Firewall Transparent Mode with IPS
Dear All,
I have the network setup shown below:
Router --- Firewall (Transparent Mode) --- Cisco Layer 3 switch
I am planning to implement IPS. Which is the right place to put the IPS?
The IPS is separate hardware. Let me know in which mode the IPS has to be enabled. Rgds - pramod
Hello,
If you have a separate IPS appliance, place the IPS between the router and the firewall.
You can use the IPS in inline or promiscuous mode.
In inline mode all traffic passes through the IPS first and, after inspection, moves on to the firewall.
If you are using the IPS in promiscuous mode, a copy of the traffic is sent to the IPS and the inspection is done on that copy.
Thanks.
Similar Messages
-
Transparent mode with AIP-SSM-20
I currently have an ASA5510 in routed mode with an AIP-SSM-20.
There is a requirement to use a fibre optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE. This part should present no issue.
However, this will remove the IPS device, and I still want to use IPS.
So, what I am thinking is to get another ASA5510, install the AIP-SSM, configure ASA for transparent mode and put it in between the inside of the routed ASA and my LAN. The transparent ASA would be functioning strictly as an IPS appliance.
Setup would look something like this:
Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN
Can the AIP-SSM still perform IPS with the ASA in transparent mode?
Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?
I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.
Regards.
AFAIR, there is no problem setting up an AIP in a transparent firewall.
"An ASA in transparent mode can run an AIP. In the event the AIP fails,
the IPS will fail-open and the ASA will continue to pass traffic.
However, if an interface or cable fails, then traffic will stop. You
would need a failover pair to account for this failure event, which
means another ASA and matching AIP."
And no, there is no problem excluding certain hosts/ports/subnets from inspection by the IPS via MPF.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744
What I would consider, however, is whether ASA 5510s as second-tier firewalls for 5520s will be enough.
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
HTH,
Marcin -
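As an added example, not taken from either poster, here is the MPF configuration the reply above refers to, for a transparent ASA (8.2-style single inside/outside pair, matching the linked guide) with an AIP-SSM. The fileserver addresses 10.10.10.21 and 10.10.10.22, the 10.10.10.0/24 subnet and the hostname are assumptions. The same ips action also answers the inline-versus-promiscuous question from the first post on this page: inline puts the module in the traffic path so it can drop, promiscuous only hands it a copy.

```cisco
! Transparent mode, one inside/outside pair (pre-8.4 syntax, no BVI)
firewall transparent
hostname ASA-IPS
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
! Management address of the transparent firewall itself (8.2: a single global address)
ip address 10.10.10.2 255.255.255.0
!
! Traffic selector for the IPS module: deny = never enters the class, so it
! bypasses the module entirely; permit = sent to the module.
! Assumed fileserver addresses: 10.10.10.21 and 10.10.10.22
access-list IPS_TRAFFIC extended deny ip host 10.10.10.21 any
access-list IPS_TRAFFIC extended deny ip any host 10.10.10.21
access-list IPS_TRAFFIC extended deny ip host 10.10.10.22 any
access-list IPS_TRAFFIC extended deny ip any host 10.10.10.22
access-list IPS_TRAFFIC extended permit ip any any
!
class-map IPS_CLASS
 match access-list IPS_TRAFFIC
!
policy-map global_policy
 class IPS_CLASS
  ! inline: the module sits in the path and can drop packets; fail-open keeps
  ! traffic flowing if the module goes down (fail-close would stop it).
  ! "ips promiscuous fail-open" would instead send the module a copy, which
  ! limits it to reacting after the fact (TCP resets, shunning).
  ips inline fail-open
!
service-policy global_policy global
!
! Interface ACLs so the bridge passes LAN traffic in both directions
access-list INSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
access-group OUTSIDE_IN in interface outside
```

Check the result with "show service-policy ips" (per-class packet counters should rise only for non-fileserver flows) and "show module 1 details" for the module state. Because the deny lines keep the fileserver flows out of the class, those flows never reach the module, which is exactly the bypass the question asks for; the ASA's own stateful inspection still applies to them.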
ASDM in Firewall Transparent mode
Greetings,
I would like to configure an ASA5512-X in firewall transparent mode, but I am having trouble getting ASDM to launch when I do.
I have created a BVI interface with an IP address, and I have enabled the management interface, but ASDM does not launch when I enter the IP address of the BVI I created.
Apparently you need to use the bridge-group command to assign an interface to a bridge group. When I enter this command at the (config-if) prompt for Management 0/0, this command is not recognized.
What are the general steps for configuring the management interface to be able to launch ASDM in transparent mode?
Thanks,
-Ross Merrifield
Hello Ross,
The management interface itself is only used for management purposes (it has its own IP address), so configure it differently from the other interfaces: assign an IP to the management interface as you would with a regular ASA interface (not in bridged mode).
Regards, -
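Added example, not from the thread: a minimal transparent-mode configuration for an ASA 5512-X on 9.x that gives ASDM a reachable address on Management0/0. The 192.168.100.0/24 management network, the 10.1.1.0/24 bridged data network and the interface numbers are assumptions. The point the reply makes is that Management0/0 is routed, not bridged: it carries its own IP address and does not accept the bridge-group command, which is why that command is rejected there.

```cisco
firewall transparent
!
! Data interfaces: bridged, no IP address of their own
interface GigabitEthernet0/0
 nameif outside
 bridge-group 1
 security-level 0
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
 security-level 100
 no shutdown
! Address of the bridge group, used for traffic the ASA itself sources
! (syslog, NTP, AAA); ASDM could also be allowed here for in-band management.
interface BVI1
 ip address 10.1.1.2 255.255.255.0
!
! Management interface: routed, its own address, not a bridge-group member.
interface Management0/0
 nameif management
 security-level 100
 ip address 192.168.100.2 255.255.255.0
 management-only
 no shutdown
! Route for the management network only, needed when the ASDM client is off-subnet.
route management 0.0.0.0 0.0.0.0 192.168.100.1 1
!
! Allow ASDM (HTTPS) from the management subnet on that interface only
http server enable
http 192.168.100.0 255.255.255.0 management
```

Confirm that an ASDM image is present and selected with "show asdm image" and "show flash"; without one the HTTPS listener answers but ASDM will not load. Point the browser at https://192.168.100.2 (the management address), not at the BVI address, unless you also add an http statement for the inside interface.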
ASA transparent mode with secondary IP on the router
Hi
I have
Router --- ASA (Transparent)----Switch
and just wonder if it is possible to configure secondary IP on the router interface which is connected to ASA
so there is plenty of room in terms of LAN IP range.
Or to implement this, do I have change ASA to context mode and modify configuration on the ASA?
hope I do not have to change anything on the ASA.
Thanks
The ASA in transparent mode works as an L2 device,
so whatever IPs you use doesn't matter.
You don't need to change anything on the ASA while it is in transparent mode,
but be careful about what is allowed to pass through the firewall;
you can control it with ACLs.
The router and the switch you have will operate at L3 as if they were connected directly, with nothing between them from a routing and Layer 3 perspective,
so they should be in the same subnet, VLAN and so on.
Good luck.
Please rate if helpful -
Failure when FWSM in transparent mode with multiple contexts
hi experts,
We have two FWSMs working in active/standby state, configured with multiple contexts in transparent mode, and the "outside" and "inside" interfaces for each context are in the same subnet.
Now we have one FWSM broken and the RMA part can't arrive in a short time, so we have the risk that the second FWSM could fail as well. In the worst case, if the two were broken or powered off simultaneously, I wonder whether the communications between the multiple contexts could still be OK?
Thanks in advance.
The software requirements for Cisco Secure ACS are dependent on the type of Extensible Authentication Protocol (EAP) desired. For full support of all the EAP types including EAP-Flexible Authentication via Secure Tunneling (FAST), use release 3.2.3 or higher.
http://www.cisco.com/en/US/netsol/ns340/ns394/ns431/ns434/networking_solutions_implementation_guide09186a008038906c.html -
Hi all.
I configured my Content Engine 7305 with this configuration:
CE(config)# wccp version 2
CE(config)# wccp router-list 1 10.10.10.1
CE(config)# wccp web-cache router-list-num 1
And with router:
Router(config)# ip wccp web-cache
Router(config)# interface Serial0
Router(config-if)# ip wccp web-cache redirect out
Address Router: 10.10.10.1/24
Address CE: 10.10.10.2 /24
Client1 connect internet with url: http://www.vnexpress.net
Client2 connect the same URL many times.
But when I use: sho statistic http saving
The hit is a little.(1 hit)
The miss is alot. (49 miss)
So I don't understand whether the Content Engine is working perfectly or not.
Help me, please.
Thanks
You should check to see if your CE and router see each other.
CE: "show wccp routers" - you should see the ID of the router you have configured.
Router: "show ip wccp web-cache view"
If that doesn't work you can turn on debug
"debug ip wccp packets" and see the request/response sequence
.Jun 16 17:46:26: WCCP-PKT:S00: Received valid Here_I_Am packet from 10.1.1.1 w/rcv_id 00000844
.Jun 16 17:46:26: WCCP-PKT:S00: Sending I_See_You packet to 10.1.1.1 w/ rcv_id 00000845 -
CISCO ASA5510 Firewall transparent mode
Hi,
I have an ASA5510 in the office that already has 3 contexts configured, namely admin, user and server.
In the server context, the last running config was not saved, and there was a power trip last Friday night. One of the sub-interfaces was affected, and I need to recreate that interface.
How do I do it?
I am getting the error below; it only allows me to make changes to the pre-defined interfaces.
kul-fw-03/admin(config)# interface ethernet 0/2.111
^
ERROR: % Invalid input detected at '^' marker.
How do I create an extra sub-interface?
PS: the current config was done by the network guy who left the company last month. :(
Please help.
You would need to configure it from the System context, not the Admin context.
If you are trying to add the sub-interfaces for the server context, then go to the System context:
config t
interface ethernet 0/2.111
exit
context server
allocate-interface ethernet0/2.111
here is a sample configuration for your reference:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml
Hope that helps. -
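The full sequence, as an added example built on the reply above (not the poster's own configuration). It assumes the new sub-interface carries VLAN 111, is named dmz2 in the server context, and that the server context runs in routed mode; all three are illustrative, and the real VLAN ID has to match the switch trunk.

```cisco
! 1. From the admin context, move to the system execution space.
!    Physical interfaces and sub-interfaces can only be created there,
!    which is why the command was rejected under kul-fw-03/admin(config)#.
kul-fw-03/admin# changeto system
kul-fw-03# configure terminal
kul-fw-03(config)# interface Ethernet0/2.111
kul-fw-03(config-if)# vlan 111
kul-fw-03(config-if)# exit
!
! 2. Hand the sub-interface to the context that will use it.
kul-fw-03(config)# context server
kul-fw-03(config-ctx)# allocate-interface Ethernet0/2.111
kul-fw-03(config-ctx)# exit
kul-fw-03(config)# write memory
!
! 3. Inside the server context give it a name, security level and address
!    (routed mode shown; a transparent context would use bridge-group/BVI instead).
!    The context's own running config must be saved separately.
kul-fw-03(config)# changeto context server
kul-fw-03/server(config)# interface Ethernet0/2.111
kul-fw-03/server(config-if)# nameif dmz2
kul-fw-03/server(config-if)# security-level 50
kul-fw-03/server(config-if)# ip address 10.2.111.1 255.255.255.0
kul-fw-03/server(config-if)# no shutdown
kul-fw-03/server(config-if)# exit
kul-fw-03/server(config)# write memory
kul-fw-03/server(config)# end
!
! 4. Verify the allocation from the system space.
kul-fw-03/server# changeto system
kul-fw-03# show context server
```

The two write memory commands are the part most often missed: the one in the system space saves the interface and allocation, the one inside the context saves the nameif/address, and losing either is exactly the situation the question describes after the power trip.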
Cisco 2960S Configured in Transparent mode
I have a Cisco 2960S gig switch configured in transparent mode with multiple VLANs configured. I have printers that I can ping, and the port shows up, but the printer says it is offline. Any idea what could be causing this?
If your printer and your PCs are all in the same subnet and only the printer is not working then VTP mode Transparent has nothing to do with your issue.
I'd be keen to know if you have a firewall blocking anything from the IP address of the printer? Maybe the IP subnet mask or default gateway of the printer is not working?
What do you get when you do a "sh mac-address interface <PRINTER port>"? -
Hi all,
I am actually designing a new solution based on a 6509 switch with an FWSM module; here is what I have:
The FWSM will be used in transparent mode with two bridge groups, 1 and 2, as shown in the image. I wonder whether this is a correct design or not, and whether it will work without problems with these two trunk links.
I've seen in the guidelines at this URL:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/fwmode.html#wp1184961
"The transparent FWSM uses an inside interface and an outside interface only."
Is it applicable in my case?
Any other information will be welcome.
Thanks for help
Hi, this is a sample configuration.
6509A:
vlan 256
name FWoutside
int vlan 256
ip addr 98.1.1.252 255.255.255.0
6509B:
vlan 255
name FWinside
int vlan 255
ip addr 98.1.1.251 255.255.255.0
firewall module 3 vlan-group 16,32
firewall vlan-group 16 255
firewall vlan-group 32 256
FW:
firewall transparent
nameif vlan256 outside security0
nameif vlan255 inside security100
access-list ACL_IN extended permit ip any any
access-group ACL_IN in interface outside
access-group ACL_IN in interface inside
6509B:
6509B#ping 98.1.1.252
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 98.1.1.252, timeout is 2 seconds:
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
6509B# -
ASA5510 - LACP in Transparent Mode
Hello all,
I understand that in transparent mode an ASA5510 would only be able to have two interfaces, inside and outside.
My question is could one of those logical interfaces be an LACP'd interface, made up of two physical interfaces. Topology below.
I understand that the router and ASA5510 are SPOF here, so it is a bit of a moot point, but we're connecting already existing infrastructures together!
|-------–---| |---------|
| Switch 1 |------| |
|-----------| | ASA5510 | |----------|
| | | (transp |---------| Router |
|-------–---| | mode) | |----------|
| Switch 2 |------| |
|-----------| |---------|
Configuring Cisco ASA Service Appliance in Transparent Mode with vPC
Since Release 8.4, the Cisco ASA 5500 Series Adaptive Security Appliance solution supports Link Aggregation Control Protocol (LACP). An ASA port-channel contains up to eight active member ports. Supported LACP modes are: ACTIVE, PASSIVE, and ON (ON means manual port bundling, i.e. not using the dynamic port-channeling control protocol). The ASA can be configured in transparent or routed mode. Both modes are supported when integrating the ASA with Cisco Nexus 7000 Series vPC.
http://www.cisco.com/en/US/docs/switches/datacenter/sw/design/vpc_design/vpc_best_practices_design_guide.pdf
Page 87-88 -
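Added example, not from the thread, of the topology above on ASA 8.4 or later: the two ports towards the switches are bundled with LACP into Port-channel1 and that bundle is the transparent inside interface, the single link to the router is outside, and both sit in one bridge group. Interface numbers and the 10.20.0.0/24 BVI address are assumptions.

```cisco
firewall transparent
!
! Member ports carry only the channel-group; nameif/security-level go on the bundle.
interface GigabitEthernet0/0
 channel-group 1 mode active
 no shutdown
interface GigabitEthernet0/1
 channel-group 1 mode active
 no shutdown
!
! The logical bundle is one of the two transparent interfaces.
interface Port-channel1
 nameif inside
 bridge-group 1
 security-level 100
!
! Single link to the router is the other.
interface GigabitEthernet0/2
 nameif outside
 bridge-group 1
 security-level 0
 no shutdown
!
! Address the ASA uses for its own traffic in the bridged subnet
interface BVI1
 ip address 10.20.0.2 255.255.255.0
!
access-list INSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
access-group OUTSIDE_IN in interface outside
```

Verify with "show port-channel summary" and "show lacp neighbor". One caveat the diagram raises: an LACP bundle needs a single logical partner on the far end, so if Switch 1 and Switch 2 are independent devices rather than a vPC pair or a stack, one port-channel cannot span both of them; that is what the vPC reference in the reply is for.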
Config transparent Proxy with LDAP authen with L4 switch?
How to config policy based routing on L4 switch if wsa run in transparent mode with LDAP authentication?
Async OS: 5.1.0-420
Thank you,
Thanapol
Ezekiel,
I wanted to add some clarification to your comments:
1) Network TAP connected to T1/T2.
This will work well. You will need to tap one direction of traffic to the T1 port and the other direction into the T2 interface.
2) L4 switch connected to P1.
This will NOT work. Further explanation below. What you can do is use a switch that supports port spanning / port mirroring. You'll need to send a COPY of all traffic going to the gateway to the T1 interface.
The L4TM will need to be in 'duplex' mode - configurable in the GUI.
3) WCCP v2 connected to P1.
WCCP cannot be used at all with the L4TM, because WCCP doesn't 'copy' the traffic, it redirects it.
L4TM information
The L4TM can be thought of as a completely separate appliance that operates primarily via the T1/T2 interfaces.
The L4TM is a sniffer application, meaning that you cannot redirect traffic to it (such as with L4 switching, PBR or WCCP), but you can send a copy of traffic to it (port mirroring or a physical tap).
If you are blocking with the L4TM, the WSA will use M1/P1 to send the TCP RST packets. This is the ONLY use the L4TM makes of the M1/P1 interfaces.
The P1 interface is intended to be used for Web proxy traffic and the L4TM does not listen on this interface. -
ASA Transparent Mode Deployment Issue
Could you please be more specific as to what does not work. How are you testing, from which IP to which IP is not working? Are you able to ping the switch from the ASA Firewall (not the transparent firewall)?
Please remember to rate and select a correct answer
Ok, after a little research I think I have found a solution for you (I am leaving out the policy map configs):
firewall transparent
hostname ASA-IPS
interface GigabitEthernet0/0.20
vlan 20
nameif Outside2
bridge-group 2
security-level 0
interface GigabitEthernet0/0.10
vlan 10
nameif Outside1
bridge-group 1
security-level 0
interface GigabitEthernet0/1.22
vlan 22
nameif Inside2
bridge-group 2
security-level 100
interface GigabitEthernet0/1.11
vlan 11
nameif Inside1
bridge-group 1
security-level 100
interface BVI1
ip address 10.10.10.10 255.255.255.0
interface BVI2
ip address 10.10.20.10 255.255.255.0
access-list inside_acl extended permit ip any any
access-list outside_acl extended permit ip any any
access-group outside_acl in interface Outside1
access-group inside_acl in interface Inside1
access-group outside_acl in interface Outside2
access-group inside_acl in interface Inside2
Also make sure that you amend the VLANs on the switch to correspond to the VLANs on the Transparent ASA.
Please remember to rate and select a correct answer -
ASA 8.4 transparent mode active/active questions
Hi, currently I'm trying to create a network design which uses two 5585-Xs in transparent mode with active/active load balancing (with state), but I have some questions:
1. Do i need to configure asr-groups in transparent mode? What will happen if my packet (or now more accurately frame) will return to the standby context of one device, while the initial packet passed through active context on the another device (contexts are in the same group but on different physical devices)?
2. In 8.4 we received new feature called BVI interfaces. How this feature integrates with failover functionality? Can we now use multiple BVI bridge groups for multiple vlans (instead of bridging a single pair of vlans in single context)?
3. When implementing active/active load balancing with BVIs do we still need to use multiple context mode?
Thanks for your replies
Hello,
1. Do i need to configure asr-groups in transparent mode? What will happen if my packet (or now more accurately frame) will return to the standby context of one device, while the initial packet passed through active context on the another device (contexts are in the same group but on different physical devices)?
You only need to configure ASR groups if your routing environment would match the scenario you outlined (a return packet arrives at the unit running the Standby context).
2. In 8.4 we received new feature called BVI interfaces. How this feature integrates with failover functionality? Can we now use multiple BVI bridge groups for multiple vlans (instead of bridging a single pair of vlans in single context)?
You can configure up to 8 bridge groups per context to achieve this.
3. When implementing active/active load balancing with BVIs do we still need to use multiple context mode?
Active/Active failover is only possible in multiple context mode.
Hope that helps.
-Mike -
VRF issue with Firewall in transparent Mode.
Hi Guys,
I have 7609 Router and 6513 L3 Switch connected Through ASA 5545.
I am running multiple VRFs between the router and switch, and the BGP routing protocol. When they are connected directly to each other everything is normal; however, when I have connected them via the ASA 5545 then everything fails. I am using the ASA in transparent mode.
My question is: does the ASA require different settings in the case of VRFs? If yes, then please give me a sample config.
I have taken the following output from the firewall; will this be of any help?
sh interface ouTSIDE
Interface GigabitEthernet0/1 "OUTSIDE", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 7c69.f68f.df78, MTU 1500
IP address 175.4.8.35, subnet mask 255.255.255.248
8435 packets input, 680680 bytes, 0 no buffer
Received 8135 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
8138 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (476/461)
output queue (blocks free curr/low): hardware (511/511)
Traffic Statistics for "OUTSIDE":
297 packets input, 118503 bytes
0 packets output, 0 bytes
297 packets dropped
1 minute input rate 0 pkts/sec, 13 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 6 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
ciscoasa# show asp drop
Frame drop:
FP L2 rule drop (l2_acl) 297
ASA Version 9.0(1)
firewall transparent
ciscoasa# show module all
Mod Card Type Model Serial No.
0 ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt ASA5545
ips ASA 5545-X IPS Security Services Processor ASA5545-IPS
Mod MAC Address Range Hw Version Fw Version Sw Version
0 7c69.f68f.df77 to 7c69.f68f.df80 1.0 2.1(9)8 9.0(1)
ips 7c69.f68f.df75 to 7c69.f68f.df75 N/A N/A 7.1(4)E4
Mod SSM Application Name Status SSM Application Version
ips IPS Up 7.1(4)E4
Mod Status Data Plane Status Compatibility
0 Up Sys Not Applicable
ips Up Up
Mod License Name License Status Time Remaining
ips IPS Module Enabled perpetual
ciscoasa#
I have created an EtherType ACL and permitted any traffic.
CDP traffic has passed through but I am still not able to ping :( -
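As an added illustration, not part of the question and assuming a design the poster did not describe in full: the drop counter shown, FP L2 rule drop (l2_acl), is the Layer 2 (EtherType) rule check, and an EtherType ACL only governs non-IP frames such as CDP. IPv4 traffic, which includes ping and the BGP sessions, is decided by the extended ACLs, and a peer on the security-level-0 side cannot initiate anything towards the inside unless an inbound ACL on OUTSIDE permits it. The configuration below assumes two VRFs carried as VLANs 101 and 102 on 802.1Q trunks, one bridge group per VLAN so the VRFs stay separate Layer 2 domains, and peers in 175.4.8.32/29 (from the output above) and 175.4.9.32/29; the VLAN numbers, second subnet and interface names are invented.

```cisco
firewall transparent
!
! VRF A rides VLAN 101 on both trunks, VRF B rides VLAN 102.
! One bridge group per VLAN: frames are only bridged within their own VRF's VLAN.
interface GigabitEthernet0/1.101
 vlan 101
 nameif OUTSIDE-A
 bridge-group 1
 security-level 0
interface GigabitEthernet0/0.101
 vlan 101
 nameif INSIDE-A
 bridge-group 1
 security-level 100
interface GigabitEthernet0/1.102
 vlan 102
 nameif OUTSIDE-B
 bridge-group 2
 security-level 0
interface GigabitEthernet0/0.102
 vlan 102
 nameif INSIDE-B
 bridge-group 2
 security-level 100
! One address per bridged subnet for the ASA's own traffic
interface BVI1
 ip address 175.4.8.35 255.255.255.248
interface BVI2
 ip address 175.4.9.35 255.255.255.248
!
! IPv4 is decided here, not by the EtherType ACL: BGP (tcp/179) in both
! directions, plus ICMP so the peers can ping each other through the bridge.
access-list L3_PASS extended permit tcp any any eq 179
access-list L3_PASS extended permit tcp any eq 179 any
access-list L3_PASS extended permit icmp any any
access-group L3_PASS in interface OUTSIDE-A
access-group L3_PASS in interface INSIDE-A
access-group L3_PASS in interface OUTSIDE-B
access-group L3_PASS in interface INSIDE-B
!
! Non-IP frames (CDP, STP BPDUs, and so on) are what the EtherType ACL controls.
access-list L2_PASS ethertype permit any
access-group L2_PASS in interface OUTSIDE-A
access-group L2_PASS in interface INSIDE-A
access-group L2_PASS in interface OUTSIDE-B
access-group L2_PASS in interface INSIDE-B
!
! If the BGP sessions use MD5 authentication, the TCP normalizer clears
! TCP option 19 by default and the sessions never establish; allow it.
tcp-map BGP-MD5
 tcp-options range 19 19 allow
class-map BGP
 match port tcp eq 179
policy-map global_policy
 class BGP
  set connection advanced-options BGP-MD5
service-policy global_policy global
```

After applying it, "show asp drop" should stop incrementing l2_acl for the IP traffic and "show conn" should list the tcp/179 connections between the router and the switch; if the BGP sessions still flap with MD5 enabled, the tcp-map is the first thing to check.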
Transparent mode/firewall mode in a multiple context asa5520
Hello,
Is it possible to have a transparent mode on CONTEXT_A and firewall/route mode in CONTEXT_B in a single ASA
5520?
Thanks.
Is there any document to support this? I would be getting my hands on an ASA pretty soon and hope to test this feature out.
-Hoogen