FWSM Transparent firewall query

Customer has over 50 VLANs with FWSM inside, as below.
WAN --- MSFC --- IDSM-2 --- FWSM --- Inside network (multiple VLANs)
Customer wants all internal VLAN communication to be inspected by the FWSM. What will be the best option, transparent firewall or routed mode, and how will this work?
Regards
Vinod

Hi Jon,
Thanks for your valuable suggestion.
My customer has FWSM, IDSM and NAM modules in a 6500 switch and has the following requirements.
1- Inter-VLAN communication needs to be protected by FWSM and IDSM (inline mode only). I have never seen IDSM-2 in an inline setup in any of my previous HLDs.
2- Customer has a collapsed core architecture with access switches terminating on the 6509 directly to the FWSM (facing inside). With the FWSM running inside, I only have 2 options for redundancy: either use routed mode and run OSPF at the access layer (EIGRP is not supported on the FWSM), or run the FWSM in transparent mode.
If you have ever faced such a scenario, I would appreciate it if you could share your experience.
Regards
Vinod

Similar Messages

  • IGMP settings on transparent firewall.

    What are the requirements for allowing IGMP traffic to pass through a transparent ASA 5550?
    I have inherited a configuration that currently allows IGMP from any to any and would like to restrict this protocol. On the trusted side I have a single host configured for multicast, and on the untrusted side there is a switch and then a router. I do not control the router or switch configuration on the untrusted side.
    My questions are:
    - Is IGMP allowed through by default?
    - Are the ACL entries "access-list outside-in extended permit igmp any any" and "access-list inside-out extended permit igmp any any" required to allow IGMP join, query, leave etc.?
    - If this is required, how do I limit the source and destination IP range?
    Thanks

    It is really a very simple topology: single host inside --- my ASA --- other company ASA outside -- other company switch, then router inside.
    My server acts as both multicast server and client.
    Additional question...
    Can anyone clarify this statement?
    "These destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped.
    IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF"
    I assume this follows the same rule as anything else and that it only allows these from a higher-numbered interface to a lower-numbered interface...
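The MAC range quoted in this post is easy to misread as a per-group filter. The following added example (not code from the post or from Cisco) works through the RFC 1112 mapping of an IPv4 multicast group to its destination MAC and checks a MAC against the quoted range. The point it demonstrates: only the low 23 bits of the group address reach the MAC, so 32 groups share one MAC, and limiting which hosts or groups may pass has to be done in the IP access list, not at the MAC layer. All addresses in the block are constructed.

```python
"""IPv4 multicast group to MAC mapping and the transparent-firewall MAC range quoted above.

Added example, not from the post or Cisco. RFC 1112 copies only the low 23 bits of the
group address into the MAC, so 32 groups collapse onto one MAC and a MAC-level range
check (such as 0100.5E00.0000 to 0100.5EFE.FFFF) says nothing about which groups a host
may join. Addresses used here are constructed for illustration.
"""
import ipaddress
from typing import List

MCAST_OUI = 0x01005E                                      # 01-00-5E, IPv4 multicast OUI
ALLOWED_LO, ALLOWED_HI = 0x01005E000000, 0x01005EFEFFFF   # range quoted in the post


def ipv4_multicast_mac(group: str) -> str:
    """RFC 1112 mapping: 01-00-5E, then a 0 bit, then the low 23 bits of the group."""
    addr = ipaddress.IPv4Address(group)
    if not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast address")
    mac = (MCAST_OUI << 24) | (int(addr) & 0x7FFFFF)
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def mac_to_int(mac: str) -> int:
    """Accept 01:00:5e:..., 01-00-5e-... or Cisco-style 0100.5e00.0001."""
    return int(mac.replace(":", "").replace("-", "").replace(".", ""), 16)


def in_transparent_allowed_range(mac: str) -> bool:
    """True if the destination MAC falls inside the multicast range the document lists."""
    return ALLOWED_LO <= mac_to_int(mac) <= ALLOWED_HI


def groups_sharing_mac(group: str) -> List[str]:
    """The 32 group addresses that map to the same MAC as `group` (bits 23-27 vary)."""
    low23 = int(ipaddress.IPv4Address(group)) & 0x7FFFFF
    return [str(ipaddress.IPv4Address(0xE0000000 | (i << 23) | low23)) for i in range(32)]


def mac_filter_distinguishes(group_a: str, group_b: str) -> bool:
    """Would a MAC-level rule tell these two groups apart? False means it cannot."""
    return ipv4_multicast_mac(group_a) != ipv4_multicast_mac(group_b)
```

Running `groups_sharing_mac("239.1.1.1")` lists 224.1.1.1 among the 32 groups that arrive with the same destination MAC, which is why the IGMP and multicast data restriction the poster wants belongs in the extended IP ACL (source/destination group ranges), with the MAC range acting only as a coarse sanity filter.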

  • Rule for Control Plane traffic Transparent Firewall

    Hi Everyone,
    With the ASA working in routed mode, traffic is allowed by default from high security (inside) to low security (outside).
    But in the case of a transparent firewall, control plane traffic from inside to outside is not allowed by default.
    I need to know the reason behind this.
    Is this due to the transparent firewall being layer 2?
    Regards
    MAhesh

    Hello Chintan,
    the VRF access link where the CE is connected is part of the VRF and is not a member of the global routing table anymore.
    So any possible attempt to build an LDP session cannot impact the backbone MPLS control plane.
    If you want to specify all the acceptable LDP sources in a receive ACL or in control plane policing as part of a security plan, that is another matter.
    Only in a Carrier Supporting Carrier scenario do you have an MPLS LDP or BGPv4-with-labels session between PE and CE.
    Hope this helps
    Giuseppe

  • Transparent firewall with CSC

    Hi,
    We will be deploying 1 firewall with an IPS module and 1 transparent firewall with a CSC module. Please refer to the diagram. Is there any concern with this deployment? Will it work?
    Please advise.
    Thanks.

    Yes. Absolutely. No problem.
    -Kureli

  • Transparent Firewall Configuration

    I'm trying to configure an ASA 5540 in transparent firewall mode. The server farm is connected to the inside zone and users are connected to the outside zone on multiple VLANs, routed via inter-VLAN routing on the core switch.
    As per the Cisco configuration guidelines for a transparent firewall, the INSIDE and OUTSIDE zones are configured in two different VLANs, while the gateway IP address of the server farm is configured on the core switch.
    The transparent firewall works fine if connected to TWO different switches with an ACL permitting any any on the outside interface. But if TWO DIFFERENT VLANS (e.g. 111 & 222) are configured on the same Catalyst 4500 switch and the inside zone and outside zone (222) are connected to the respective ASA 5540 interfaces in TRANSPARENT MODE - inside interface to port 3/0/1 in VLAN 111 & outside interface to port 3/0/2 in VLAN 222 - traffic is not flowing through.
    VLAN 222, USED FOR THE SERVER FARM CONNECTED TO THE INSIDE ZONE, HAS ITS DEFAULT GATEWAY ADDRESS CONFIGURED in the CORE SWITCH under INT VLAN 111, which is connected to the OUTSIDE interface of the ASA.
    Core Switch int gig1/0/1...>vlan 111...>ASA OUTSIDE...>Vlan 222...> server farm in vlan 222
    No ARP entries are seen on the inside interface. An EtherType ACL to allow BPDUs on both the INSIDE and OUTSIDE interfaces of the ASA has also been configured.
    Can you please provide me guidelines and a step-by-step procedure to configure an ASA 5540 in transparent firewall mode with the INSIDE & OUTSIDE interfaces connecting to TWO different VLANs on the same Catalyst switch.
    Thanking you in advance,
    with best regards
    Meenaakshi Sundaram
    Network Consultant

    Hi Kirk,
    Yes, you can.
    You just have to make sure that you configure only 1 SVI on the switch.
    Example:
    L3 subnet: 10.1.1.0/24
    VLAN 100 -- Inside (ASA) Outside -- VLAN 200
    Hosts will all be connected to VLAN 100 on the switch.
    ASA inside interface will be connected to VLAN 100 on the switch
    ASA outside interface will be connected to VLAN 200 on the switch
    Switch should only have 1 SVI - interface vlan 200 (10.1.1.254 for example). The switch should never be configured with an SVI on VLAN 100 (it should not have interface vlan 100).
    All hosts would be in the 10.1.1.0/24 subnet with default gateway set to 10.1.1.254.
    ASA should only have 2 interfaces (inside - security level 100, and outside - security level 0). They can't be on the same security level.
    Hope that helps.

  • Configuring management interface in transparent firewall

    Hi there, 
    I know I have been asking basic questions, but I have a 5520 with a VPN Plus license.
    This firewall is in transparent mode now. How do I configure the management IP on this (I mean, is there a dedicated management interface or what)?
    Regards, 
    Yad Singh

    Hi,
    Consider an ASA in transparent mode just like a Layer 2 switch, where you would have to define an SVI or IP address for management.
    In the case of the ASA, on ASA 8.2 and before, you can only configure one single IP address for management.
    On ASA 8.4 and above, we have something known as bridge groups, which are configured with the management IP address.
    Refer these documents:-
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/fwmode.html#wp1201980
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/mode_fw.html#wp1367568
    http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/97853-Transparent-firewall.html
    Let me know if you have any queries.
    Thanks and Regards,
    Vibhor Amrodia

  • Configuration Required for Transparent Firewall ASA8.2

    Dear All,
    I have one firewall that needs to be configured in transparent mode. I have an inside and an outside router. Can anyone just give me the configuration of a transparent firewall on ASA 8.2 please? I didn't find the configuration on the Cisco site.
    Regards,
    Ali.....

    Dear jcarvaja,
    With reference to our previous communication regarding the transparent firewall, following is my full config with the capture you required. I can still ping the management IP of the ASA from inside and outside, but traffic is not transiting.
    Inside Capture
    sh capture INSIDE
    24 packets captured
       1: 00:11:45.244326 802.3 encap packet
       2: 00:11:47.289245 802.3 encap packet
       3: 00:11:49.233325 802.3 encap packet
       4: 00:11:51.264039 802.3 encap packet
       5: 00:11:53.258607 802.3 encap packet
       6: 00:11:55.293060 802.3 encap packet
       7: 00:11:57.339719 802.3 encap packet
       8: 00:11:59.331113 802.3 encap packet
       9: 00:12:01.343549 802.3 encap packet
      10: 00:12:03.335218 802.3 encap packet
      11: 00:12:05.349347 802.3 encap packet
      12: 00:12:07.393152 802.3 encap packet
      13: 00:12:09.117242 arp who-has 7.7.7.3 tell 7.7.7.2
      14: 00:12:09.341931 802.3 encap packet
      15: 00:12:11.103693 arp who-has 7.7.7.3 tell 7.7.7.2
      16: 00:12:11.409341 802.3 encap packet
      17: 00:12:13.102198 arp who-has 7.7.7.3 tell 7.7.7.2
      18: 00:12:13.412393 802.3 encap packet
      19: 00:12:15.088832 arp who-has 7.7.7.3 tell 7.7.7.2
      20: 00:12:15.393244 802.3 encap packet
      21: 00:12:16.206959 802.3 encap packet
      22: 00:12:17.106043 arp who-has 7.7.7.3 tell 7.7.7.2
      23: 00:12:17.448661 802.3 encap packet
      24: 00:12:19.410760 802.3 encap packet
    Outside Capture
       1: 00:11:56.916105 802.3 encap packet
       2: 00:11:58.879074 802.3 encap packet
       3: 00:12:00.938367 802.3 encap packet
       4: 00:12:02.893935 802.3 encap packet
       5: 00:12:04.935437 802.3 encap packet
       6: 00:12:06.927488 802.3 encap packet
       7: 00:12:08.875702 802.3 encap packet
       8: 00:12:09.117242 arp who-has 7.7.7.3 tell 7.7.7.2
       9: 00:12:10.931104 802.3 encap packet
      10: 00:12:11.113244 arp who-has 7.7.7.3 tell 7.7.7.2
      11: 00:12:12.944088 802.3 encap packet
      12: 00:12:13.102198 arp who-has 7.7.7.3 tell 7.7.7.2
      13: 00:12:14.933331 802.3 encap packet
      14: 00:12:15.088832 arp who-has 7.7.7.3 tell 7.7.7.2
      15: 00:12:15.642453 802.3 encap packet
      16: 00:12:16.948101 802.3 encap packet
      17: 00:12:17.106043 arp who-has 7.7.7.3 tell 7.7.7.2
      18: 00:12:18.968348 802.3 encap packet
      19: 00:12:20.969066 802.3 encap packet
      20: 00:12:22.976695 802.3 encap packet
      21: 00:12:25.012572 802.3 encap packet
    ASA
    : Saved
    ASA Version 8.0(2)
    firewall transparent
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    interface Ethernet0/0
    nameif outside
    security-level 0
    interface Ethernet0/1
    shutdown
    no nameif
    no security-level
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    interface Ethernet0/3
    nameif inside
    security-level 100
    interface Ethernet0/4
    shutdown
    no nameif
    no security-level
    interface Ethernet0/5
    shutdown
    no nameif
    no security-level
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    access-list OUT extended permit icmp any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address 7.7.7.10 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    access-group OUT in interface outside
    access-group OUT in interface inside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:00000000000000000000000000000000

  • Why use transparent firewall in data center?

    I've seen Cisco documentation recommending transparent mode for firewall deployment in the data center, e.g. 5585X. I understand the key reasons for this are:
    - easy "insertion" of firewall in pre-existing network
    - speed (since there is no "hair-pinning")
    Assume that the above two are not a major concern (i.e. you can redesign your network to have the firewall hold default gateways and your firewall is much more powerful than your needs). Then from a financial perspective, it doesn't seem to make sense to do transparent firewall deployment of the 5585X for the following reasons:
    - you are limited to a maximum of 8 bridge-groups
    If you really want to follow best practices and implement fine segmentation of your network, you'll need to create 10s or 100s of VLANs and perform access-control on them. This limit of 8 BVIs means that you basically can have only 8 "segments" per context. After that, you have to resort to adding contexts as your grow (contexts introduce their own cost AND complexity).
    Am I missing something? Why would Cisco recommend transparent firewall for data center if cost is remotely a concern? I can't seem to find any good documentation justifying this. Thanks in advance for your experiences/insight.

    Hello Fouzan,
    I think you already covered it.
    Good job with the analysis. Basically, as you said, it is the ability to place the transparent mode firewall into the network environment, no routing complications, etc., BUT as you said there are limitations.
    I would still use routed mode due to the requirements you set, but there will be scenarios where this is not the case and a bridge group or 2 will take care of everything, so a transparent mode firewall would do it.
    Regards

  • ECMP through Transparent Firewall

    I have an interesting question.  We are going to try and run equal-cost multi-pathing through a transparent firewall.  There will be two routers on one side and two on the other running eigrp between them.  The question is, if a packet leaves one port but the response comes back on a different port, would this cause issues?
    I can explain more if needed.

    Hi,
    When you run equal-cost multipath on the ASA, you will not get a return packet on a different port. It does not work in round-robin fashion. The excerpt below from a Cisco document will clarify your doubt.
    This document provides information on how to configure the Adaptive Security Appliance (ASA) with up to three equal cost routes to the same destination network per interface. The ASA hashes the source and destination IP addresses of the outbound packet to determine which route it will use to determine the next hop for the packet (the ASA does not employ a round-robin algorithm to choose the next hop). As opposed to round-robin load balancing, packets with the same source and destination pair are always sent towards the same next hop, as per the computed hash.
    Regards
    Karthik
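The excerpt describes per-flow hashing rather than round robin. The block below is an added example (not ASA code and not from the thread) that implements that behaviour in the plain form the document states: hash the (source, destination) pair and index into the list of equal-cost next hops, so every packet of one flow takes the same path. The hash function (SHA-256) and the optional `symmetric` flag are this example's own choices, not a description of the ASA's algorithm; the flag shows what is needed if the reverse direction of a flow must land on the same next hop, which is the concern in the original question. Flow addresses are constructed.

```python
"""Per-flow (hash-based) next-hop selection versus round robin.

Added example, not ASA code. The (src, dst) pair is hashed and the hash picks one of the
equal-cost next hops, so packets of the same flow always take the same path. SHA-256 and
the `symmetric` option are this example's own choices, not the ASA's algorithm.
"""
import hashlib
import ipaddress
from collections import Counter
from typing import Dict, List, Sequence, Tuple

Flow = Tuple[str, str]


def pick_next_hop(src: str, dst: str, next_hops: Sequence[str], symmetric: bool = False) -> str:
    """Deterministic choice from the address pair; the same pair always yields the same hop."""
    a, b = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if symmetric and b < a:        # order-independent key so A->B and B->A agree
        a, b = b, a
    digest = hashlib.sha256(a.packed + b.packed).digest()
    return next_hops[int.from_bytes(digest[:4], "big") % len(next_hops)]


def round_robin(next_hops: Sequence[str], packets: int) -> List[str]:
    """What the document says the ASA does NOT do: rotate hop per packet."""
    return [next_hops[i % len(next_hops)] for i in range(packets)]


def flow_paths(flows: Sequence[Flow], next_hops: Sequence[str], symmetric: bool = False) -> Dict[Flow, str]:
    return {(s, d): pick_next_hop(s, d, next_hops, symmetric) for s, d in flows}


def count_asymmetric(flows: Sequence[Flow], next_hops: Sequence[str], symmetric: bool = False) -> int:
    """Flows whose reverse direction (dst->src) hashes to a different next hop."""
    return sum(
        1 for s, d in flows
        if pick_next_hop(s, d, next_hops, symmetric) != pick_next_hop(d, s, next_hops, symmetric)
    )


def distribution(flows: Sequence[Flow], next_hops: Sequence[str]) -> Counter:
    """How evenly the hash spreads flows over the hops."""
    return Counter(flow_paths(flows, next_hops).values())


def sample_flows(n: int) -> List[Flow]:
    """Constructed sample: n client->server pairs in 10.10.0.0/16 and 10.20.0.0/16."""
    client_base = int(ipaddress.IPv4Address("10.10.0.0"))
    server_base = int(ipaddress.IPv4Address("10.20.0.0"))
    return [(str(ipaddress.IPv4Address(client_base + i)),
             str(ipaddress.IPv4Address(server_base + (i * 7) % 65536)))
            for i in range(n)]
```

With the default (src, dst) hash, a flow's return traffic is hashed as (dst, src) and can land on another hop; `count_asymmetric` quantifies that for the sample, and `symmetric=True` shows the order-independent key that removes it. Whether that matters depends on where state is kept: a transparent firewall bridging two interfaces sees both directions regardless of which upstream router the hash chose.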

  • Using a Transparent Firewall

    How does a transparent firewall intercept traffic in order to inspect and filter it? I'm not clear on the physical makeup of the design. If I have a VLAN with some hosts I want to protect and connect the inside and outside interfaces of an ASA to the same VLAN, how does the ASA get in between those hosts I want to protect, other hosts on the same VLAN, and their default gateway in the same VLAN? From a cabling perspective I would only be connecting cables of the ASA and the hosts to a switch port that is in a common VLAN. Why would a host go through the firewall? Since it's all layer 2, wouldn't it have to be ARP? I've looked at the ARP scenarios in the documentation, but none of it appears to state that the firewall proxies ARP in some fashion.
    thank you
    Bill 

    Hello Bill,
    That is exactly where it goes wrong: you don't have to connect everything on the same VLAN. It would be two different logical VLANs carrying Layer 2 traffic but with the same IP scheme. For example, consider the following scenario:
                                       Vlan100
                                  192.168.100.0
    Inside network---------------Switch----------------Router--------Internet
    Now, the main idea of the ASA firewall is to be inserted into this scenario without having to change the IP scheme, so here is what you do:
                            Vlan100                        Vlan101      
                        192.168.100.0              192.168.100.1
    Inside network---------------ASA_Firewall------------------Router------Internet
    What the ASA is going to do is bridge packets between the inside network and the router. How? It creates its own MAC address table just like a switch and forwards the packets on a layer 2 basis. It knows that the MAC address of the router is located on the outside and the MAC address of the inside host is on the inside, so when a request is going to the MAC address of the router it picks up the packet and bridges it to the router.
    Hope it helps.
    Mike
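Mike's answer and the earlier "Transparent Firewall Configuration" answer (one SVI on VLAN 200, hosts on VLAN 100, one shared subnet) describe the same mechanism. The block below is an added example, not code from the thread or from Cisco: a toy model of a two-interface transparent firewall that learns source MACs per interface like a switch, bridges frames between the two VLANs, and applies the security-level default (or an explicit inbound ACL) to IP traffic. Interface names, MACs, the 10.1.1.0/24 addresses and the ACL are hypothetical. Two simplifications are deliberate: the model is stateless (no connection table, so replies to an inside-initiated session are not tracked), and it floods unknown unicast like a plain switch rather than modelling the ASA's own MAC-discovery behaviour.

```python
"""Toy model of a two-interface transparent firewall bridging one IP subnet across two VLANs.

Added example (not code from the thread or from Cisco). Hosts sit on VLAN 100 behind the
inside interface, the only gateway SVI sits on VLAN 200 behind the outside interface, both
share 10.1.1.0/24. The firewall learns source MACs per interface like a switch and bridges
frames between the VLANs. Simplifications: stateless (no connection table) and unknown
unicast is flooded to the other side. All names and addresses are hypothetical.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

BROADCAST = "ffff.ffff.ffff"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str  # "arp", "icmp", "tcp/443", ...


@dataclass(frozen=True)
class Interface:
    name: str
    vlan: int
    security_level: int


class TransparentFirewall:
    def __init__(self, inside: Interface, outside: Interface, acl: Dict[str, Set[str]]):
        self.ifaces = {inside.name: inside, outside.name: outside}
        self.acl = acl                        # ingress interface -> permitted protocols
        self.mac_table: Dict[str, str] = {}   # learned MAC -> interface it was seen on

    def _other(self, ifname: str) -> str:
        return next(n for n in self.ifaces if n != ifname)

    def _permitted(self, ingress: str, frame: Frame) -> bool:
        if frame.proto == "arp":
            return True  # ARP is bridged without an access rule
        if ingress in self.acl:  # an applied inbound ACL replaces the default rule
            return frame.proto in self.acl[ingress]
        # Default: higher security level to lower is allowed, the reverse is not.
        return (self.ifaces[ingress].security_level
                > self.ifaces[self._other(ingress)].security_level)

    def receive(self, ingress: str, frame: Frame) -> Optional[str]:
        """Return the egress interface, or None if the frame is dropped or not bridged."""
        self.mac_table[frame.src_mac] = ingress  # learn the source like a switch
        if self.mac_table.get(frame.dst_mac) == ingress:
            return None  # destination is on the same VLAN: the switch handles it, not us
        if not self._permitted(ingress, frame):
            return None  # denied by the access rule
        return self._other(ingress)  # broadcast, unknown, or known on the far side


def example_run() -> List[Optional[str]]:
    """Walk the scenario from the answers; returns the egress decision for each frame."""
    inside = Interface("inside", vlan=100, security_level=100)
    outside = Interface("outside", vlan=200, security_level=0)
    # Hypothetical inbound ACL on outside: only ICMP may enter from the low-security side.
    fw = TransparentFirewall(inside, outside, acl={"outside": {"icmp"}})
    host, host2, gw = "0011.2233.4455", "0011.2233.4466", "0000.0c07.ac01"
    return [
        # 1. Host ARPs for its gateway 10.1.1.254 (the SVI on VLAN 200): broadcast, bridged out.
        fw.receive("inside", Frame(host, BROADCAST, "10.1.1.10", "10.1.1.254", "arp")),
        # 2. Gateway's ARP reply: the host MAC is known on inside, so it is bridged in.
        fw.receive("outside", Frame(gw, host, "10.1.1.254", "10.1.1.10", "arp")),
        # 3. Host opens HTTPS to an external server via the gateway MAC: high -> low, allowed.
        fw.receive("inside", Frame(host, gw, "10.1.1.10", "198.51.100.7", "tcp/443")),
        # 4. Unsolicited SSH from outside toward the host: not in the outside ACL, dropped.
        fw.receive("outside", Frame(gw, host, "198.51.100.7", "10.1.1.10", "tcp/22")),
        # 5. ICMP from outside toward the host: permitted by the outside ACL.
        fw.receive("outside", Frame(gw, host, "198.51.100.7", "10.1.1.10", "icmp")),
        # 6. A second VLAN 100 host talks to the first: same side, never crosses the firewall.
        fw.receive("inside", Frame(host2, host, "10.1.1.11", "10.1.1.10", "tcp/445")),
    ]
```

Step 6 is the answer to Bill's question: hosts that share a VLAN never traverse the firewall, because the switch forwards between them directly. Only traffic whose destination MAC lives on the other VLAN (in practice, the gateway SVI) is bridged and therefore inspected. That is also why the other answer insists on a single SVI, on the outside VLAN: an SVI on VLAN 100 would give the hosts a gateway that bypasses the firewall.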

  • Cisco Transparent firewall and cisco switch issues.

    Dears,
    I have a very plain scenario:
     LAN Cisco switch <2 VLANs> ----------> Cisco transparent firewall with BVI interface ------------> crypto box ---------> Cisco router ------ <remote/other site>
    I have VLAN 61 configured on the BVI interface of the firewall, on the crypto box and also on the switch port, and VLAN 61 is up/up.
    The issue is I can connect remotely to the Cisco transparent firewall but cannot ping or connect to the Cisco switch. ???????????
    I need to know some troubleshooting tips and basic settings that I need to verify. I simply want the LAN switch with 2 VLANs to pass through the Cisco transparent firewall and go to the other/remote site.

    Well,
    I have turned on ICMP inspection for the sessions, and the version I am using is 9.1.
    Moreover, I have put up the ACLs for inbound and outbound traffic, and while I ping across the firewall from the inside interface towards the outside interface PC, I can see packet counts increasing on the ACL in the show access-list command.
    I have requested the client to verify his part. Do let me know further tips if you have any.
    [ Moreover, we cannot use packet-tracer from the CLI in transparent mode ]

  • Transparent firewall

    I have a Cisco ASA 5510 Appliance Anti-X Edition Bundle and I've configured it as a transparent firewall.
    Traffic from the inside to the outside works fine, but from the outside to the inside it isn't working. An IP access list is applied on the outside interface.
    Does anybody have a similar working configuration to mine?

    What software version are you using on the ASA box?

  • Transparent firewall with failover with multiple contexts

    I am running 8.4(2) on ASA 5585s. They are in multiple context mode and set to transparent firewall with active/active failover. When I do a sh failover in a context I see 2 of my interfaces are (Waiting). I have a BVI, and these are the IP addresses on the interfaces in the "sh failover" below.
    Failover On
    Last Failover at: 11:54:39 GMT/IST Feb 23 2012
            This context: Standby Ready
                    Active time: 175394 (sec)
                      Interface ctxb-inside (x.x.x.165): Normal (Waiting)
                      Interface ctxb-outside (x.x.x.165): Normal (Monitored)
            Peer context: Active
                    Active time: 11390663 (sec)
                      Interface ctxb-inside (x.x.x.164): Normal (Monitored)
                      Interface ctxb-outside (x.x.x.164): Normal (Waiting)
    Why are the interfaces in (waiting)?

    Are you able to ping between the interfaces? i.e. can you ping x.x.x.165 from x.x.x.164 and vice versa? If you are not able to ping it, that means there is no connectivity between the 2, hence the status is Normal (Waiting) because it has not received the hello packet on that corresponding interface.
    Here is the reference guide FYI:
    http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s3.html#wp1505709

  • MAC address and the CAM entries on the Layer 3 FWSM(Transparent mode)

    Hi,
    With reference to the Cisco Press book Cisco Secure Firewall Services Module (FWSM), it is mentioned that
    "While configuring the transparent mode in FWSM, it is important to specify the MAC address and the CAM entries on the Layer 3 next hop device of FWSM."
    This part of the configuration is not very clear to me. Please let me know the logic behind this.
    The following are two examples:
    Layer 3 Device A (PFC) at the Outside Security Domain
    ! IP address of the next hop for the outside security domain
    interface Vlan20
    mac-address 0000.0000.0001
    ip address 10.10.1.1 255.255.255.0
    ! Specify the IP address and MAC address at the first hop layer 3 interface
    ! of the inside security domain
    arp 10.10.1.21 0000.0000.0001 ARPA
    Layer 3 Device B at the Inside Security Domain
    ! IP address of the next hop for the inside security domain
    interface Vlan21
    mac-address 0000.0000.0021
    ip address 10.10.1.21 255.255.255.0
    ! Specify the IP address and MAC address defined at the first hop interface
    ! of the outside security domain
    arp 10.10.1.21 0000.0000.0002 ARPA
    Regards
    Chris

  • Asa 5505 transparent firewall issue

    Hi, I have a UC560 with a voice and a data VLAN and I have a 3560 layer 3 switch, and my network is working fine; the DHCP for both voice and data is running on the UC560.
    Now I add an ASA 5505 between the UC560 and the switch in transparent mode, meaning from the UC560 to the ASA 5505 outside interface and from the ASA inside interface to the switch.
    I configured VLAN 1 as inside and VLAN 2 as outside on the ASA 5505.
    In my UC560, data is VLAN 1 and voice is VLAN 100.
    When I connect my network with the transparent mode firewall, no DHCP and no phones are working. But if I remove the ASA and connect the UC560 to the switch, everything is fine.
    Is there any way to make multiple voice and data VLANs work in ASA 5505 transparent mode?

    Hi Rojas,
    Here is my problem:
    My internet and voice are all connected to the UC560, so what I am doing is connecting the firewall outside to the UC560 trunk port and then from the inside to my switch.
    When I connect to my switch it gives the message "inconsistent VLAN" and the port is blocked, and my phones are not working.
    My data VLAN 1 is 192.168.123.x
    and my voice VLAN 100 is 10.1.1.x
    and the firewall IP is 192.168.123.3
