Cisco ASA 55XX Transparent mode VLAN traversing

Similar Messages

• Cisco ASA 5512 Transparent mode

                     Hi all - hope this is the right place to ask this question-
  I'm having trouble understanding how to configure an ASA 5512X in what should be a really easy way -
  I simply want the ASA to be a transparent Layer 2 "bump" in a routed link between two networks, and then I'll use the Management interface to actually see the firewall ASDM,Syslog, configure, etc.
  I have the interfaces set up thusly:
  interface GigabitEthernet0/0
  nameif UnTrustedNetwork
  security-level 0
  interface GigabitEthernet0/1
  nameif TrustedNetwork
  security-level 100
  interface Management0/0
  nameif ManagementAccess
  security-level 100
  ip address 192.168.X.Y 255.255.255.0
  management-only
  I cannot figure out how to install a default route so that interface Management0/0 with it's IP of 192.168.X.Y can be reached from
  other networks, like 10.6.X.Y, etc.
  I thought the point of a Management interface was that you could set things up in such a way that the Management interface
  was the only way you could access the firewall, and you did not have to have IP addresses on the Gig interfaces,
  (at least not in transparent mode, for NAT you obviously would have to)
  I tried to add a static route entry to 10.6.X.Y , but
  when I typed "route.." my only available destination interfaces were either TrustedNetwork or UnTrustedNetwork ??
  How do I configure the Management interface for non-local subnets to be reachable on the firewall in transparent mode?

  transparent firewall is configured differently from routed mode.
  here's a basic config required:
  firewall transparent               (erases the current config; does not require a reboot)
  interface BVI1
  ip address 192.168.10.10 255.255.255.0
  interface GigabitEthernet0
  nameif outside
  bridge-group 1
  security-level 0
  interface GigabitEthernet1
  nameif inside
  bridge-group 1
  security-level 100
  route outside 0.0.0.0 0.0.0.0 192.168.10.254
  route inside 10.0.0.0 255.0.0.0 192.168.10.100
  I think that you need a BVI interface with an IP address before the ASA starts forwarding traffic
  The old syntax (pre 8.3 or 8.2 not sure) forces only 2 interfaces and no BVI was configured... the IP was assigned in global config.
  Hope that helps,
  Patrick

• ASA in transparent mode and IP addresses

  Hello,
  I need to put an ASA in transparent mode.
  Our router (managed by the carrier) routes more than one public IP class in a single VLAN.
  On the "Cisco Security Appliance Command Line Configuration guide", in "Trasnaprent Firewall Guidelines" it's written: "Each directly connected network must be on the same network".
  This means also that I can have ONLY ONE subnet that flows fron the outside and the inside, or can I have more than one class?
  If I can have only one class, the only solution is to use multiple context (and separate each classes in different interfaces)?
  Thanks a lot

  The ASA in trasparent mode works at layer 2. So it really does not care if the traffic that flows through it is from different subnet as long as the L3 devices it connects to knows how to reach these subnet. TheASA in transparent is basically a bump in the wire (a bridge) and for that reason you can only use 2 interfaces on the ASA in transparent implementation.
  P.S. When people see attitude in your threads, they will refrain from answering your question. That's for future reference.

• ASA Routed/Transparent Mode - Advice

  Hi guys,
  I'm looking for some advice regarding the deployment of an ASA. I have two networks separated by a routed link (layer 3 switch to layer 3 switch). I would like to deploy an ASA between the two networks for increased security. I'm leaning toward transparent mode so I don't have to have an additional IP subnetwork configured, and because deployment seems a little 'easier'.
  I would welcome any feedback.
  Thanks.

  Hi,
  So there is 2 networks which are separated by a routed link between the L3 switches? Have you considered simply moving the LAN and Link networks IP address to a Routed Mode ASAs interfaces when inserting it between these networks or is there something on the L3 switch that prevents this?
  Naturally you can use the ASA in Transparent Mode also. I have not deployed Transparent ASAs as usually the Routed Mode has been required. Even firewalls installed to internal networks (like between factory automation and office networks) have always been in Routed mode.
  Looking at the ASA Configuration Guide the limitations set by the Transparent Mode are not something that would prevent us from using them instead of the current setups. I would imagine that the most important limitation in many setups has usually been the fact that the VPN is not supported in Transparent mode though I guess in your case that would not be a problem.
  The ASA Configuration Guide section on Transparent mode (guidelines/limitations) can be found here:
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/intro-fw.html#pgfId-1501525
  - Jouni

• Using Clustered ASAs in Transparent mode to support VRF based Network ?

  Hi Guys,
  I'm investigating the ways that I can use 2 x ASA (5525x) to accommodate Multi-tenancy situation with overlapping addresses. Unfortunately in this particular scenario we have to stick with 5525x firewalls.
  The ASAs are going to be placed in north-south traffic path between 2 routers and these routers need to be configured with multiple VRFs to segregate the traffic for each tenant with overlapping IP subnets ( We are not looking at NAT as a workaround for the time being).
  As we know, this ASA model won't support VRFs so we can't use the ASA as a intermediary routing hop and therefore this is not an option.. and using security contexts per VRF seems not scale-able enough (correct me if I'm wrong). So my thinking is that, if we put the ASAs in to the transparent mode and just use the ASAs as a layer 2 interconnect (configured with different VLANs connecting VRFs served by top and bottom routers)  I should be able to go up to maximum of 50 VRFs (since 5525x only supports 200 VLANs).  
  I'm also planning to use the 2 ASAs in a cluster mode to aggregate the bandwidth of both ASAs for better throughput.
  So I need to clarify following with you guys.. 
  1) Can I actually do this or am I missing something.
  2) Are there any limitations that I might run in to with this setup
  3) Is there anyone out there who's doing the same thing or can you think of a better way to tackle this scenario (with same hardware and requirements)
  4) Instead of using clustering, can I use simple Active/Stanby pare and still configure transparent mode and use it that way ?
  Appreciate your input.
  Thanks
  Shamal 

  Is any expert out there who can answer my query ?. Much appreciated.

• Dynamic Routing Protocol Support in Cisco ASA Multiple Context Mode

                     Dear Experts,
  Wold like to know whether dynamic Routing Protocol Support in Cisco ASA Firewall Multiple Context Mode. If yes then please provide OS version and Hardware Model of Cisco ASA Firewall. Appreciate the quick response.  Thanks.

  Hi,
  Check out this document for the information
  http://www.cisco.com/en/US/docs/security/asa/roadmap/asa_new_features.html#wp93116
  Its lists the following for software level 9.0(1)
  Multiple   Context Mode Features
  Dynamic routing in Security   Contexts
  EIGRP and OSPFv2 dynamic   routing protocols are now supported in multiple context mode. OSPFv3, RIP, and multicast routing   are not supported.
  Seems to me you would need some 9.x version to support the above mentioned Dynamic Routing Protocols.
  I don't think its related to the hardware model of the ASA other than that it requires a model that supports Multiple Context Mode. To my understanding the only model that doesnt support that is ASA5505 of the whole ASA5500 and ASA5500-X series.
  Hope this helps
  - Jouni

• CISCO SWITCH IN TRANSPARENT MODE

  hello everyone,
                       i have a 2960 compact  switch. i wanted to know whether its possible to make this switch transparent. the requirement is that whenever the switch is connected to any lan, it should be able to access the lan without any configuration being made.

  No it is not at all dumb.
  Transparent mode means the switch does not learns vlans using VTP.
  it will just pass vlan tagged packets even for vlans it does not "know".
  but then again, where must the switch send it to?
  your options are
  - trunk port with all vlan allowed
  - access port with configured access vlan (but then the vlan must be known)
  As john allready pointed out most attached devices need connection to an access port
  or they must be able to process vlan tagged packets themself and be attached to a trunk port
  a partial solution is
  - configure one port as a vlan trunk (connected to another trunk port)
  - for every vlan configure a number of ports as access port
  if you have sufficient ports you may configure a number of ports in each of the vlans (you mentioned 12 ?)
  Your limitations are the vlans you configured and the number of access ports configured for each vlan.
  eg a 48 (+1 uplink) port switch with 4 ports in each vlan.

• ASA transparent mode vlan question

  Hi i was going through ASA 5505 doco and i found the follwoing
  In transparent firewall mode, you can configure two active VLANs in the Base license and three active
  VLANs in the Security Plus license, one of which must be for failover.
  So if i want to trunk 3 vlans can i do it or not it says that on eof them should be used for failover what does that mean i  thought that we can use a failover using a IP address on interface???
  my scenario is that my two ASA 5505 firewalls will be connected to two 3750 switches and i need 3 vlans to come to my outside ASA interface.

  As per:
  http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/97853-Transparent-firewall.html#backinfo
  Only two interface can be used for data, and a 3rd one for failover.
  Regards,
  Felipe.
  Remember to rate useful posts.

• CISCO ASA5510 Firewall transparent mode

  Hi,
  i have a ASA5510 in the office, that already configured 3 context, namely, admin, user, server.
  in the server context, the last running config was not saved, and there was a power trip last friday night. 1 of the sub interface was affected, and i need to recreate that interface.
  how do I do it?
  I am getting the below error, it only allow me to do changes those pre-defined interface.
  kul-fw-03/admin(config)# interface ethernet 0/2.111
                                                ^
  ERROR: % Invalid input detected at '^' marker.
  how to I create extra sub interface?
  PS: the current config is done by the network guy who left the company last month.:(
  please help.

  you would need to configure it from the System context, not the Admin context.
  If you are trying to add the sub interfaces for the server context, then go to the System context:
  config t
  interface ethernet 0/2.111
  exit
  context server
    allocate-interface ethernet0/2.111
  here is a sample configuration for your reference:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml
  Hope that helps.

• ASA Transparent mode multicast traffic in 8.2 and 8.4

  Hi,
  When i configure 8.2 in trasparent mode and deploy the a network that was wrok on EIGRP after that i found the neighborship was stop when i allow the mutlicast address and prtocol on outside interface it was start the working But when i deploy an ASA with 8.4 IOS and then allow the multicast address and protocol both the interface (Inside and outside) after that it was start working.
  So i want to know that what the reasion to allow multicast address and protocol on 8.4 IOS for both interface. I am not able to find any answer for this.

  Hi Mahesh,
  By default ASA in transparent mode do not allow any packets not having a valid EtherType greater than or equal to 0x600. As per my knowledge this concept remain same for all versions of ASA. Most control plane protocols are denied.
  ASA in transparent mode only allows ARP, broadcast traffic, TCP and UDP inspected unicast traffic.
  For EIGRP to work through transparent firewall, we need to open ACLs in both direction for multicast and unicast both type of EIGRP traffic on all versions of ASA Firewall.

• ASA 5510 in Transparent Mode-Guidelines.

  Dear all,
  I need to convert routed mode to transparent mode on my ASA-5510 with inbuilt IPS.
  let me know which of the following features configured on my firewall will have issue if converted to transparent mode:
  1. static routes.
  2. object-groups.
  3. ACLS.
  4. URL-filter (Websense).
  5. IPS . ( i doubt this )
  6. have 3 data and 1 Mgmt interfaces.
  7. syslog.
  8. SNMP
  I'm sure point 5 and 6 will have issues, need to confirm.
  need to confirm this by EOD,
  ( 5 hours more).
  thanks in advance.
  Shukla.

  Does not participate in routing protocols but can still pass routing protocol traffic through it. You can define static routes for the traffic originated by the ASA.
  in transparante mode the devices dehind and infront of the firewall will be in the same ip subnet as the firewall will be a L2 device!!
  ACLs can be configured normally
  syslog as well
  obgect groups as well
  Address translation is inherent when a firewall is configured for routed mode. Beginning with
  ASA 8.0, address translation can be used in transparent mode as well
  Does not participate in multicast. However, it allows passing the multicast traffic through it using the ACLs.
  Does not support QoS.
  Inspects Layer 2 and higher packet headers
  as long as u can use
  policy-map global_policy
  then u can integrate with IPS if u mean AIP-ssm modul
  transparent also known as a Layer 2 firewall or a stealth firewall, because its
  interfaces have no IP addresses and cannot be detected or manipulated. Only a single
  management address can be configured on the firewall
  In transparent mode, a firewall can support only two interfaces-the inside and the outside. If
  your firewall supports more than two interfaces from a physical and licensing standpoint, you
  can assign the inside and outside to two interfaces arbitrarily. As soon as those interfaces are
  configured, the firewall does not permit a third interface to be configured.
  Some platforms also support a dedicated management interface, which can be used for all
  firewall management traffic. However, the management interface cannot be involved in
  accepting or inspecting user traffic
  Configure a management address:
  Firewall(config)# ip address ip_address subnet_mask
  The firewall can support only a single IP address for management purposes. The address is
  not bound to an interface, as in routed mode. Rather, it is assigned to the firewall itself,
  accessible from either of the bridged interfaces.
  The management address is used for all types of firewall management traffic, such as Telnet,
  SSH, HTTP, SNMP, Syslog, TFTP, FTP, and so on.
  A transparent firewall can also support multiple security contexts. In that case, interface IP
  addresses must be configured from the respective context. The system execution space uses
  the admin context interfaces and IP addresses for its management traffic
  You do not have to configure a static route for the subnet directly connected to the firewall
  interfaces. However, you should define one static route as a default route toward the outside
  public network
  i wish i covered all ur questions
  good luck
  if helpful Rate

• ASA Transparent Mode & Routing

  Since ASA in transparent mode acts like a cable, do I need to have the routes on the firewall except for the management?

  You need to put routes only for the traffic originating from the firewall.

• Asa 5505 transparent firewall issue

  hi i am having uc560 with voice and data vlan and i am having 3560 layer3 switch and my network is working fine the dhcp for voice and data both are running in uc560.
  now i  add asa 5505 between uc560 and switch in transparent mode means from uc560 to asa 5505 outside interface and from asa inside interface to switch,
  i conigured vlan1 -- inside and vlan 2 as outside in asa  5505
  in my uc 560 data is vlan 1 and my voice is vlan 100.
  when i connect my network with transparent mode firewall no dhcp amd no phones are working . but if i remove asa and i connect with uc560 to switch everything is fine.
  is there anyway to work multiple voice and data vlan in asa 5505 transparent mode.

  hi rojas,
  here is my problem,
  my internet and voice all connected in the uc 560 so wat i am doing i am connecting firewall outside to uc 560 trunk port and the from inside to my switch.
  when i connec to my switch it is giving message inconsistant vlan and it is port is blocked. and my phones are not working.
  my data vlan1 is 192.168.123.x
  and my voice vlan100 is  10.1.1.x
  and the firewall ip 192.168.123.3

• Cisco ASA 5505/Cisco 3750

  I have a Cisco 5505(base license) and a Cisco 3750(48 port). I want to be able to connect to the 3750 on different vlans(for home lab),but I'm no able to ping the "outside" IP of the ASA. I can ping the different vlans from the ASA once I created the routes from the ASA.
  3750 config:
  version 12.2
  no service pad
  service timestamps debug uptime
  service timestamps log uptime
  no service password-encryption
  hostname SwitchA
  no aaa new-model
  switch 1 provision ws-c3750-48p
  ip subnet-zero
  ip routing
  no file verify auto
  spanning-tree mode pvst
  spanning-tree extend system-id
  vlan internal allocation policy ascending
  interface FastEthernet1/0/1
  description Uplink to Cisco ASA 5505
  switchport access vlan 100
  switchport mode access
  spanning-tree portfast
  interface FastEthernet1/0/2
  no switchport
  no ip address
  interface FastEthernet1/0/3
  interface FastEthernet1/0/4
  interface FastEthernet1/0/5
  switchport access vlan 10
  interface FastEthernet1/0/6
  interface Vlan1
  no ip address
  interface Vlan2
  ip address 10.10.0.1 255.255.255.0
  interface Vlan3
  ip address 10.10.1.254 255.255.255.0
  interface Vlan10
  no ip address
  interface Vlan100
  description SW-to-ASA
  ip address 172.16.100.2 255.255.255.0
  interface Vlan172
  no ip address
  interface Vlan182
  no ip address
  interface Vlan192
  no ip address
  ip classless
  ip route 0.0.0.0 0.0.0.0 172.16.100.1
  ip http server
  ip http secure-server
  ASA Config:
  interface Vlan1
  shutdown
  no nameif
  no security-level
  no ip address
  interface Vlan10
  nameif users
  security-level 100
  ip address 172.16.10.254 255.255.255.0
  interface Vlan172
  no nameif
  security-level 100
  ip address 172.16.100.1 255.255.255.0
  interface Vlan192
  nameif OUTSIDE
  security-level 0
  ip address 192.168.1.1 255.255.255.0
  interface Ethernet0/0
  switchport access vlan 192
  interface Ethernet0/1
  description Trunk to Switch
  switchport access vlan 172
  Is this even doable?

  Hi,
  I believe you have the problem with your no-nat configurations..... you to exempt NAT for the traffic from 172.16.10.0 (Anyconnect VPN pool) to 192.168.1.0/24 (Inside LAN) to make this work
  object network acvpnpool
  subnet <anyconnect VPN Subnet>
  object network insidelan
  subnet <inside lan subnet>
  nat (inside,outside) source static acvpnpool acvpnpool destination static insidelan insidelan
  Make sure that you are able to reach the GW/Inside ip adress of the firewall from LAN machine.... all routing in place properly..... Thanks!!!
  Regards
  Karthik

• Transparent mode with AIP-SSM-20

  I currently have an ASA5510 in routed mode with an AIP-SSM-20.
  There is a requirement to use a fibre optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE.  This part should present no issue.
  However, this will remove the IPS device, and I still want to use IPS.
  So, what I am thinking is to get another ASA5510, install the AIP-SSM, configure ASA for transparent mode and put it in between the inside of the routed ASA and my LAN.  The transparent ASA would be functioning strictly as an IPS appliance.
  Setup would look something like this:
  Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN
  Can the AIP-SSM still perform IPS with the ASA in transparent mode?
  Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?
  I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.
  Regards.

  AFAIR, There is no problem to setup AIP in a transparent firewall.
  "An ASA in transparent mode can run an AIP.  In the event the AIP fails,
  the IPS will fail-open and the ASA will continue to pass traffic.
  However, if an interface or cable fails, then traffic will stop.  You
  would need a failover pair to account for this failure event, which
  means another ASA and matching AIP."
  And no there is no problem to exclude certain hosts/ports/subnets from inspection by IPS via MPF.
  http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744
  What I however consider however is if the ASAs 5510 as second tier firewall for 5520s will be enough.
  http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
  HTH,
  Marcin