IronPort - Transparent mode
Hi,
We have a new IronPort C360 and need to install it as a transparent bridge between the router and our servers. How can we do this?
Thanks
Elton,
By definition the C-series Ironport appliance is an SMTP MTA. It doesn't have a transparent mode since it functions by receiving a complete SMTP email and examining it.
The S-series is the Web Security appliance and I believe that does have a transparent mode. Could that be what you were referring to?
Similar Messages
-
Hi,
Can someone help me configure the IronPort WSA for HTTPS in transparent mode?
If I configure the HTTPS proxy, all the traffic will be intercepted as in a decrypted mode, and my aim is to implement transparent HTTPS in tunneling mode.
Can someone help me to do that?
Rgds
Frantz
Cisco Email and Web Security Knowledge Base: "How to set a specific web site to HTTPS 'pass through' instead of 'decrypt'" (Published 06/24/2009 01:47 PM | Updated 01/30/2013 06:38 AM) -
hi,
Does anyone here already have a summarized procedure for configuring IronPort in transparent mode?
I assume that all existing proxies are supported by IronPort if I'm going to have the WSA in transparent mode.
Please post if you already have one.
Thank you
Hi Jon,
Thanks for the reply.
I have read two documents, one was 180 pages and the other one was over 400. I am not able to understand how to get the 6509 to communicate with the FWSM.
This is my Scenario:
I have to issue the "session slot 3 processor 1" command in order to get to the FWSM.
When there, I can see the following:
Version: Device Manager Version 5.2(4)F
Firewall Status:
FWSM# sho fire
Context Mode
admin Transparent
FWSM#
This is what I'm trying to do:
I have a client who is renting a server and is expecting some DDoS and so forth; I want to put him behind the FWSM.
He is right now sitting on vlan 473. This is a L3 Switch, so vlan 473 exists on L2 and obviously an SVI (interface vlan) with the following configuration:
Router.(config-if)#do svlan 473
Building configuration...
Current configuration : 201 bytes
interface Vlan473
description 04001021613.PRIVATELAYER.CH
ip address 31.7.61.177 255.255.255.240
ip access-group SPAM out
no ip redirects
no ip proxy-arp
ipv6 address 2A02:29B8:2118::1/48
end
Router.(config-if)#
I am aware that in routed mode you have to add the same VLANs to the FWSM and so forth, but in transparent mode, honestly, I am clueless.
It's stated that I have to use TWO interfaces and configure the same IPs on each (...); in routed mode I know it's not possible, but in transparent mode it somehow is.
NOTE: I am only a CCNA but have done a LOT of research on the topic. I have not found a step-by-step guide, not even in the CCNP or CCIE training videos out there (I have over 40GB of Cisco videos... getting frustrated).
Any help is appreciated.
Thanks,
Ezequiel -
The difference between VTP server and transparent mode on Catalyst Switch.
Hello
I have a question about the difference between VTP server mode and VTP transparent mode on a general Catalyst switch.
Basically, VTP server mode can create and modify the VLAN configuration, but there is no VLAN configuration in the running-config; is that true? When I checked on a Cat3550, there was certainly no VLAN configuration in VTP server mode. But VTP transparent mode can create VLANs and their configuration, yet does not synchronize with other switches' VLAN status. I appreciate any related information and the reason for the VTP server mode specification; thank you very much.
[VTP Transparent mode]
3550#sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 27
VTP Operating Mode : Transparent
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
*omit
3550#
3550#sh run
Building configuration...
*omit
vlan 99
name TEST-VLAN
[VTP Server mode]
3550#sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 27
VTP Operating Mode : Server
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
*omit
3550#
3550#sh run
Building configuration...
*no VLAN configuration like the one shown above under VTP transparent mode.
Best Regards,
Masanobu Hiyoshi
Hi mhiyoshi,
3550#sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 27
VTP Operating Mode : Transparent
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
*omit
3550#
3550#sh run
Building configuration...
*omit
vlan 99
name TEST-VLAN
The above output indicates that the VLAN was created and then the mode was changed to transparent, i.e. that is why the revision number is 0.
3550#sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 27
VTP Operating Mode : Server
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
*omit
3550#
3550#sh run
Building configuration...
*no VLAN configuration like the one shown above under VTP transparent mode.
This indicates that the VLAN was never created in server mode nor learnt from another switch, as the revision number is 0. -
Cisco ASA 5512 Transparent mode
Hi all - hope this is the right place to ask this question-
I'm having trouble understanding how to configure an ASA 5512X in what should be a really easy way -
I simply want the ASA to be a transparent Layer 2 "bump" in a routed link between two networks, and then I'll use the Management interface to actually see the firewall: ASDM, Syslog, configure, etc.
I have the interfaces set up thusly:
interface GigabitEthernet0/0
nameif UnTrustedNetwork
security-level 0
interface GigabitEthernet0/1
nameif TrustedNetwork
security-level 100
interface Management0/0
nameif ManagementAccess
security-level 100
ip address 192.168.X.Y 255.255.255.0
management-only
I cannot figure out how to install a default route so that interface Management0/0, with its IP of 192.168.X.Y, can be reached from other networks, like 10.6.X.Y, etc.
I thought the point of a Management interface was that you could set things up in such a way that the Management interface was the only way you could access the firewall, and you did not have to have IP addresses on the Gig interfaces (at least not in transparent mode; for NAT you obviously would have to).
I tried to add a static route entry to 10.6.X.Y, but when I typed "route.." my only available destination interfaces were either TrustedNetwork or UnTrustedNetwork??
How do I configure the Management interface so that non-local subnets are reachable on the firewall in transparent mode?
A transparent firewall is configured differently from routed mode.
Here's the basic config required:
firewall transparent (erases the current config; does not require a reboot)
interface BVI1
ip address 192.168.10.10 255.255.255.0
interface GigabitEthernet0
nameif outside
bridge-group 1
security-level 0
interface GigabitEthernet1
nameif inside
bridge-group 1
security-level 100
route outside 0.0.0.0 0.0.0.0 192.168.10.254
route inside 10.0.0.0 255.0.0.0 192.168.10.100
I think that you need a BVI interface with an IP address before the ASA starts forwarding traffic.
The old syntax (pre 8.3 or 8.2, not sure) forced only 2 interfaces and no BVI was configured; the IP was assigned in global config.
Hope that helps,
Patrick -
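To catch the mistake in the question (data ports with no bridge group and no BVI) before traffic is affected, the following added example, which is not from the forum or from Cisco, lints an ASA transparent-mode configuration in Python. It assumes the 8.4-style syntax in Patrick's reply ("interface BVIn" plus "bridge-group n"), one command per line with sub-commands under their "interface" line, and ignores every other command; the two sample configurations are constructed from this thread, with 192.0.2.10 standing in for the poster's 192.168.X.Y.

```python
"""Lint an ASA transparent-mode configuration for the structural mistakes
raised in this thread: no BVI (or one without an address), data ports outside
any bridge group, and a bridge group with a single member.  Added example, not
from the forum or from Cisco; it assumes the 8.4-style syntax in Patrick's
reply (BVI plus bridge-group) and ignores every command it does not need."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Interface:
    name: str
    nameif: Optional[str] = None
    bridge_group: Optional[int] = None
    ip: Optional[str] = None
    management_only: bool = False

@dataclass
class Config:
    transparent: bool = False
    interfaces: Dict[str, Interface] = field(default_factory=dict)

def parse_asa(text: str) -> Config:
    """Minimal parser: only the commands the lint needs are recorded."""
    cfg, current = Config(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "firewall transparent":
            cfg.transparent, current = True, None
        elif line.startswith("interface "):
            current = Interface(name=line.split(None, 1)[1])
            cfg.interfaces[current.name] = current
        elif current is not None:  # sub-command of the open interface block
            if line.startswith("nameif "):
                current.nameif = line.split()[1]
            elif line.startswith("bridge-group "):
                current.bridge_group = int(line.split()[1])
            elif line.startswith("ip address "):
                current.ip = line.split()[2]
            elif line == "management-only":
                current.management_only = True
    return cfg

def lint_transparent(cfg: Config) -> List[str]:
    """Findings tagged with a bracketed code; an empty list means clean."""
    out: List[str] = []
    if not cfg.transparent:
        out.append("[not-transparent] 'firewall transparent' is not set; the box is in routed mode")
    bvis = {n for n in cfg.interfaces if n.upper().startswith("BVI")}
    if not bvis:
        out.append("[no-bvi] no BVI interface defined; nothing carries the bridge group's IP address")
    for name in sorted(bvis):
        if cfg.interfaces[name].ip is None:
            out.append(f"[bvi-no-ip] {name} has no ip address (compare the tfw-no-mgmt-ip-config drop counter)")
    groups: Dict[int, List[str]] = {}
    for intf in cfg.interfaces.values():
        if intf.name in bvis or intf.management_only:
            continue  # a management-only port is not part of the bridge
        if intf.bridge_group is None:
            out.append(f"[no-bridge-group] {intf.name} is not a member of any bridge group")
        else:
            groups.setdefault(intf.bridge_group, []).append(intf.name)
            if f"BVI{intf.bridge_group}" not in bvis:
                out.append(f"[bvi-missing] {intf.name} uses bridge-group {intf.bridge_group} but BVI{intf.bridge_group} is not defined")
    for group, members in groups.items():
        if len(members) < 2:
            out.append(f"[single-member] bridge-group {group} has only {members}; a bump in the wire needs two ports")
    return out

# Constructed from Patrick's reply (security-level and route lines omitted).
GOOD_CONFIG = """
firewall transparent
interface BVI1
 ip address 192.168.10.10 255.255.255.0
interface GigabitEthernet0
 nameif outside
 bridge-group 1
interface GigabitEthernet1
 nameif inside
 bridge-group 1
"""

# Constructed from the question: transparent mode, but no BVI and no
# bridge-group on the data ports.  192.0.2.10 stands in for 192.168.X.Y.
BAD_CONFIG = """
firewall transparent
interface GigabitEthernet0/0
 nameif UnTrustedNetwork
interface GigabitEthernet0/1
 nameif TrustedNetwork
interface Management0/0
 nameif ManagementAccess
 ip address 192.0.2.10 255.255.255.0
 management-only
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, lint_transparent(parse_asa(text)) or "clean")
```

Run against the question's configuration the lint reports no BVI and two data ports outside any bridge group, which is exactly why the ASA is not bridging; Patrick's configuration comes back clean. The management-only port is deliberately skipped because it never participates in the bridge.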
ASA Transparent mode multicast traffic in 8.2 and 8.4
Hi,
When I configured 8.2 in transparent mode and deployed it in a network that was running EIGRP, I found that the neighborship stopped; when I allowed the multicast address and protocol on the outside interface, it started working. But when I deployed an ASA with 8.4 IOS, it started working only after I allowed the multicast address and protocol on both interfaces (inside and outside).
So I want to know the reason for having to allow the multicast address and protocol on both interfaces with 8.4 IOS. I am not able to find any answer for this.
Hi Mahesh,
By default, an ASA in transparent mode does not allow any packets that do not have a valid EtherType greater than or equal to 0x600. As far as I know this concept remains the same for all versions of ASA. Most control plane protocols are denied.
An ASA in transparent mode only allows ARP, broadcast traffic, and TCP and UDP inspected unicast traffic.
For EIGRP to work through a transparent firewall, we need to open ACLs in both directions for both multicast and unicast EIGRP traffic, on all versions of the ASA firewall. -
Hi Guys,
I had to re-post this here because I did not get any comments earlier.. hopefully I'll get something here.. :)
I'm investigating the ways that I can use 2 x ASA (5525x) to accommodate Multi-tenancy situation with overlapping addresses. Unfortunately in this particular scenario we have to stick with 5525x firewalls.
The ASAs are going to be placed in north-south traffic path between 2 routers and these routers need to be configured with multiple VRFs to segregate the traffic for each tenant with overlapping IP subnets ( We are not looking at NAT as a workaround for the time being).
As we know, this ASA model won't support VRFs, so we can't use the ASA as an intermediary routing hop and therefore this is not an option, and using security contexts per VRF seems not scalable enough (correct me if I'm wrong). So my thinking is that, if we put the ASAs into transparent mode and just use the ASAs as a layer 2 interconnect (configured with different VLANs connecting VRFs served by the top and bottom routers), I should be able to go up to a maximum of 50 VRFs (since the 5525x only supports 200 VLANs).
I'm also planning to use the 2 ASAs in a cluster mode to aggregate the bandwidth of both ASAs for better throughput.
So I need to clarify following with you guys..
1) Can I actually do this, or am I missing something?
2) Are there any limitations that I might run into with this setup?
3) Is there anyone out there who's doing the same thing, or can you think of a better way to tackle this scenario (with the same hardware and requirements)?
4) Instead of using clustering, can I use a simple Active/Standby pair and still configure transparent mode and use it that way?
Appreciate your input.
Thanks
Shamal
There is a limitation on how many contexts you can have, which depends on the license you have. This is quite possible with ASA multi routed mode and even with multi transparent mode. You can have overlapping IPs in each context without the need for NAT, as long as you have a unique MAC address for each sub-interface.
Thanks -
INPUT textfield does not show non-English letters with transparent mode
INPUT textfield does not show non-English letters when I type, if transparent mode is turned on.
Is this a bug of Flash Player 9?
Will this bug be fixed?
I just tested Firefox and Chrome on Linux; it doesn't work either, but I get different weird chars: éèça
However, on both Mac and Linux, if I copy the chars and paste them in the input field, it passes. -
Explain about transparent mode, single mode, multiple context mode
Can you explain the differences between transparent mode, single mode and multiple context mode on the ASA 5500? Thank you very much.
Great question. Hope the below helps:
Transparent Mode: In this mode, the ASA will filter traffic without requiring L3 on the ASA. This means that in your config you will not put IPs on the interfaces to be used for traffic filtering. Thus, filtering is transparent to the traffic as the traffic isn't directly routed to the firewall. Think of it like you have a server plugged into a switch. In transparent mode, you place the ASA between the server and the switch and no configuration change is required to the server. In routed mode, you place the ASA in the same physical location between the server and switch, but have to change the server to use the ASA as a default gateway.
Single Mode: Default mode of an ASA. The ASA acts as a single firewall and all interfaces are provisioned to be managed through a single firewall configuration.
Multiple Context Mode: The ASA is split into multiple virtual configurations. With the ASA now virtualized, you provision the physical interfaces on the ASA to the virtual firewall configured. Each context has its own configuration, separate from the rest of the firewall. Multi-context is meant for enterprises to invest in a single piece of hardware and scale it for use as multiple security devices.
Hope this helps. Let me know if you have any more questions!
-Mike
http://cs-mars.blogspot.com -
I do have an Apple Cinema 23" transparent mod. M8536 but I have no clue how to connect it to a PC or current versions of Mac
You will need a DVI to ADC adapter
<http://www.amazon.com/Apple-DVI-ADC-Display-Adapter/dp/B00011KHT2>
If the computer does not have DVI, you will also need another adapter to connect the DVI plug to the computer. -
Connectivity Issues Cisco ASA 5515 in Transparent Mode
Hi,
We're having problems with one transparent mode setup at one customer site. The ASA is equipped with a CX module, but we're not using it; so far in the service policy rules it was enabled and matched all traffic, but in "monitor only" mode. There is a global ACL that allows any-any-IP.
Firewall-Info:
- ASA Version 9.1(2)
- Interfaces gi0/0 + gi0/2 without any interface errors
The ASA 5515x is configured as a "bump in the wire". In general our setup is working, but since the installation of the firewall the customer faces the following connection issues; without the firewall there are no problems:
- Connections to SAP-Servers behind the MPLS begin to drop, affected all users
- Incoming monitoring sessions (ping/snmp) from central management are facing ping timeouts, connection timeouts
- http downloads are stopping, Customer: it will stop responding and the download will fail.
In general the customer describes it this way: "We do not have the best connection here so once we connected the firewall all the problems are magnified"
I recognized that we unconfigured the default inspection during initial setup and reconfigured this entry for the CX module. So the default inspection with all its settings is not present any more... How important are these settings? One phenomenon is that I've seen a large number of concurrent connections that increased over time. And we already had the situation that the firewall reached the max-conn count.
Should I try to reconfigure the default inspection as it ships from the factory? And what's the best way to check for problems? What can be the reason for the dropping connections?
I attached a network plan and the firewall config, hopefully, that somebody has an idea. Of course I can provide additional information...
Best Regards
Sebastian
Hi Vibhor,
thanks for your reply. Does this also affect the traffic, even if the setting is set to "Monitor Only"?
Is it recommended to configure the default-inspection rule as a default setting?
Further question: I've read something about service policy rules having to be "reloaded" to take effect after they have been changed. Is that right, and how do I reload them?
Here is an output from sh asp drop; do I have to care about certain values? These values result from two connected users doing some downloads over a 2Mbit connection.
ciscoasa# show asp drop
Frame drop:
Invalid encapsulation (invalid-encap) 10
First TCP packet not SYN (tcp-not-syn) 114
TCP failed 3 way handshake (tcp-3whs-failed) 3
TCP RST/FIN out of order (tcp-rstfin-ooo) 18
Dst MAC L2 Lookup Failed (dst-l2_lookup-fail) 33
L2 Src/Dst same LAN port (l2_same-lan-port) 260
FP L2 rule drop (l2_acl) 2958
Interface is down (interface-down) 9420
No management IP address configured for TFW (tfw-no-mgmt-ip-config) 117
Dropped pending packets in a closed socket (np-socket-closed) 66
Thanks
Sebastian -
Failure when FWSM in transparent mode with multiple contexts
hi experts,
We have two FWSMs working in active/standby state, configured with multiple contexts in transparent mode. and the "outside" and "inside" interfaces for each context are in same subnet.
Now we have one FWSM broken and the RMA part can't arrive in a short time, so we have the risk that the second FWSM could fail as well. In the worst case, if the two were broken or powered off simultaneously, I wonder whether the communications between the multiple contexts would be OK???
thanks in advance.
The software requirements for Cisco Secure ACS are dependent on the type of Extensible Authentication Protocol (EAP) desired. For full support of all the EAP types including EAP-Flexible Authentication via Secure Tunneling (FAST), use release 3.2.3 or higher.
http://www.cisco.com/en/US/netsol/ns340/ns394/ns431/ns434/networking_solutions_implementation_guide09186a008038906c.html -
VRF issue with Firewall in transparent Mode.
Hi Guys,
I have 7609 Router and 6513 L3 Switch connected Through ASA 5545.
I am running Multiple VRF between router and Switch and BGP routing Protocol. When they are connected directly to each other everything is normal, however, when I have connected them via ASA 5545 then everything fails. I am using ASA in transparent Mode.
My question is: does the ASA require different settings in the case of VRFs? If yes, then please give me a sample config.
I have taken the following output from the firewall; will this be any help?
sh interface ouTSIDE
Interface GigabitEthernet0/1 "OUTSIDE", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
Input flow control is unsupported, output flow control is off
MAC address 7c69.f68f.df78, MTU 1500
IP address 175.4.8.35, subnet mask 255.255.255.248
8435 packets input, 680680 bytes, 0 no buffer
Received 8135 broadcasts, 0 runts, 0 giants
0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
0 pause input, 0 resume input
8138 L2 decode drops
0 packets output, 0 bytes, 0 underruns
0 pause output, 0 resume output
0 output errors, 0 collisions, 1 interface resets
0 late collisions, 0 deferred
0 input reset drops, 0 output reset drops
input queue (blocks free curr/low): hardware (476/461)
output queue (blocks free curr/low): hardware (511/511)
Traffic Statistics for "OUTSIDE":
297 packets input, 118503 bytes
0 packets output, 0 bytes
297 packets dropped
1 minute input rate 0 pkts/sec, 13 bytes/sec
1 minute output rate 0 pkts/sec, 0 bytes/sec
1 minute drop rate, 0 pkts/sec
5 minute input rate 0 pkts/sec, 6 bytes/sec
5 minute output rate 0 pkts/sec, 0 bytes/sec
5 minute drop rate, 0 pkts/sec
ciscoasa# show asp drop
Frame drop:
FP L2 rule drop (l2_acl) 297
ASA Version 9.0(1)
firewall transparent
ciscoasa# show module all
Mod Card Type Model Serial No.
0 ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt ASA5545
ips ASA 5545-X IPS Security Services Processor ASA5545-IPS
Mod MAC Address Range Hw Version Fw Version Sw Version
0 7c69.f68f.df77 to 7c69.f68f.df80 1.0 2.1(9)8 9.0(1)
ips 7c69.f68f.df75 to 7c69.f68f.df75 N/A N/A 7.1(4)E4
Mod SSM Application Name Status SSM Application Version
ips IPS Up 7.1(4)E4
Mod Status Data Plane Status Compatibility
0 Up Sys Not Applicable
ips Up Up
Mod License Name License Status Time Remaining
ips IPS Module Enabled perpetual
ciscoasa#
I have created an EtherType ACL and permitted any traffic.
CDP traffic has passed through but I am still not able to ping :( -
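The drop counters Sebastian quoted in his thread and the "show interface" / "show asp drop" output in the VRF thread above can be triaged the same way. The following is an added example, not from the forum or from Cisco: a Python parser for the two command outputs plus a small rule set that flags the counters that matter for a bump-in-the-wire deployment. The sample text is the two posters' own output (the interface output abridged); the reading given to each counter is this example's own assumption, not a quotation of Cisco documentation.

```python
"""Triage 'show asp drop' and 'show interface' output from an ASA used as a
transparent bump in the wire.  Added example, not from the forum or from
Cisco; the sample text is taken from the two threads above, and the
interpretation of each counter is this example's own reading of them."""
import re
from typing import Dict, List

# "<description> (<reason>) <count>" as printed by 'show asp drop'
ASP_LINE = re.compile(r"^\s*(?P<desc>.+?)\s+\((?P<reason>[\w-]+)\)\s+(?P<count>\d+)\s*$")

def parse_asp_drop(text: str) -> Dict[str, int]:
    """Map each drop reason (the token in parentheses) to its counter."""
    counters: Dict[str, int] = {}
    for line in text.splitlines():
        m = ASP_LINE.match(line)
        if m:
            counters[m.group("reason")] = int(m.group("count"))
    return counters

def parse_interface(text: str) -> Dict[str, int]:
    """Pull the counters that matter from 'show interface': the NIC-level
    section precedes the 'Traffic Statistics' header, the ASA-level one follows."""
    hw, _, traffic = text.partition("Traffic Statistics")
    fields: Dict[str, int] = {}
    for src, pattern, key in (
        (hw, r"(\d+) L2 decode drops", "l2_decode_drops"),
        (traffic, r"(\d+) packets input", "packets_input"),
        (traffic, r"(\d+) packets output", "packets_output"),
        (traffic, r"(\d+) packets dropped", "packets_dropped"),
    ):
        m = re.search(pattern, src)
        if m:
            fields[key] = int(m.group(1))
    return fields

def triage(asp: Dict[str, int], intf: Dict[str, int]) -> List[str]:
    """Findings tagged with a bracketed code; the order is fixed so it can be tested."""
    out: List[str] = []
    if asp.get("l2_acl"):
        out.append(f"[l2-acl] {asp['l2_acl']} frames dropped by the L2 (EtherType) rule: "
                   "non-IP EtherTypes that must cross the bridge need an explicit permit")
    if asp.get("tfw-no-mgmt-ip-config"):
        out.append(f"[no-mgmt-ip] {asp['tfw-no-mgmt-ip-config']} drops because the transparent "
                   "firewall has no management (BVI) IP address configured")
    if asp.get("tcp-not-syn"):
        out.append(f"[tcp-not-syn] {asp['tcp-not-syn']} flows first seen mid-stream: connections that "
                   "predate the firewall insertion, or an asymmetric path where only one direction crosses it")
    if asp.get("interface-down"):
        out.append(f"[interface-down] {asp['interface-down']} frames dropped while the ingress or egress port was down")
    if intf.get("packets_input") and intf.get("packets_dropped") == intf["packets_input"]:
        out.append("[all-dropped] every frame the ASA counted on this port was dropped; nothing is being bridged")
    if intf.get("l2_decode_drops"):
        out.append(f"[l2-decode] {intf['l2_decode_drops']} L2 decode drops at the NIC level; compare with l2_acl")
    return out

# Quoted from Sebastian's post (two users downloading over a 2 Mbit link).
ASP_OUTPUT_SEBASTIAN = """\
Frame drop:
  Invalid encapsulation (invalid-encap) 10
  First TCP packet not SYN (tcp-not-syn) 114
  TCP failed 3 way handshake (tcp-3whs-failed) 3
  TCP RST/FIN out of order (tcp-rstfin-ooo) 18
  Dst MAC L2 Lookup Failed (dst-l2_lookup-fail) 33
  L2 Src/Dst same LAN port (l2_same-lan-port) 260
  FP L2 rule drop (l2_acl) 2958
  Interface is down (interface-down) 9420
  No management IP address configured for TFW (tfw-no-mgmt-ip-config) 117
  Dropped pending packets in a closed socket (np-socket-closed) 66
"""

# Quoted (abridged) from the VRF thread: 'sh interface OUTSIDE' and 'show asp drop'.
INTERFACE_OUTPUT_VRF = """\
Interface GigabitEthernet0/1 "OUTSIDE", is up, line protocol is up
        8435 packets input, 680680 bytes, 0 no buffer
        8138 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
  Traffic Statistics for "OUTSIDE":
        297 packets input, 118503 bytes
        0 packets output, 0 bytes
        297 packets dropped
"""
ASP_OUTPUT_VRF = "Frame drop:\n  FP L2 rule drop (l2_acl) 297\n"

if __name__ == "__main__":
    print(triage(parse_asp_drop(ASP_OUTPUT_SEBASTIAN), {}))
    print(triage(parse_asp_drop(ASP_OUTPUT_VRF), parse_interface(INTERFACE_OUTPUT_VRF)))
```

On the VRF thread's output the rules report that every one of the 297 frames the ASA counted was dropped and that all of them hit the L2 rule, so the first thing to check is what the EtherType ACL actually permits on both ports; on Sebastian's output the mid-stream TCP flows and the missing management IP stand out from the rest of the counters.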
Hi,
In order to configure transparent mode in the ASR5k to disable authentication and allow everyone, what are the appropriate commands?
In the SAMI module we used to configure 'access-mode non-transparent' under the APN.
What is the equivalent in the ASR5k?
we have configured the following 2 commands and we still have authentication failure for the GTP user
aaa authentication subscriber none
apn {apn_name}
authentication allow-noauth
Hi,
If you use transparent instead of server or client, there should be no problem with copy run start. (The difference is that in this case your switch doesn't participate in the VTP communication; it only forwards the received messages and doesn't update its VTP db.)
During the copy running-config startup-config did you get some error message? (not enough space or something) Please first check the flash with the show flash command.
Or try to save your running config to flash rather than to the startup config: copy running flash:test.cfg
If you need more help please send me output of show flash at least...
bye
FCS
Please rate me if I helped. -
My mac goes to reduced transparency mode at startup
My Mac Goes Into Reduced Transparency Mode Even On Login Page
Reset PRAM. http://support.apple.com/kb/PH18761
Start up in Safe Mode. http://support.apple.com/kb/PH18760
Best.