Setup Transparent ASA

Hi,
I'm trying to get started on setting up my first Transparent ASA.
I understand an ASA in Transparent Mode can now have an IP address with bridge groups or some such mechanism. I'm looking for examples of how to set that up and other information below.
Is the IP address associated with the device or is it interface specific? Will I be able to SSH with that IP address set up?
Can I use ASDM if the Transparent ASA has an IP address?
This 5512X has an IPS. Anyone who has set up an IPS on this platform knows it has some very particular requirements in order to communicate with the outside world. I need examples of how to do that with a Transparent ASA.
How is NAT set up differently (if at all) on a Transparent ASA?
Are ACLs done any differently?
Any help is appreciated. Examples or links are great.
Thanks.

You will now use bridge-groups...
It's specific to a bridge group (the IP address), and yes, you will be able to SSH, Telnet and use ASDM to that IP.
NAT and ACL setup is the same thing.
Here is a quick example I did:
firewall transparent
interface BVI10
 ip address 192.168.12.1 255.255.255.0
interface GigabitEthernet0/0
 nameif outside
 bridge-group 10
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 bridge-group 10
 no shutdown

Similar Messages

  • PC not getting IP in transparent ASA

    Hi everyone,
    ASA 5505 is connected to a layer 3 switch.
    ASA is in transparent mode.
    The layer 3 switch has SVI Vlan 20 and also has a DHCP server for vlan 20.
    The PC connected to the transparent switch is not able to get an IP address from the layer 3 switch.
    I have configured the ACL on the outside interface of the ASA to allow the DHCP reply coming from the switch.
    When I assign a static IP to the PC connected to port eth0/1 of the ASA it works fine.
    ciscoasa# sh run
    : Saved
    ASA Version 9.1(1)
    firewall transparent
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 20
    interface Ethernet0/1
    switchport access vlan 13
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    interface Vlan1
    no nameif
    no security-level
    interface Vlan13
    nameif inside
    bridge-group 1
    security-level 100
    interface Vlan20
    nameif Outside
    bridge-group 1
    security-level 0
    interface BVI1
    ip address 192.168.20.59 255.255.255.0
    boot system disk0:/asa911-k8.bin
    ftp mode passive
    object network Broadcast
    host 255.255.255.255
    object network Dhcp-Server
    host 192.168.20.3
    access-list inside_access_in extended permit ip any any
    access-list Outside_access_in extended permit udp object Dhcp-Server object Broadcast eq bootpc log
    access-list inside_access_in_1 extended permit ip any any
    pager lines 24
    mtu Outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-712.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    access-group Outside_access_in in interface Outside
    access-group inside_access_in_1 in interface inside
    route Outside 0.0.0.0 0.0.0.0 192.168.20.3 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 Outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 Outside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous prompt 2
    Cryptochecksum:cbcb87f40ea45d3bd0b6376e92b5fe8a
    : end
    Thanks
    mahesh
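
    A sanity check for a transparent-mode configuration, added here as an example; it is editor's code, not something any poster ran or a Cisco tool. It reads a show-run style dump like the bridge-group example in the first reply or the 5505 configuration just above (indented or not) and reports the things that commonly go wrong: a bridge-group with no BVI address, a bridge-group with fewer than two member interfaces, an interface with a nameif but no bridge-group, and ssh/telnet/http permitted from any source on a low-security interface, which is what `ssh 0.0.0.0 0.0.0.0 Outside` in the configuration above does. The configuration embedded in the block is constructed for the example; interface names and addresses are illustrative, and the "inside is 100, everything else is 0" default for an unset security-level is the ASA's documented default.

```python
import re
from collections import defaultdict

# Constructed running-config (example input for this check, not any poster's
# device). It mirrors the bridge-group example above but adds a half-built
# bridge-group 20 and an ssh line open to any source on the outside.
SAMPLE_CONFIG = """\
firewall transparent
hostname asa-tp
interface GigabitEthernet0/0
 nameif outside
 bridge-group 10
 security-level 0
interface GigabitEthernet0/1
 nameif inside
 bridge-group 10
 security-level 100
interface GigabitEthernet0/2
 nameif dmz
 bridge-group 20
 security-level 50
interface BVI10
 ip address 192.168.12.1 255.255.255.0
access-list outside_in extended permit ip any any
access-group outside_in in interface outside
ssh 0.0.0.0 0.0.0.0 outside
http 192.168.12.0 255.255.255.0 inside
"""

# Sub-commands that continue an 'interface' block even in an unindented dump.
_IF_SUBCMDS = ('nameif', 'no nameif', 'bridge-group', 'security-level',
               'no security-level', 'ip address', 'no ip address', 'shutdown',
               'no shutdown', 'vlan', 'switchport', 'description')
_IPV4 = r'(\d{1,3}(?:\.\d{1,3}){3})'

def parse_config(text):
    """Pull interfaces, BVI addresses, management lines and access-groups out
    of an ASA configuration. Returns (ifaces, bvi_addr, mgmt, acl_ifs)."""
    ifaces, bvi_addr, mgmt, acl_ifs, cur = {}, {}, [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r'interface (\S+)(?: (\d+))?$', line, re.I)
        if m:
            cur = m.group(1) + (m.group(2) or '')      # 'bvi 10' -> 'bvi10'
            if cur.lower().startswith('bvi'):
                bvi_addr.setdefault(int(cur[3:]), None)  # None until 'ip address' seen
            else:
                ifaces[cur] = {'nameif': None, 'bridge_group': None, 'security_level': None}
            continue
        if cur and line.startswith(_IF_SUBCMDS):
            tok = line.split()
            if cur.lower().startswith('bvi'):
                if tok[:2] == ['ip', 'address']:
                    bvi_addr[int(cur[3:])] = tok[2]
            elif tok[0] == 'nameif':
                ifaces[cur]['nameif'] = tok[1]
            elif tok[0] == 'bridge-group':
                ifaces[cur]['bridge_group'] = int(tok[1])
            elif tok[0] == 'security-level':
                ifaces[cur]['security_level'] = int(tok[1])
            continue
        cur = None                                      # any other line ends the block
        m = re.match(r'(ssh|telnet|http) ' + _IPV4 + ' ' + _IPV4 + r' (\S+)$', line)
        if m:
            mgmt.append(m.groups())                     # (service, source, mask, nameif)
            continue
        m = re.match(r'access-group \S+ (?:in|out) interface (\S+)$', line)
        if m:
            acl_ifs.append(m.group(1))
    return ifaces, bvi_addr, mgmt, acl_ifs

def check_transparent(text):
    """Return findings (strings) for a transparent-mode ASA config; [] is clean."""
    ifaces, bvi_addr, mgmt, acl_ifs = parse_config(text)
    findings = []
    if not re.search(r'^firewall transparent\s*$', text, re.M):
        findings.append("'firewall transparent' missing: this config is in routed mode")
    members = defaultdict(list)
    for name, i in ifaces.items():
        if i['bridge_group'] is not None:
            members[i['bridge_group']].append(i['nameif'] or name)
        elif i['nameif']:
            findings.append(f"{name} ({i['nameif']}): nameif but no bridge-group, "
                            "so it bridges nothing")
    for bg, names in sorted(members.items()):
        if bvi_addr.get(bg) is None:
            findings.append(f"bridge-group {bg}: no BVI{bg} management IP address")
        if len(names) < 2:
            findings.append(f"bridge-group {bg}: only {len(names)} member ({', '.join(names)}); "
                            "two interfaces are needed to pass traffic")
    for bg in bvi_addr:
        if bg not in members:
            findings.append(f"BVI{bg}: no interface is in bridge-group {bg}")
    # ASA default when security-level is unset: 'inside' is 100, anything else is 0.
    level = {i['nameif']: (i['security_level'] if i['security_level'] is not None
                           else 100 if i['nameif'] == 'inside' else 0)
             for i in ifaces.values() if i['nameif']}
    for svc, src, mask, nif in mgmt:
        if nif not in level:
            findings.append(f"{svc}: unknown interface '{nif}'")
        elif mask == '0.0.0.0' and level[nif] < 100:
            findings.append(f"{svc} from any source on '{nif}' (security-level {level[nif]}): "
                            "management plane reachable from the untrusted side")
    for nif in acl_ifs:
        if nif not in level:
            findings.append(f"access-group: unknown interface '{nif}'")
    return findings

if __name__ == '__main__':
    for finding in check_transparent(SAMPLE_CONFIG):
        print(finding)
```

    Feed it the text of `show running-config` (the function only looks at interface, BVI, ssh/telnet/http and access-group lines, so the rest of the dump is ignored). An empty list means none of the checks fired; it does not mean the ACLs are right.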

    Hi Jouni,
    It worked great as always.
    I got this ASA Security Plus license a few days back, so I'm trying to learn some concepts in my home lab.
    Need to understand the reason for these 2 ACLs:
    1> access-list OUTSIDE-IN permit icmp host any echo
    I already have ICMP under the global policy, so why do we use the above ACL?
    Also this ACL has a hit count of 0.
    2> When we allowed the ACL to allow the BootPC reply from any host to the broadcast address, then why do we need this second ACL?
    access-list OUTSIDE-IN permit udp host 192.168.20.0 255.255.255.0 eq bootpc
    This ACL also has a hit count of 0.
    Thanks
    mahesh

  • Redundant Transparent ASA between Redundant Routed Links

    Apparently the Security/Compliance team didn't review my network design before it was submitted and built, and now I have to shoehorn a firewall somewhere there was never supposed to be one.
    I have my two current DC Cores (Nexus 5548UP), which currently are Layer 3 only, with no L2 configuration at all.  I understand these aren't the best switches for this role, but the BoM was put in place and gear ordered long before I came onboard, and the DC design had been completed.  From these two Cores, I connect directly to a vendor's clustered Fortinet FW, via a /30 from each core to each node of their cluster, connected via eBGP, one link with a path prepend, due to the vendor not being able to figure out how to load balance on their firewall.  Due to numerous vendor problems and lack of knowledge, I cannot get them to change their design in a timely manner to meet our timelines, and this has to be up yesterday to be PCI compliant (so our security people say) prior to go-live in 1 week.  The vendor took 3 weeks just to figure out how to aggregate routes to me!
    So I want to drop a transparent pair of firewalls inline on the two links, but due to the Active/Standby limitation of ASAs, I am not sure this will be that easy given the /30 L3 interfaces being used.  Secondly, the lack of L2 between the two upstream cores may be a concern, at least from past experiences.  I know if I was using some other vendor's clustered FW this wouldn't be a problem, but I definitely don't want to join the Dark Side again, nor do I have time to procure any other equipment other than the 5520s I currently have lying around.  Someone please tell me I have overlooked something simple, and the design listed below will be simple to implement!!!!
    Any ideas appreciated!

    Why don't you use this design:
    Connect the vendor cluster directly to the Nexus in a VRF instance, then route traffic to the ASA and then route it back to the Nexus in another VRF instance.
    Regards
    V.

  • How to set up failover in an ORACLE8 OPS environment (TRANSPARENT APPLICATION FAILOVER)

    Product: ORACLE SERVER
    Date written: 2004-08-13
    How to set up failover in an Oracle8 OPS environment
    ========================================
    SCOPE
    In Standard Edition, the Real Application Clusters feature is supported only from 10g (10.1.0) onward.
    Explanation
    In Oracle 7 OPS (SQL*Net v2.3.x or later), failover after a failure was supported by having
    the client reconnect manually. <see bulletin 11033>
    That is the case of using the SQL*Net connect-time failover feature.
    In Oracle 8 and later, however, automatic reconnection became possible,
    that is, run-time failover is possible.
    Every failover that occurs once a connection has been established is
    handled by the Transparent Application Failover code.
    The following is how to set up Oracle 8 TAF (Transparent Application Failover).
    It is done by specifying the following parameters in the tnsnames.ora file.
    1. failover_mode: enables failover at run time.
    2. TYPE (Required): specifies the operation after failover.
    SESSION - when a failover occurs, a new session is reconnected to another instance,
    and all uncommitted work from the previous session is rolled back.
    A select in progress is not continued either.
    SELECT - when a failover occurs, a new session is reconnected to another instance,
    and work in progress such as a long or complex query is continued.
    DML work, however, is rolled back.
    NONE - This is the default. No automatic failover.
    3. METHOD: specifies how to fail over.
    BASIC - on failover, connect again to the backup instance (server).
    PRECONNECT - establish connections to both the primary instance and the backup
    instance in advance, and on failover serve the session through the backup instance.
    ***< Important > PRECONNECT currently requires at least 8.0.5, and
    BASIC is available only in 8.0.6 or 8.1.5.
    4. BACKUP: describes the instance to connect to on failover.
    Specify an alias name from tnsnames.ora.
    Example
    The following is an example tnsnames.ora file.
    < example 1 >
    =========================================================================
    node1.WORLD =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(Host = node1)(Port = 1521))
          (CONNECT_DATA = (SID = SID1)
            (FAILOVER_MODE = (BACKUP = node2)
              (TYPE = SELECT)
              (METHOD = PRECONNECT)))))
    node2.WORLD =
      (DESCRIPTION_LIST =
        (DESCRIPTION =
          (ADDRESS = (PROTOCOL = TCP)(Host = node2)(Port = 1521))
          (CONNECT_DATA = (SID = SID2)
            (FAILOVER_MODE = (BACKUP = node1)
              (TYPE = SELECT)
              (METHOD = PRECONNECT)))))
    ========================================================================
    < test 1 >
    1) Start the instance on each node.
    2) Start the listener on each node.
    node1% lsnrctl start lsnr_node1
    node2% lsnrctl start lsnr_node2
    3) On node1, do the following.
    sqlplus scott/tiger@node1
    SQL> select count(*) from emp;
    COUNT(*)
    14
    4) Shut down the instance on node1 with shutdown abort.
    5) Run the select again in the session from step 3.
    SQL> select count(*) from emp;
    ERROR at line 1:
    ORA-25404: lost instance
    Select again.
    SQL> select count(*) from emp;
    COUNT(*)
    14
    The data is selected correctly through the node2 instance, which shows that
    failover is working properly.
    < example 2 >
    The following adds the SQL*Net connect-time failover feature to
    TAF (Transparent Application Failover).
    ========================================================================
    node1.WORLD =
      (DESCRIPTION_LIST =
        (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(Host = node1)(Port = 1521))
          (CONNECT_DATA = (SID = SID1)(SERVER = SHARED)
            (FAILOVER_MODE = (BACKUP = node2)(TYPE = SESSION)(METHOD = PRECONNECT))))
        (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(Host = node2)(Port = 1521))
          (CONNECT_DATA = (SID = SID2)(SERVER = SHARED)
            (FAILOVER_MODE = (BACKUP = node1)(TYPE = SELECT)(METHOD = PRECONNECT)))))
    node2.WORLD =
      (DESCRIPTION_LIST =
        (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(Host = node2)(Port = 1521))
          (CONNECT_DATA = (SID = SID2)(SERVER = SHARED)
            (FAILOVER_MODE = (BACKUP = node1)(TYPE = SESSION)(METHOD = PRECONNECT))))
        (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(Host = node1)(Port = 1521))
          (CONNECT_DATA = (SID = SID1)(SERVER = SHARED)
            (FAILOVER_MODE = (BACKUP = node2)(TYPE = SELECT)(METHOD = PRECONNECT)))))
    =======================================================================
    < test 2 >
    1) Start the instance on each node.
    2) Start the listener on each node.
    node1% lsnrctl start lsnr_node1
    node2% lsnrctl start lsnr_node2
    3) On node1, do the following.
    sqlplus scott/tiger@node1
    SQL> select count(*) from emp;
    COUNT(*)
    14
    4) Shut down the instance on node1 with shutdown abort.
    5) Run the select again in the session from step 3.
    It is selected without even an ORA-25404 error.
    SQL> select count(*) from emp;
    COUNT(*)
    14
    The data is selected correctly through the node2 instance, which shows that
    failover is working properly.
    (Note 1) For dedicated server mode, write dedicated instead of shared.
    Of course, if MTS is not configured in initSID.ora and the server option in tnsnames.ora
    is not used, dedicated mode is used by default.
    (Note 2) When using example 1, automatic failover does not take place when
    reconnecting after the session has ended.
    Reference Documents
    Oracle8 Parallel Server Concepts & Administration manual
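
    A small parser for the tnsnames.ora entries in examples 1 and 2, added here as an example; it is editor's code, not Oracle's resolver and not part of the note above. It tokenises the parenthesised syntax, rejects an entry whose parentheses do not balance (which is how a FAILOVER_MODE clause silently disappears when a closing parenthesis is dropped), and then pulls TYPE, METHOD and BACKUP out of every DESCRIPTION so the settings in a file can be reviewed before a failover test. The validation rules are assumptions stated in the code: TYPE must be SESSION, SELECT or NONE; METHOD must be BASIC or PRECONNECT; PRECONNECT needs a BACKUP; and a BACKUP must name another alias in the same file, matched with or without the default domain (node2 against node2.WORLD). The tnsnames text embedded in the block is constructed, following example 1.

```python
import re

# Constructed tnsnames.ora text (example input written for this note, not a
# file from the original post); aliases, hosts and SIDs follow example 1 above.
SAMPLE_TNSNAMES = """\
node1.WORLD =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(Host = node1)(Port = 1521))
      (CONNECT_DATA = (SID = SID1)
        (FAILOVER_MODE = (BACKUP = node2)(TYPE = SELECT)(METHOD = PRECONNECT)))))
node2.WORLD =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(Host = node2)(Port = 1521))
      (CONNECT_DATA = (SID = SID2)
        (FAILOVER_MODE = (BACKUP = node1)(TYPE = SELECT)(METHOD = BASIC)))))
"""

# Tokens of the tnsnames syntax: parentheses, '=', and bare words.
_TOKEN = re.compile(r'\(|\)|=|[^\s()=]+')

def _parse_group(tokens, i):
    """Parse a run of '(KEY = value)' groups starting at tokens[i].

    Returns ({KEY: [value, ...]}, index after the last group). A value is a
    bare string or a nested dict; repeated keys (several DESCRIPTION entries
    in one DESCRIPTION_LIST) accumulate in the list. A missing ')' raises
    ValueError instead of silently truncating the clause.
    """
    node = {}
    while i < len(tokens) and tokens[i] == '(':
        if i + 3 >= len(tokens) or tokens[i + 2] != '=':
            raise ValueError(f"expected '(KEY = ...' at token {i}")
        key = tokens[i + 1].upper()
        if tokens[i + 3] == '(':
            value, i = _parse_group(tokens, i + 3)
        else:
            value, i = tokens[i + 3], i + 4
        if i >= len(tokens) or tokens[i] != ')':
            raise ValueError(f"unbalanced parentheses: ({key} ...) is never closed")
        node.setdefault(key, []).append(value)
        i += 1
    return node, i

def parse_tnsnames(text):
    """Return {alias: parsed tree} for every 'ALIAS = (...)' entry in text."""
    tokens = _TOKEN.findall(text)
    aliases, i = {}, 0
    while i < len(tokens):
        if i + 2 >= len(tokens) or tokens[i + 1] != '=' or tokens[i + 2] != '(':
            raise ValueError(f"expected 'ALIAS = (' at token {i}: {tokens[i]!r}")
        alias = tokens[i]
        aliases[alias], i = _parse_group(tokens, i + 2)
    return aliases

def _descriptions(tree):
    """Yield each DESCRIPTION node, with or without a DESCRIPTION_LIST wrapper."""
    for dl in tree.get('DESCRIPTION_LIST', []):
        yield from dl.get('DESCRIPTION', [])
    yield from tree.get('DESCRIPTION', [])

def taf_report(text):
    """Collect (TYPE, METHOD, BACKUP) per DESCRIPTION for each alias.

    Returns (settings, problems). The rules applied are assumptions for this
    example: TYPE in SESSION/SELECT/NONE, METHOD in BASIC/PRECONNECT,
    PRECONNECT requires BACKUP, and BACKUP must name an alias in this file
    (matched with or without the default domain, e.g. node2 -> node2.WORLD).
    """
    aliases = parse_tnsnames(text)
    settings, problems = {}, []
    for alias, tree in aliases.items():
        rows = []
        for desc in _descriptions(tree):
            for cd in desc.get('CONNECT_DATA', []):
                for fm in cd.get('FAILOVER_MODE', []):
                    typ = fm.get('TYPE', ['NONE'])[0].upper()   # NONE is the default per the note
                    method = fm.get('METHOD', [None])[0]
                    method = method.upper() if method else None
                    backup = fm.get('BACKUP', [None])[0]
                    rows.append((typ, method, backup))
                    if typ not in ('SESSION', 'SELECT', 'NONE'):
                        problems.append(f"{alias}: unknown TYPE {typ}")
                    if method not in (None, 'BASIC', 'PRECONNECT'):
                        problems.append(f"{alias}: unknown METHOD {method}")
                    if method == 'PRECONNECT' and not backup:
                        problems.append(f"{alias}: METHOD=PRECONNECT needs a BACKUP alias")
                    if backup and not any(a == backup or a.split('.')[0] == backup
                                          for a in aliases):
                        problems.append(f"{alias}: BACKUP {backup} is not defined here")
        settings[alias] = rows
    return settings, problems

if __name__ == '__main__':
    found, issues = taf_report(SAMPLE_TNSNAMES)
    for alias, rows in found.items():
        print(alias, rows)
    print('problems:', issues or 'none')
```

    Run it over the real file before a shutdown-abort test like test 1 above: an entry whose FAILOVER_MODE clause was lost to a missing parenthesis shows up as an error from the parser, not as a silently non-failing-over session.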

    Hi,
    Many thanks for your inputs. I created 2 non-default listeners, LISTENER_ORCL1 and LISTENER_ORCL2, on each node respectively.
    I was able to set LISTENER_ORCL as the remote listener. But for some reason, the local_listener does not get set. The statement is executed successfully but there are no changes in the parameters and the TAF setup does not work. I initially had the default port number of 1521 for the listener but then changed it to 1522 (to test if it had something to do with the default port no.) but still no success.
    SQL> show parameters listener
    NAME                      TYPE     VALUE
    local_listener            string
    mts_listener_address      string
    mts_multiple_listeners    boolean  FALSE
    remote_listener           string   LISTENER_ORCL
    SQL> alter system set local_listener='LISTENER_ORCL1' SCOPE=BOTH SID='ORCL1';
    System altered.
    SQL> alter system set local_listener='LISTENER_ORCL2' SCOPE=BOTH SID='ORCL2';
    System altered.
    SQL> show parameters listener
    NAME                      TYPE     VALUE
    local_listener            string
    mts_listener_address      string
    mts_multiple_listeners    boolean  FALSE
    remote_listener           string   LISTENER_ORCL
    Help please!!!

  • Unable to establish OSPFv3 neighbors through transparent ASA

    I have 2 devices running IPv6 with an ASA ver 8.4(2) in transparent mode with multiple contexts in between them.  I can IPv6 ping the devices through the ASA but cannot get the 2 devices to establish OSPFv3 adjacency.  They are able to establish adjacency with IPv4 OSPF.  When running debug ipv6 ospf hello I see each of the devices sending hellos but not receiving them from the device on the other side of the ASA. I notice that the hellos are coming from the link-local addresses and not the unique global addresses that I applied to the interfaces. If I connect a device directly to one of the devices I can establish OSPFv3 adjacency without a problem.
    Any thoughts?
    Bob

    Bob,
    It is expected that OSPF/EIGRP etc. use link-local rather than unique global ;-)
    Regarding the problem.
    - please enable
    logging buffered informational
    logging buffer-size 1000000
    - and an ASP drop capture.
    capture ASP type asp-drop all
    Try establishing the adjacency and check
    show logging
    show capture ASP
    I would also try establishing the adjacency without multicast (a point-to-multipoint network should allow this).
    Marcin
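
    Once `logging buffered informational` is on, the buffer fills with %ASA-4-106023 "Deny ... by access-group" lines, and the fastest way to see what the ACLs are actually dropping is to count them. The following is an added example (editor's code, not from any poster and not a Cisco tool) that parses those lines, including IPv6 endpoints and non-TCP/UDP protocols such as the OSPF hellos discussed here, and summarises them by ingress interface, ACL, protocol and destination port. It also isolates DHCP server-to-client traffic (udp 67 to 68) by server and client address, which is the view the earlier DHCP thread needed: a unicast OFFER or ACK to the client's address has a different destination than 255.255.255.255. The syslog lines inside the block are constructed in the documented 106023 shape; interface and ACL names follow the 5505 configuration above.

```python
import re
from collections import Counter

# Constructed syslog lines (not captured from any poster's ASA), written in
# the documented %ASA-4-106023 shape. Interface and ACL names follow the
# 5505 configuration in the DHCP thread above; addresses are illustrative.
SAMPLE_LOG = """\
%ASA-4-106023: Deny udp src Outside:192.168.20.3/67 dst inside:192.168.20.77/68 by access-group "Outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny udp src Outside:192.168.20.3/67 dst inside:192.168.20.77/68 by access-group "Outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny tcp src Outside:203.0.113.9/51515 dst inside:192.168.20.10/22 by access-group "Outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny protocol 89 src Outside:fe80::1 dst inside:ff02::5 by access-group "Outside_access_in" [0x0, 0x0]
%ASA-6-302015: Built inbound UDP connection 7 for Outside:192.168.20.3/67 (192.168.20.3/67) to inside:255.255.255.255/68 (255.255.255.255/68)
""".splitlines()

# 'Deny udp src IF:ADDR/PORT dst IF:ADDR/PORT by access-group "ACL"', with an
# optional 'protocol N' form and an optional '(type T, code C)' for ICMP.
_DENY = re.compile(
    r'%ASA-4-106023: Deny (?:protocol )?(?P<proto>\S+) '
    r'src (?P<sif>[^:\s]+):(?P<src>\S+) dst (?P<dif>[^:\s]+):(?P<dst>\S+)'
    r'(?: \(type (?P<itype>\d+), code (?P<icode>\d+)\))?'
    r' by access-group "(?P<acl>[^"]+)"')

def _split_port(endpoint):
    """'192.168.20.3/67' -> ('192.168.20.3', 67); 'fe80::1' -> ('fe80::1', None).
    Splitting on the last '/' keeps IPv6 colons out of the way."""
    addr, sep, port = endpoint.rpartition('/')
    if sep and port.isdigit():
        return addr, int(port)
    return endpoint, None

def parse_denies(lines):
    """Return one dict per 106023 line; other syslog IDs are ignored."""
    out = []
    for line in lines:
        m = _DENY.search(line)
        if not m:
            continue
        src, sport = _split_port(m['src'])
        dst, dport = _split_port(m['dst'])
        out.append({'proto': m['proto'], 'in_if': m['sif'], 'src': src, 'sport': sport,
                    'out_if': m['dif'], 'dst': dst, 'dport': dport, 'acl': m['acl']})
    return out

def summarize(lines):
    """Count denies per (ingress interface, ACL, protocol, destination port)."""
    counts = Counter()
    for d in parse_denies(lines):
        counts[(d['in_if'], d['acl'], d['proto'], d['dport'])] += 1
    return counts

def dhcp_replies_denied(lines):
    """DHCP server-to-client traffic (udp 67 -> 68) the ACL dropped, keyed by
    (server, client) address. A unicast OFFER/ACK to the client's address is a
    different destination than 255.255.255.255, which a broadcast-only permit
    does not cover."""
    counts = Counter()
    for d in parse_denies(lines):
        if d['proto'] == 'udp' and d['sport'] == 67 and d['dport'] == 68:
            counts[(d['src'], d['dst'])] += 1
    return counts

if __name__ == '__main__':
    for key, n in summarize(SAMPLE_LOG).most_common():
        print(n, key)
    print('dhcp replies denied:', dict(dhcp_replies_denied(SAMPLE_LOG)))
```

    Paste the output of `show logging` into a file and pass its lines to `summarize`; a deny keyed on the outside interface with the OSPF protocol number or a multicast destination is what to look for in the OSPFv3 case, and a non-empty `dhcp_replies_denied` result in the DHCP case names the client whose reply was dropped.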

  • Transparent ASA

    Dears,
    I would like to implement the design below, and I'm wondering if it is going to be valid.
    PC(Access vlan 10)-----------SWITCH(SVI Vlan 10 , Vlan 20)------Trunk-------Bridge group 1-----ASA(Transparent)--Bridge group 1-------Trunk----Switch(SVI vlan 10 , Vlan 20)----------------PC(Vlan20)
    I want traffic going from the PC in vlan 10 to reach the PC in vlan 20 and at the same time be inspected by the transparent firewall ASA. I have read in many documents that the 2 interfaces of the firewall should be in different VLANs, but in my case I would like to have both interfaces of the ASA as trunks and not assigned to a particular VLAN. Is this doable??
    Thanks

    A transparent firewall, is a Layer 2 firewall that acts like a "bump in the wire," or a "stealth firewall," and is not seen as a router hop to connected devices. The ASA connects the same network on its inside and outside interfaces.
    Each directly connected network must be on the same subnet.
    Refer to this document.
    HTH
    "Please rate helpful posts"

  • Transparent ASA and MAC Addresses

    Experts,
        I’ve recently installed a pair of 5525Xs in transparent mode to protect some internal segments.  In reading about transparent mode I thought I read that the ASA will “proxy” the connection when going from the Layer 3 side (North) to the actual physical South side host.  For an “Outside/North” host (vlan 700) to talk to an “Inside/South” host (vlan 800) the ASA will pass its MAC address to the outside host (or gateway) as the destination to send the packet to.  Prior to building this infrastructure I thought I would see all ARP entries on the Layer 3 (North) side have the MAC address of the ASA interface for all protected hosts.  I do not see that on the SVI interface but do see the real MAC address of the “South” side protected machine. When looking on a protected machine I do see the default-gateway ARP entry to be the actual MAC address of the SVI on the switch and not the MAC address of the ASA, which I thought would be the case as well.   Everything is working as advertised (or so I think) as removing or adding ACLs does limit or allow traffic, so it appears to be working.  I’m just checking that my initial assumption of the MAC address of the ASA being on every ARP entry was/is incorrect. From what I can tell the ASA passes the MAC addresses from each side of the bridge-group to the other.
    Thanks,
    Ken

    Hi Ken
    Yes, this is correct. In transparent mode, the ASA is effectively a passive device in this perspective. The devices on either side of the ASA will see the "real" MAC addresses.
    Note this behaviour will change if you configure NAT on the ASA.
    HTH.
    Barry Hesk
    Intrinsic Network Solutions

  • Transparent ASA BPDU issue

    Hi All
    Hopefully someone will be able to help. I have an ASA running 8.4 in multi-context transparent mode.
    The problem I am seeing is that it is passing BPDUs (I see this is expected in this mode), which is making the network converge.
    Which is the best way to stop this? I had thought of an ACL on the ASA but I think you can have only 1 type.
    Many thanks MJ

    You are right, you cannot mix different types of access lists.
    Here is what I can think as a workaround to achieve your requirement.
    >>Try creating a different access-list to block BPDU and apply it on different interface.
    For eg:
    Say you have two acl:
    access-list 1 ethertype deny bpdu
    access-list 1 ethertype permit any
    access-list 2 extended permit ip any any
    >>you can apply acl 1 at one interface to block bpdu
    >>and acl 2 on the other interface to filter other traffic.
    So, by doing this you will be inspecting the same traffic flow at two different interfaces with different types of ACLs.
    Hope it helps!!

  • Smart call-home setup in ASA with contexts

    Hello,
    I have a problem configuring the Smart Call Home service in an ASA 5500 with contexts.
    The DNS config is available in the contexts, however the service is enabled in the system context. 
    At the moment, following all of Cisco's documentation, it seems it doesn't work. 
    Any suggestion?
    Thanks.
    Notis

    Let's separate what the Cisco back-end can process and what the end device can do.  What your document above indicates is, "What call home messages can the Cisco backend evaluate, and what processed call home messages will raise a TAC case automatically?" The Call Home process on the end device sends Call Home messages to the Cisco backend (aka Smart Call Home) from many sources or triggers. When it says "Alarm type" in the document, it means the source or trigger for the Call Home message.
    But the ASA supports adding syslog matching patterns to the syslog alert group. It still triggers the same call home message containing "show log" and "show inventory". You can also rate limit the call home messages triggered via syslog with the rate-limit command.
    subscribe-to-alert-group syslog [severity {catastrophic | disaster | fatal | critical | major | minor | warning | notification | normal | debugging} [pattern string]]
    Remember that a profile specifies the transport method and alert group selection, and that multiple profiles can be configured on the device at the same time.
    When you want human-readable call home messages, you use the long text message format in the profile. On the other hand, the Cisco backend requires Call Home messages in a certain format (XML), hence the CiscoTAC-1 restrictive profile. Typically people will copy the CiscoTAC-1 profile into a new unrestrictive profile and then add an additional email address besides [email protected] so they, too, can see the "unprocessed" call home messages.
    Of course, after the Cisco backend processes one of these Call Home messages, depending on the Call Home message, it sends a notification email to the admin for the device telling them it processed a message.

  • Transparent ASA 5545X with VLAN trunks

    Hello experts,
    I have a current requirement in that we are to deploy a pair of transparent firewall (active-standby). The active firewall sits between a core switch and an access switch. There is an etherchannel pair (gi0/0 and gi0/1) connecting from the active firewall to the core switch (this interface is named "outside") and a pair of redundant interfaces (gi0/2 and gi0/3) connecting to the access switch (this interface is named "inside").
    The core switch is a VTP master where it holds all the VLANs in the environment. Is it possible to trunk the etherchannel link and the redundant link to allow all VLANs through from the core switch to the access switch and vice versa? Thank you for your time reading this.

    Hi Joe,
    thanks for the much appreciated help on this. Let me try your suggestion on the firewall:
    access-list myethertypes ethertype permit bpdu
    access-list myethertypes ethertype permit 0x8100
    access-list myethertypes ethertype permit 0x2003
    access-group myethertypes in interface outside
    access-group myethertypes in interface inside
    And on switches end:
    vlan dot1q tag native
    Just a quick question, do I need to create VLANs on the firewall or the firewall will just accept the VLAN-tagged frames from the downstream switch, after which it is filtered by firewall policy and forwarded to the upstream switch? 

  • IPsec setup on ASA

    Hi all, can anyone tell me, when creating address pools on my ASA for the IPsec clients, why do they have a mask of 255.255.255.255?

    hi carl
    are you referring to the mask at the client side?
    From my previous experience, though you mention a pool of /24 or any other variant to be used for the remote clients, for the client it's going to be a single IP and it will be used as the gateway IP.
    This is very similar to the IP address assignment process in general dial-ups too.
    regds

  • ASA Routed/Transparent Mode - Advice

    Hi guys,
    I'm looking for some advice regarding the deployment of an ASA. I have two networks separated by a routed link (layer 3 switch to layer 3 switch). I would like to deploy an ASA between the two networks for increased security. I'm leaning toward transparent mode so I don't have to have an additional IP subnetwork configured, and because deployment seems a little 'easier'.
    I would welcome any feedback.
    Thanks.

    Hi,
    So there are 2 networks which are separated by a routed link between the L3 switches? Have you considered simply moving the LAN and link network IP addresses to a Routed Mode ASA's interfaces when inserting it between these networks, or is there something on the L3 switch that prevents this?
    Naturally you can use the ASA in Transparent Mode also. I have not deployed Transparent ASAs as usually the Routed Mode has been required. Even firewalls installed to internal networks (like between factory automation and office networks) have always been in Routed mode.
    Looking at the ASA Configuration Guide the limitations set by the Transparent Mode are not something that would prevent us from using them instead of the current setups. I would imagine that the most important limitation in many setups has usually been the fact that the VPN is not supported in Transparent mode though I guess in your case that would not be a problem.
    The ASA Configuration Guide section on Transparent mode (guidelines/limitations) can be found here:
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/intro-fw.html#pgfId-1501525
    - Jouni

  • QoS in Cisco ASA Transparent

    Guys,
    Can you help me,
    I am confused about why a Cisco ASA in transparent mode can't support QoS. Does a transparent ASA not pass traffic with QoS tagging, or does it pass traffic with QoS tags but not support QoS modification/implementation on the ASA, like traffic shaping and queue management?
    Best Regards,
    Rizal Ferdiyan

    Hi Rizal,
    Packets take a different code path internally when the ASA is in transparent mode versus routed mode and this path does not include QoS support. Your best bet would be to implement this on the switch connected to the ASA, or another device upstream.
    I would also suggest contacting your Cisco account team and asking that a product enhancement request be filed if this is a requirement for you.
    -Mike

  • ASA Transparent Mode Deployment Issue

    Could you please be more specific as to what does not work.  How are you testing, from which IP to which IP is not working? Are you able to ping the switch from the ASA Firewall (not the transparent firewall)?
    Please remember to rate and select a correct answer

    Ok after a little research I think I have found a solution for you ( I am leaving out the policy map configs):
    firewall transparent
    hostname ASA-IPS
    interface GigabitEthernet0/0.20
     vlan 20
     nameif Outside2
     bridge-group 2
     security-level 0
    interface GigabitEthernet0/0.10
     vlan 10
     nameif Outside1
     bridge-group 1
     security-level 0
    interface GigabitEthernet0/1.22
     vlan 22
     nameif Inside2
     bridge-group 2
     security-level 100
    interface GigabitEthernet0/1.11
     vlan 11
     nameif Inside1
     bridge-group 1
     security-level 100
    interface BVI1
     ip address 10.10.10.10 255.255.255.0
    interface BVI2
     ip address 10.10.20.10 255.255.255.0
    access-list inside_acl extended permit ip any any
    access-list outside_acl extended permit ip any any
    access-group outside_acl in interface Outside1
    access-group inside_acl in interface Inside1
    access-group outside_acl in interface Outside2
    access-group inside_acl in interface Inside2
    Also make sure that you amend the VLANs on the switch to correspond to the VLANs on the Transparent ASA.
    Please remember to rate and select a correct answer

  • ASA 55xx in transparent mode - switch ARP table?

    Guys,
    It's a basic question about how transparent mode firewalls communicate with the connecting switches.
    My understanding is that if I separate the LAN, e.g. 10.1.1.x, with a transparent firewall, then it will only "snoop" the traffic and will not change anything in the Ethernet header.
    Is that correct, or will it still replace the MAC address with the firewall's physical interface address to send the frame to the connecting switch?
    e.g.
    client--------->switch------->transparent 5510-------->switch---------->server
    10.1.1.1                                                                                              10.1.1.100
    When the client sends the ARP to look up the hardware address of the server then what will that received back?
    The MAC address of the transparent ASA, or the server?
    Thank you!

    The source MAC address is never changed if the traffic is passing through the same IP subnet (VLAN). Here the firewall is in transparent mode, and if it altered the source MAC address communication would not happen. This is a very fundamental network concept. However, it may recreate the same frame with the same source/destination MAC addresses.
