CISCO ASA5510 Firewall transparent mode

Similar Messages

• Firewall Transparent Mode with IPS

    Dear All,
  I have network setup shown below
  Router --- Firewall Transparent Mode --- cisco layer 3 switch
  I am planning to implement ips. Which is the right place to put the IPS
  IPS is separate hardware. Let me know on which mode IPS has to be enabled? Rgds - pramod

  Hello,
  If you have the separate hardware of IPS then, place the IPS in between Router and firewall.
  you can use the IPS in inline and promiscuous mode.
  In inline mode all traffic will pass through the IPS first then after inspection will move to firewall.
  And if you are using the IPS in promiscuous mode then the copy of traffic will send to the IPS and after that inspection will done.
  Thanks.

• ASDM in Firewall Transparent mode

  Greetings,
  I would like to configure an ASA5512-X in firewall transparent mode, but I am having trouble getting ASDM to lauch when I do.
  I have created a BVI interface with an IP address, and I hve enabled the mangement interface, but ASDM does not lauch when I enter the IP adress of the BVI I created.
  Apprently you need to use the bridge-group command to assign an interfce to a bridge group. When I enter this command at the (config-if) prompt for Management 0/0, this command is not recognized.
  What are the general steps for configuring the management interface to be able to launch ASDM in transparent mode?
  Thanks,
  -Ross Merrifield

  Hello Ross,
  The managment interface itself is only used for managment purposes ( it has it's own Ip address) So configured it differently from any other interfaces ( Assing an ip to that managment interface like you will do with a regular ASA interface ( not on bridged mode) )
  Regards,

• Cisco ASA 55XX Transparent mode VLAN traversing

  Hello Cisco Forum Team!
      In a scenario where the Cisco ASA is in Transparent mode, is it possible to transmit L2 traffic from other VLANs different than the native VLAN the management IP of the firewall resides?
  The switches on the outside and inside interfaces of the ASA are in trunk mode and I am trying to pass L2 VLAN ttraffic from inside to outside and vice-versa using filters on the switches (switchport trunk allowed vlan). 
  Thanks in advanced for your support and comments!

  Yes it is possible but you will be limited to 8 VLANs, or more accurately, 8 BVI interfaces so this is not a scalable solution.  The catch is that you will need to have different VLANs for the same subnet at either end of the ASA. 
  To clarify this, lets say you are using interface Gig0/1 and Gig0/2.  On Gig0/1 you would have configured subinterfaces with VLANs 2, 3, and 4.  Now if you try to configure these same VLANs on Gig0/2 you will get an error saying something like this VLAN is already configured on another interface...I don't remember the exact error. 
  So to get this working you would need to configure Gig0/2 with subinterfaces for VLANs...lets say...5, 6, and 7.  you would then associate VLANs 2 and 5 with BVI 1, VLANs 3 and 6 with BVI 2, and VLANs 4 and 7 with BVI 3.  Each BVI interface would have its own IP address for the subnet that is being bridged across the ASA.
  Please remember to select a correct answer and rate helpful posts

• Cisco ASA 5512 Transparent mode

                     Hi all - hope this is the right place to ask this question-
  I'm having trouble understanding how to configure an ASA 5512X in what should be a really easy way -
  I simply want the ASA to be a transparent Layer 2 "bump" in a routed link between two networks, and then I'll use the Management interface to actually see the firewall ASDM,Syslog, configure, etc.
  I have the interfaces set up thusly:
  interface GigabitEthernet0/0
  nameif UnTrustedNetwork
  security-level 0
  interface GigabitEthernet0/1
  nameif TrustedNetwork
  security-level 100
  interface Management0/0
  nameif ManagementAccess
  security-level 100
  ip address 192.168.X.Y 255.255.255.0
  management-only
  I cannot figure out how to install a default route so that interface Management0/0 with it's IP of 192.168.X.Y can be reached from
  other networks, like 10.6.X.Y, etc.
  I thought the point of a Management interface was that you could set things up in such a way that the Management interface
  was the only way you could access the firewall, and you did not have to have IP addresses on the Gig interfaces,
  (at least not in transparent mode, for NAT you obviously would have to)
  I tried to add a static route entry to 10.6.X.Y , but
  when I typed "route.." my only available destination interfaces were either TrustedNetwork or UnTrustedNetwork ??
  How do I configure the Management interface for non-local subnets to be reachable on the firewall in transparent mode?

  transparent firewall is configured differently from routed mode.
  here's a basic config required:
  firewall transparent               (erases the current config; does not require a reboot)
  interface BVI1
  ip address 192.168.10.10 255.255.255.0
  interface GigabitEthernet0
  nameif outside
  bridge-group 1
  security-level 0
  interface GigabitEthernet1
  nameif inside
  bridge-group 1
  security-level 100
  route outside 0.0.0.0 0.0.0.0 192.168.10.254
  route inside 10.0.0.0 255.0.0.0 192.168.10.100
  I think that you need a BVI interface with an IP address before the ASA starts forwarding traffic
  The old syntax (pre 8.3 or 8.2 not sure) forces only 2 interfaces and no BVI was configured... the IP was assigned in global config.
  Hope that helps,
  Patrick

• CISCO SWITCH IN TRANSPARENT MODE

  hello everyone,
                       i have a 2960 compact  switch. i wanted to know whether its possible to make this switch transparent. the requirement is that whenever the switch is connected to any lan, it should be able to access the lan without any configuration being made.

  No it is not at all dumb.
  Transparent mode means the switch does not learns vlans using VTP.
  it will just pass vlan tagged packets even for vlans it does not "know".
  but then again, where must the switch send it to?
  your options are
  - trunk port with all vlan allowed
  - access port with configured access vlan (but then the vlan must be known)
  As john allready pointed out most attached devices need connection to an access port
  or they must be able to process vlan tagged packets themself and be attached to a trunk port
  a partial solution is
  - configure one port as a vlan trunk (connected to another trunk port)
  - for every vlan configure a number of ports as access port
  if you have sufficient ports you may configure a number of ports in each of the vlans (you mentioned 12 ?)
  Your limitations are the vlans you configured and the number of access ports configured for each vlan.
  eg a 48 (+1 uplink) port switch with 4 ports in each vlan.

• ASA5510 - LACP in Transparent Mode

  Hello all,
  I understand that in transparent mode an ASA5510 would only be able to have two interfaces, inside and outside.
  My question is could one of those logical interfaces be an LACP'd interface, made up of two physical interfaces. Topology below.
  I understand that the router and ASA5510 are SPOF here, so it is a bit of a moot point, but we're connecting already existing infrastructures together!
  |-------–---|      |---------|        
  | Switch 1  |------|         |        
  |-----------|      | ASA5510 |         |----------|
       | |           | (transp |---------|  Router  |
  |-------–---|      |  mode)  |         |----------|
  | Switch 2  |------|         |        
  |-----------|      |---------|        

  Configuring Cisco ASA Service Appliance in Transparent Mode with vPCSince Release 8.4, Cisco ASA 5500 Series Adaptive Security Appliance solution supports Link Aggregation ControlProtocol (LACP). ASA port-channel contains up to eight active member ports.Supported LACP modes are: ACTIVE, PASSIVE, and ON (ON means manual ports bundling i.e not using dynamicport-channeling control protocol).ASA can be configured in transparent or routed mode. Both modes are supported when integrating ASA with CiscoNexus 7000 Series vPC.
  http://www.cisco.com/en/US/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf
  Page 87-88

• Cisco 2960S Configured in Transparent mode

  I have a Cisco 2960S gig switch configured in transparent mode with multiple vlans configured. I have printers that I can ping, the ports shows up but on the printer it says offline. Any idea what could be causing this?

  If your printer and your PCs are all in the same subnet and only the printer is not working then VTP mode Transparent has nothing to do with your issue. 
  I'd be keen to know if you have a firewall blocking anything from the IP address of the printer?  Maybe the IP subnet mask or default gateway of the printer is not working?  
  What do you get when you do a "sh mac-address interface <PRINTER port>"?

• Connectivity Issues Cisco ASA 5515 in Transparent Mode

  Hi,
  we´re having problems with one transparent mode setup at one customer site. The ASA is equiped with a CX Module, but we´re not using it, so far in the service policy rules it was enabled and matched all traffic, but in "monitor only" mode. There is a global acl that allows any-any-IP.
  Firewall-Info:
  - ASA Version 9.1(2) 
  - Interfaces gi0/0 + gi0/2 without any interface errors
  The ASA 5515x is configured as a "bump in the wire". In general our setup is working but with beginning of the installation of the firewall the customer faces following connection issues, without the firewall no problems:
  - Connections to SAP-Servers behind the MPLS begin to drop, affected all users
  - Incoming monitoring sessions (ping/snmp) from central management are facing ping timeouts, connection timeouts
  - http downloads are stopping, Customer: it will stop responding and the download will fail.
  In general the customer describes it this way: "We do not have the best connection here so once we connected the firewall all the problems are magnified"
  I recognized, that we unconfigured the default inspection during initial setup and reconfigured this entry for the cx module. So the the default inspection with all the settings are not present any more... How important are these settings? One phenomen is, that I´ve seen a large numbers of concurrent connections that increased over time. And we already had that situation, that the firewall reached the max-conn count.
  Should I try to reconfigure the default inspection, as it ships from factory? And whats the best way to check for problems? What can be the reason for the dropping connections?
  I attached a network plan and the firewall config, hopefully, that somebody has an idea. Of course I can provide additional information...
  Best Regards
  Sebastian

  Hi Vibhor,
  thanks for your reply. Does this also affect the traffic, even the setting is set to "Monitor Only" ?
  Is it recommend to configure the default-inspection rule as a default setting? 
  Further Question: I´ve read sth. about, that service policy rules must be "reloaded" to take effect, after they have been changed. Is that right and how do I reload them?
  Here is an output from sh asp drop, do I have to care about certain values? This values result from two connected users doing some downloads over a 2Mbit connection.
  ciscoasa# show asp drop
  Frame drop:
    Invalid encapsulation (invalid-encap)                                       10
    First TCP packet not SYN (tcp-not-syn)                                     114
    TCP failed 3 way handshake (tcp-3whs-failed)                                 3
    TCP RST/FIN out of order (tcp-rstfin-ooo)                                   18
    Dst MAC L2 Lookup Failed (dst-l2_lookup-fail)                               33
    L2 Src/Dst same LAN port (l2_same-lan-port)                                260
    FP L2 rule drop (l2_acl)                                                  2958
    Interface is down (interface-down)                                        9420
    No management IP address configured for TFW (tfw-no-mgmt-ip-config)        117
    Dropped pending packets in a closed socket (np-socket-closed)               66
  Thanks
  Sebastian

• VRF issue with Firewall in transparent Mode.

  Hi Guys,
  I have 7609 Router and 6513 L3 Switch connected Through ASA 5545.
  I am running Multiple VRF between router and Switch and BGP routing Protocol. When they are connected directly to each other everything is normal, however, when I have connected them via ASA 5545 then everything fails. I am using ASA in transparent Mode.
  My question is: Do ASA require different setting in case of VRF? If yes, then please give me sample config.

  I have taken following output from Firewall will this be any help?
  sh interface ouTSIDE
  Interface GigabitEthernet0/1 "OUTSIDE", is up, line protocol is up
    Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
          Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
          Input flow control is unsupported, output flow control is off
          MAC address 7c69.f68f.df78, MTU 1500
          IP address 175.4.8.35, subnet mask 255.255.255.248
          8435 packets input, 680680 bytes, 0 no buffer
          Received 8135 broadcasts, 0 runts, 0 giants
          0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
          0 pause input, 0 resume input
          8138 L2 decode drops
          0 packets output, 0 bytes, 0 underruns
          0 pause output, 0 resume output
          0 output errors, 0 collisions, 1 interface resets
          0 late collisions, 0 deferred
          0 input reset drops, 0 output reset drops
          input queue (blocks free curr/low): hardware (476/461)
          output queue (blocks free curr/low): hardware (511/511)
    Traffic Statistics for "OUTSIDE":
          297 packets input, 118503 bytes
          0 packets output, 0 bytes
          297 packets dropped
        1 minute input rate 0 pkts/sec,  13 bytes/sec
        1 minute output rate 0 pkts/sec,  0 bytes/sec
        1 minute drop rate, 0 pkts/sec
        5 minute input rate 0 pkts/sec,  6 bytes/sec
        5 minute output rate 0 pkts/sec,  0 bytes/sec
        5 minute drop rate, 0 pkts/sec
  ciscoasa# show asp drop
  Frame drop:
    FP L2 rule drop (l2_acl)                                                   297
  ASA Version 9.0(1)
  firewall transparent
  ciscoasa# show module all
  Mod Card Type                                    Model              Serial No.
    0 ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt     ASA5545           
  ips ASA 5545-X IPS Security Services Processor   ASA5545-IPS       
  Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
    0 7c69.f68f.df77 to 7c69.f68f.df80  1.0          2.1(9)8      9.0(1)
  ips 7c69.f68f.df75 to 7c69.f68f.df75  N/A          N/A          7.1(4)E4
  Mod SSM Application Name           Status           SSM Application Version
  ips IPS                            Up               7.1(4)E4
  Mod Status             Data Plane Status     Compatibility
    0 Up Sys             Not Applicable
  ips Up                 Up
  Mod License Name   License Status  Time Remaining
  ips IPS Module     Enabled         perpetual
  ciscoasa#
  I have create Ehtertype ACL and permit any traffic.
  cdp traffic has passed through but I am still not able to ping :(

• Cisco WSA : Is it possible to use web proxy in transparent mode without WCCP router ?

  Hello !
  I would like to use Cisco WSA as a web proxy in a transparent way (without any configuration in client's web browsers) but i don't have a WCCP router. So, is it possible ? 
  If yes, how to do this ? 
  Thank you,
  Stephane Walker

  Hi Stephane
  The only alternative to WCCP is PBR (Policy Based Routing). With a simple configuration on the router you can redirect traffic defined as interesting by access list to WSA. On the WSA you need to configure transparent mode (Security Services -> Web Proxy -> Edit Settings -> Proxy Mode: Transparent). You also need to assure that proxy is listening on the port 80 and that HTTPS proxy is enabled (on port 443) if you want to redirect the HTTPS traffic as well. 
  Sample configuration for Cisco router
  access-list 110 permit tcp any any eq www
  route-map proxy-redirect permit 10
  match ip address 110
  set ip next-hop xxx.xxx.xxx.xxx
  interface ethernet0/1
  ip policy route-map proxy-redirect
  xxx.xxx.xxx.xxx is the proxy IP in such case and access-list 110 defines web traffic (HTTP TCP/80) as interesting.
  The biggest disadvantage of such solution is lack of failure detection. If the proxy will go down for some reason router will keep redirecting the traffic causing internet access outage.
  Routers other than Cisco equipment should also have an option to configure policy based routing.
  /Artur
  Ps. It's not possible to place the WSA in-line between clients and the internet.

• Transparent mode/firewall mode in a multiple context asa5520

  Hello,
  Is it possible to have a transparent mode on CONTEXT_A and firewall/route mode in CONTEXT_B in a single ASA
  5520?
  thanks.

  Is there any document to support this? I would be getting my hands on a ASA pretty soon hope to test this feature out.
  -Hoogen

• Transparent mode with AIP-SSM-20

  I currently have an ASA5510 in routed mode with an AIP-SSM-20.
  There is a requirement to use a fibre optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE.  This part should present no issue.
  However, this will remove the IPS device, and I still want to use IPS.
  So, what I am thinking is to get another ASA5510, install the AIP-SSM, configure ASA for transparent mode and put it in between the inside of the routed ASA and my LAN.  The transparent ASA would be functioning strictly as an IPS appliance.
  Setup would look something like this:
  Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN
  Can the AIP-SSM still perform IPS with the ASA in transparent mode?
  Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?
  I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.
  Regards.

  AFAIR, There is no problem to setup AIP in a transparent firewall.
  "An ASA in transparent mode can run an AIP.  In the event the AIP fails,
  the IPS will fail-open and the ASA will continue to pass traffic.
  However, if an interface or cable fails, then traffic will stop.  You
  would need a failover pair to account for this failure event, which
  means another ASA and matching AIP."
  And no there is no problem to exclude certain hosts/ports/subnets from inspection by IPS via MPF.
  http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744
  What I however consider however is if the ASAs 5510 as second tier firewall for 5520s will be enough.
  http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
  HTH,
  Marcin

• Content Engine + Barracuda Spyware firewall (transparent/intercept proxies)

  Hello all.
  We are trying to get our WAE-511 content engine and our Barracuda Spyware Firewall 310 to work together.
  It seems they interfere with each other because they are both transparent (intercept?) proxies.
  What would need to be done/configured (preferably in the Cisco CE) to make the two devices work together?
  Would shifting the CE to non-transparent mode help?

  check out the following link, hope this helps :
  http://www.cisco.com/en/US/products/ps6469/products_user_guide_chapter09186a00804a16ab.html

• ASA in transparent mode and IP addresses

  Hello,
  I need to put an ASA in transparent mode.
  Our router (managed by the carrier) routes more than one public IP class in a single VLAN.
  On the "Cisco Security Appliance Command Line Configuration guide", in "Trasnaprent Firewall Guidelines" it's written: "Each directly connected network must be on the same network".
  This means also that I can have ONLY ONE subnet that flows fron the outside and the inside, or can I have more than one class?
  If I can have only one class, the only solution is to use multiple context (and separate each classes in different interfaces)?
  Thanks a lot

  The ASA in trasparent mode works at layer 2. So it really does not care if the traffic that flows through it is from different subnet as long as the L3 devices it connects to knows how to reach these subnet. TheASA in transparent is basically a bump in the wire (a bridge) and for that reason you can only use 2 interfaces on the ASA in transparent implementation.
  P.S. When people see attitude in your threads, they will refrain from answering your question. That's for future reference.