from the firewall itself.
-
ASA Transparent Mode - Stateful Inspection
Hi Community,
I would appreciate any input others may be able to provide on the behaviour of the ASA when in transparent mode.
I have a few scenarios and am looking to confirm the stateful inspection behaviour for each.
By default I shall block all traffic.
1 - Flow initiated Inside to outside (Higher to Lower security interface)
- Rule on inside
2 - Flow Initiated Outside to Inside (Lower to Higher security interface)
- Rule on Outside
- Appears to require rule on inside to allow response - No Stateful inspection
3 - Flow initiated Inside to Outside - With Application inspection (Higher to Lower)
- Rule on inside + App inspection
4 - Flow initiated Outside to Inside - With Application Inspection (Lower to Higher)
- Rule on outside + App Inspection
- Appears to require rule on inside to allow response - No Stateful Inspection
The references guide could do with some clarification around transparent behaviour.
Many thanks
Hello,
For a flow initiated on the inside to the outside you do not need an ACL on the outside for the returning traffic; that is the main idea of stateful inspection.
As long as you do not have any ACLs applied to the inside interface, this will be like this:
1 - Flow initiated Inside to outside (Higher to Lower security interface)
2 - Flow Initiated Outside to Inside (Lower to Higher security interface)
- Rule on Outside
- Appears to require rule on inside to allow response - No Stateful inspection
3 - Flow initiated Inside to Outside - With Application inspection (Higher to Lower)
App inspection
4 - Flow initiated Outside to Inside - With Application Inspection (Lower to Higher)
- Rule on outside + App Inspection
Regards, -
ASA Transparent Mode Deployment Issue
Could you please be more specific as to what does not work. How are you testing, from which IP to which IP is not working? Are you able to ping the switch from the ASA firewall (not the transparent firewall)?
Please remember to rate and select a correct answer
Ok, after a little research I think I have found a solution for you (I am leaving out the policy map configs):
firewall transparent
hostname ASA-IPS
interface GigabitEthernet0/0.20
vlan 20
nameif Outside2
bridge-group 2
security-level 0
interface GigabitEthernet0/0.10
vlan 10
nameif Outside1
bridge-group 1
security-level 0
interface GigabitEthernet0/1.22
vlan 22
nameif Inside2
bridge-group 2
security-level 100
interface GigabitEthernet0/1.11
vlan 11
nameif Inside1
bridge-group 1
security-level 100
interface BVI1
ip address 10.10.10.10 255.255.255.0
interface BVI2
ip address 10.10.20.10 255.255.255.0
access-list inside_acl extended permit ip any any
access-list outside_acl extended permit ip any any
access-group outside_acl in interface Outside1
access-group inside_acl in interface Inside1
access-group outside_acl in interface Outside2
access-group inside_acl in interface Inside2
Also make sure that you amend the VLANs on the switch to correspond to the VLANs on the Transparent ASA.
Please remember to rate and select a correct answer -
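Added example (mine, not part of the reply above): the matching Catalyst switch side for that ASA configuration, showing what "amend the VLANs on the switch" means in practice. Port numbers and the gateway addresses are assumed. The outside switch trunks VLANs 10 and 20 to the ASA's Gi0/0, the inside switch trunks VLANs 11 and 22 to Gi0/1; VLAN 10 and VLAN 11 are the same IP subnet (10.10.10.0/24) on either side of bridge group 1, and likewise VLANs 20 and 22 (10.10.20.0/24) for bridge group 2. Pruning each trunk to exactly the bridged VLANs keeps any VLAN the ASA is not bridging from ever reaching it.

```cisco
! ---- Outside switch: assumed port Gi1/0/1 cabled to ASA GigabitEthernet0/0 ----
interface GigabitEthernet1/0/1
 description trunk to ASA Gi0/0 (outside side of bridge groups 1 and 2)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! Gateways for the two bridged subnets live on the outside side (assumed SVIs).
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
!
! ---- Inside switch: assumed port Gi1/0/1 cabled to ASA GigabitEthernet0/1 ----
interface GigabitEthernet1/0/1
 description trunk to ASA Gi0/1 (inside side of bridge groups 1 and 2)
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 11,22
 switchport nonegotiate
!
! Inside hosts in 10.10.10.0/24 sit in VLAN 11 (not VLAN 10) and reach their
! gateway 10.10.10.1 through the ASA's bridge group 1; 10.10.20.0/24 hosts in VLAN 22.
interface GigabitEthernet1/0/10
 description host in 10.10.10.0/24
 switchport mode access
 switchport access vlan 11
interface GigabitEthernet1/0/11
 description host in 10.10.20.0/24
 switchport mode access
 switchport access vlan 22
```

One caveat with the different-VLAN-ID-per-side trick: the ASA passes BPDUs by default, and per-VLAN spanning tree on Catalyst switches tags its BPDUs with the VLAN ID, so a BPDU sent in VLAN 10 arrives at the inside switch in VLAN 11 and the switch can flag the port as inconsistent. Either keep the two switches in separate spanning-tree domains or block BPDUs on the ASA with an EtherType ACL, and confirm with `show spanning-tree inconsistentports` on both switches after cabling.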
ASA 8.4 transparent mode active/active questions
Hi, currently i'm trying to create network design which uses two 5585-X in transparent mode with active/active load balancing (with states), but i have some questions:
1. Do i need to configure asr-groups in transparent mode? What will happen if my packet (or now more accurately frame) will return to the standby context of one device, while the initial packet passed through active context on the another device (contexts are in the same group but on different physical devices)?
2. In 8.4 we received new feature called BVI interfaces. How this feature integrates with failover functionality? Can we now use multiple BVI bridge groups for multiple vlans (instead of bridging a single pair of vlans in single context)?
3. When implementing active/active load balancing with BVIs do we still need to use multiple context mode?
Thanks for your replies
Hello,
1. Do i need to configure asr-groups in transparent mode? What will happen if my packet (or now more accurately frame) will return to the standby context of one device, while the initial packet passed through active context on the another device (contexts are in the same group but on different physical devices)?
You only need to configure ASR groups if your routing environment would match the scenario you outlined (a return packet arrives at the unit running the Standby context).
2. In 8.4 we received new feature called BVI interfaces. How this feature integrates with failover functionality? Can we now use multiple BVI bridge groups for multiple vlans (instead of bridging a single pair of vlans in single context)?
You can configure up to 8 bridge groups per context to achieve this.
3. When implementing active/active load balancing with BVIs do we still need to use multiple context mode?
Active/Active failover is only possible in multiple context mode.
Hope that helps.
-Mike -
ASA in transparent mode and IP addresses
Hello,
I need to put an ASA in transparent mode.
Our router (managed by the carrier) routes more than one public IP class in a single VLAN.
In the "Cisco Security Appliance Command Line Configuration Guide", in "Transparent Firewall Guidelines", it's written: "Each directly connected network must be on the same network".
Does this mean that I can have ONLY ONE subnet that flows from the outside to the inside, or can I have more than one class?
If I can have only one class, is the only solution to use multiple contexts (and separate each class on different interfaces)?
Thanks a lot
The ASA in transparent mode works at layer 2. So it really does not care if the traffic that flows through it is from different subnets, as long as the L3 devices it connects to know how to reach these subnets. The ASA in transparent mode is basically a bump in the wire (a bridge), and for that reason you can only use 2 interfaces on the ASA in a transparent implementation.
P.S. When people see attitude in your threads, they will refrain from answering your question. That's for future reference. -
ASA 55xx in transparent mode - switch ARP table?
Guys,
It's a basic question about how transparent mode firewalls communicate with the connecting switches.
My understanding is that if I separate the LAN, e.g. 10.1.1.x, with a transparent firewall then it will only "snoop" the traffic and will not change anything in the Ethernet header.
Is it correct or still will replace the MAC address with the firewall physical interface address to send the frame to the connecting switch?
e.g.
client--------->switch------->transparent 5510-------->switch---------->server
10.1.1.1 10.1.1.100
When the client sends the ARP to look up the hardware address of the server then what will that received back?
The MAC address of the transparent ASA, or the server?
Thank you!
The source MAC address is never changed if the traffic is passing through the same IP subnet (VLAN). Here the firewall is in transparent mode, and if it altered the source MAC address communication would not happen. This is a very fundamental network concept. However, it may recreate the same frame with the same source/destination MAC addresses.
-
Cisco ASA 5512 Transparent mode
Hi all - hope this is the right place to ask this question-
I'm having trouble understanding how to configure an ASA 5512X in what should be a really easy way -
I simply want the ASA to be a transparent Layer 2 "bump" in a routed link between two networks, and then I'll use the Management interface to actually see the firewall ASDM,Syslog, configure, etc.
I have the interfaces set up thusly:
interface GigabitEthernet0/0
nameif UnTrustedNetwork
security-level 0
interface GigabitEthernet0/1
nameif TrustedNetwork
security-level 100
interface Management0/0
nameif ManagementAccess
security-level 100
ip address 192.168.X.Y 255.255.255.0
management-only
I cannot figure out how to install a default route so that interface Management0/0 with its IP of 192.168.X.Y can be reached from
other networks, like 10.6.X.Y, etc.
I thought the point of a Management interface was that you could set things up in such a way that the Management interface
was the only way you could access the firewall, and you did not have to have IP addresses on the Gig interfaces
(at least not in transparent mode; for NAT you obviously would have to).
I tried to add a static route entry to 10.6.X.Y, but
when I typed "route..." my only available destination interfaces were either TrustedNetwork or UnTrustedNetwork??
How do I configure the Management interface so that non-local subnets are reachable on the firewall in transparent mode?
A transparent firewall is configured differently from routed mode.
here's a basic config required:
firewall transparent (erases the current config; does not require a reboot)
interface BVI1
ip address 192.168.10.10 255.255.255.0
interface GigabitEthernet0
nameif outside
bridge-group 1
security-level 0
interface GigabitEthernet1
nameif inside
bridge-group 1
security-level 100
route outside 0.0.0.0 0.0.0.0 192.168.10.254
route inside 10.0.0.0 255.0.0.0 192.168.10.100
I think that you need a BVI interface with an IP address before the ASA starts forwarding traffic.
The old syntax (pre 8.3 or 8.2, not sure) forced only 2 interfaces and no BVI was configured; the IP was assigned in global config.
Hope that helps,
Patrick -
Hi Guys,
I had to re-post this here because I did not get any comments earlier.. hopefully I'll get something here.. :)
I'm investigating the ways that I can use 2 x ASA (5525x) to accommodate Multi-tenancy situation with overlapping addresses. Unfortunately in this particular scenario we have to stick with 5525x firewalls.
The ASAs are going to be placed in north-south traffic path between 2 routers and these routers need to be configured with multiple VRFs to segregate the traffic for each tenant with overlapping IP subnets ( We are not looking at NAT as a workaround for the time being).
As we know, this ASA model won't support VRFs, so we can't use the ASA as an intermediary routing hop and therefore this is not an option, and using security contexts per VRF seems not scalable enough (correct me if I'm wrong). So my thinking is that, if we put the ASAs into transparent mode and just use them as a layer 2 interconnect (configured with different VLANs connecting the VRFs served by the top and bottom routers), I should be able to go up to a maximum of 50 VRFs (since the 5525x only supports 200 VLANs).
I'm also planning to use the 2 ASAs in a cluster mode to aggregate the bandwidth of both ASAs for better throughput.
So I need to clarify following with you guys..
1) Can I actually do this or am I missing something.
2) Are there any limitations that I might run in to with this setup
3) Is there anyone out there who's doing the same thing or can you think of a better way to tackle this scenario (with same hardware and requirements)
4) Instead of using clustering, can I use a simple Active/Standby pair and still configure transparent mode and use it that way?
Appreciate your input.
Thanks
Shamal
There is a limitation on how many contexts you can have, which depends on the license you have. This is quite possible with ASA multi routed mode and even with multi transparent mode. You can have overlapping IPs in each context without the need of using NAT as long as you have a unique MAC address for each sub-interface.
Thanks -
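As an added example (mine, not Shamal's design or the reply's), here is the system-context skeleton for the per-tenant transparent contexts the reply describes, on a 9.x release where each context can be set to transparent mode individually (mixed-mode contexts need 9.0 or later). Tenant names, VLAN IDs, config file names and the addresses are assumed. `mac-address auto` is the piece the reply's "unique MAC address for each sub-interface" refers to: by default a subinterface borrows its parent port's MAC, so two contexts bridging the same overlapping subnet over the same physical trunk would answer ARP with the same MAC; automatic MAC generation gives every context interface its own address. It is written out explicitly here even though newer 9.x releases turn it on by default.

```cisco
! ---- system execution space (assumed names and values) ----
! 'mode multiple' converts the unit to multi-context mode and reloads it.
mode multiple
! One unique MAC per context interface; required for overlapping subnets on
! shared subinterfaces (explicit here, default on newer 9.x releases).
mac-address auto
!
interface GigabitEthernet0/0
 description north trunk (router A, one VLAN per VRF)
 no shutdown
interface GigabitEthernet0/1
 description south trunk (router B, one VLAN per VRF)
 no shutdown
!
! Tenant A: VLAN 101 on the north trunk, VLAN 201 on the south trunk.
interface GigabitEthernet0/0.101
 vlan 101
interface GigabitEthernet0/1.201
 vlan 201
! Tenant B: also 10.0.0.0/24 inside its VRF, but on different VLANs.
interface GigabitEthernet0/0.102
 vlan 102
interface GigabitEthernet0/1.202
 vlan 202
!
admin-context admin
context admin
 allocate-interface Management0/0
 config-url disk0:/admin.cfg
!
context tenantA
 allocate-interface GigabitEthernet0/0.101 north
 allocate-interface GigabitEthernet0/1.201 south
 config-url disk0:/tenantA.cfg
!
context tenantB
 allocate-interface GigabitEthernet0/0.102 north
 allocate-interface GigabitEthernet0/1.202 south
 config-url disk0:/tenantB.cfg
!
! ---- inside each tenant context (tenantA.cfg shown; tenantB is identical,
! ---- including the overlapping 10.0.0.0/24, which is the whole point) ----
firewall transparent
interface north
 nameif outside
 bridge-group 1
 security-level 0
interface south
 nameif inside
 bridge-group 1
 security-level 100
interface BVI1
 ip address 10.0.0.254 255.255.255.0
```

Each VRF therefore costs two VLANs and one context, so the binding limit is the context count on the license rather than the 200-VLAN figure; `show version` in the system space reports both. After `mac-address auto`, `show interface` inside a context should show a MAC that differs from the parent port's, and `show mac-address-table` on the routers should confirm no two contexts share one.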
Connectivity Issues Cisco ASA 5515 in Transparent Mode
Hi,
we're having problems with one transparent mode setup at one customer site. The ASA is equipped with a CX module, but we're not using it; so far in the service policy rules it was enabled and matched all traffic, but in "monitor only" mode. There is a global ACL that allows any-any-IP.
Firewall-Info:
- ASA Version 9.1(2)
- Interfaces gi0/0 + gi0/2 without any interface errors
The ASA 5515x is configured as a "bump in the wire". In general our setup is working but with beginning of the installation of the firewall the customer faces following connection issues, without the firewall no problems:
- Connections to SAP-Servers behind the MPLS begin to drop, affected all users
- Incoming monitoring sessions (ping/snmp) from central management are facing ping timeouts, connection timeouts
- http downloads are stopping, Customer: it will stop responding and the download will fail.
In general the customer describes it this way: "We do not have the best connection here so once we connected the firewall all the problems are magnified"
I recognized that we unconfigured the default inspection during initial setup and reconfigured this entry for the CX module. So the default inspection with all its settings is not present any more... How important are these settings? One phenomenon is that I've seen a large number of concurrent connections that increased over time. And we already had the situation that the firewall reached the max-conn count.
Should I try to reconfigure the default inspection, as it ships from the factory? And what's the best way to check for problems? What can be the reason for the dropping connections?
I attached a network plan and the firewall config, hopefully, that somebody has an idea. Of course I can provide additional information...
Best Regards
Sebastian
Hi Vibhor,
thanks for your reply. Does this also affect the traffic, even the setting is set to "Monitor Only" ?
Is it recommend to configure the default-inspection rule as a default setting?
Further question: I've read something about service policy rules having to be "reloaded" to take effect after they have been changed. Is that right, and how do I reload them?
Here is an output from sh asp drop; do I have to care about certain values? These values result from two connected users doing some downloads over a 2 Mbit connection.
ciscoasa# show asp drop
Frame drop:
Invalid encapsulation (invalid-encap) 10
First TCP packet not SYN (tcp-not-syn) 114
TCP failed 3 way handshake (tcp-3whs-failed) 3
TCP RST/FIN out of order (tcp-rstfin-ooo) 18
Dst MAC L2 Lookup Failed (dst-l2_lookup-fail) 33
L2 Src/Dst same LAN port (l2_same-lan-port) 260
FP L2 rule drop (l2_acl) 2958
Interface is down (interface-down) 9420
No management IP address configured for TFW (tfw-no-mgmt-ip-config) 117
Dropped pending packets in a closed socket (np-socket-closed) 66
Thanks
Sebastian
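Added example (mine; not from the thread and not an answer Vibhor gave): the factory default inspection policy as it ships on a 9.1 ASA, so it can be put back and compared against the running config if it was removed while the CX class was added. The class, policy and DNS map names are the stock ones; the two `message-length` lines in preset_dns_map are what I recall for 9.1 and should be checked against `show running-config policy-map` on a freshly defaulted unit. The reason it matters to the symptoms described: with no FTP, SIP or other inspection, secondary data channels that the inspection engines would normally open are only let through by the any-any global ACL, and the connection table then carries every such flow with no helper to tear it down, which is one way a connection count climbs over time.

```cisco
! Factory default global service policy (ASA 9.1; stock class/policy names)
class-map inspection_default
 match default-inspection-traffic
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
!
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
! any CX redirect class added during the module setup stays in global_policy below
!
service-policy global_policy global
```

On the "reload" question: a changed service policy applies to new connections only; connections that already exist keep the policy they were created under until they close, and `clear conn` forces them to be rebuilt under the new one. `show service-policy` then shows per-inspection packet counters, which is the quickest way to confirm the policy is actually matching. Two of the drop counters quoted above also deserve a look independent of inspection: `tfw-no-mgmt-ip-config` means frames were dropped because the bridge group has no BVI management address, and `interface-down` at 9420 says one of the configured interfaces was down while traffic was trying to use it.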