Setup Transparent ASA
Hi,
I'm trying to get started on setting up my first Transparent ASA.
I understand an ASA in Transparent Mode can now have an ip address with Bridge Groups or some such mechanism. I'm looking for examples of how to set that up and other information below.
Is the ip address associated with the device or is it interface specific? Will I be able to SSH with that ip address setup?
Can I use ASDM if the Transparent ASA has an ip address?
This 5512X has an IPS. Anyone who has set up an IPS on this platform knows it has some very particular requirements in order to communicate with the outside world. I need examples of how to do that with a Transparent ASA.
How is NAT set up differently (if at all) on a Transparent ASA?
Are ACLs done any differently?
Any help is appreciated. Examples or links are great.
Thanks.
You will now use Bridge-Groups...
It's specific to a bridge group (the IP address) and yes, you will be able to SSH, telnet and ASDM to that IP.
NAT and ACL setup is the same thing.
Here is a quick example I did
interface BVI 10
ip address 192.168.12.1 255.255.255.0
no shut
interface GigabitEthernet 0
nameif outside
bridge-group 10
no shut
interface GigabitEthernet 1
nameif inside
bridge-group 10
no shut
Similar Messages
-
PC not getting IP in transparent ASA
Hi everyone,
ASA 505 is connected to layer 3 switch.
ASA is in transparent mode.
Layer 3 switch has SVI Vlan 20 and also it has dhcp server for vlan 20.
PC connected to transparent switch is not able to get the IP address from layer 3 switch.
I have configured the ACL on outside interface of ASA to allow the DHCP reply coming from Switch.
When I assign static IP to PC connected to port eth0/1 of ASA it works fine.
ciscoasa# sh run
: Saved
ASA Version 9.1(1)
firewall transparent
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 20
interface Ethernet0/1
switchport access vlan 13
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
no nameif
no security-level
interface Vlan13
nameif inside
bridge-group 1
security-level 100
interface Vlan20
nameif Outside
bridge-group 1
security-level 0
interface BVI1
ip address 192.168.20.59 255.255.255.0
boot system disk0:/asa911-k8.bin
ftp mode passive
object network Broadcast
host 255.255.255.255
object network Dhcp-Server
host 192.168.20.3
access-list inside_access_in extended permit ip any any
access-list Outside_access_in extended permit udp object Dhcp-Server object Broadcast eq bootpc log
access-list inside_access_in_1 extended permit ip any any
pager lines 24
mtu Outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group Outside_access_in in interface Outside
access-group inside_access_in_1 in interface inside
route Outside 0.0.0.0 0.0.0.0 192.168.20.3 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:cbcb87f40ea45d3bd0b6376e92b5fe8a
: end
ciscoasa# $
ciscoasa#
Thanks
mahesh
Message was edited by: mahesh parmar
Hi Jouni,
It worked great as always.
I got this ASA Security Plus license few days back so trying to learn some concepts in home lab.
Need to understand the reason for these 2 ACLs
1. access-list OUTSIDE-IN permit icmp host any echo
I already have ICMP under global policy so why we use the above ACL?
Also this ACL has a hit count of 0
2. When we allowed ACL to allow BootPC reply from any host to broadcast address then why do we need this second ACL?
access-list OUTSIDE-IN permit udp host 192.168.20.0 255.255.255.0 eq bootpc
This ACL has also a hit count of 0
Thanks
mahesh
Message was edited by: mahesh parmar
-
Redundant Transparent ASA between Redundant Routed Links
Apparently the Security/Compliance team didn't review my network design before it was submitted and built, and now I have to shoehorn a firewall somewhere there was never supposed to be one.
I have my two current DC Cores (Nexus 5548UP), that currently are Layer 3 only, with no L2 configuration at all. I understand these aren't the best switches for this role, but the BoM was put in place and gear ordered, long before I came onboard, and the DC design had been completed. From these two Cores, I connect directly to a vendor's clustered Fortinet FW, via a /30 from each core to each node of their cluster, and connected via eBGP, one link with a path prepend, due to the vendor not able to figure out how to load balance on their firewall. Due to numerous vendor problems, and lack of knowledge, I cannot get them to change their design in a timely manner, to meet our timelines, and this has to be up yesterday to be PCI compliant (so our security people say) prior to go live in 1 week. The vendor took 3 weeks just to figure out how to aggregate routes to me!
So I want to drop a transparent pair of firewalls inline on the two links, but due to the Active/Standby limitation of ASA's, I am not sure this will be that easy given the /30 L3 interfaces being used. Secondly the lack of L2 between the two upstream cores may be a concern, at least from past experiences. I know if I was using some other vendor's clustered FW, this wouldn't be a problem, but I definitely don't want to join the Dark side again, nor do I have time to procure any other equipment other than the 5520's I currently have laying around. Someone please tell me I have overlooked something simple, and the design listed below will be simple to implement!!!!
Any ideas appreciated!
Why don't you use this design:
connect the vendor cluster directly to the Nexus with a VRF instance, then route traffic to the ASA and then route to the Nexus with another VRF instance.
Regards
V. -
How to set up failover in an ORACLE8 OPS environment (TRANSPARENT APPLICATION FAILOVER)
Product: ORACLE SERVER
Date written: 2004-08-13
How to set up failover in an ORACLE8 OPS environment
====================================================
SCOPE
In Standard Edition, the Real Application Clusters feature is supported from 10g (10.1.0) onward.
Explanation
In Oracle 7 OPS (SQL*Net v2.3.x or later), failover after a failure was supported by having
the client reconnect manually. <see bulletin 11033>
That is the case of using the SQL*Net connection-time failover feature.
In Oracle 8 and later, however, automatic reconnection became possible;
that is, run-time failover is possible.
Every failover that occurs after a connection has been established is
handled by the Transparent Application Failover code.
The following is how to set up Oracle 8 TAF (Transparent Application Failover).
It is done by specifying the following parameters in the tnsnames.ora file.
1. FAILOVER_MODE: enables failover at run time.
2. TYPE (Required): specifies the operation after failover.
SESSION - on failover, a new session is reconnected to another instance
and all uncommitted work from the previous session is rolled back.
A SELECT in progress is not continued either.
SELECT - on failover, a new session is reconnected to another instance,
and work in progress such as a long or complex query is continued.
DML work, however, is rolled back.
NONE - This is the default. No automatic failover.
3. METHOD: specifies how to fail over.
BASIC - on failover, reconnect to the backup instance (server).
PRECONNECT - connections are established to both the primary instance and
the backup instance in advance, and on failover service is provided
through the backup instance.
***< Important > Currently PRECONNECT requires at least 8.0.5, and
BASIC is only available in 8.0.6 or 8.1.5.
4. BACKUP: describes the instance to connect to on failover.
Specify the alias name from tnsnames.ora.
Example
The following is an example tnsnames.ora file.
< example 1 >
=========================================================================
node1.WORLD =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(Host = node1)(Port = 1521))
(CONNECT_DATA = (SID = SID1)
(FAILOVER_MODE = (BACKUP = node2)
(TYPE = SELECT)
(METHOD = PRECONNECT)))))
node2.WORLD =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(Host = node2)(Port = 1521))
(CONNECT_DATA = (SID = SID2)
(FAILOVER_MODE = (BACKUP = node1)
(TYPE = SELECT)
(METHOD = PRECONNECT)))))
========================================================================
< test 1 >
1) Start the instance on each node.
2) Start the listener on each node.
node1% lsnrctl start lsnr_node1
node2% lsnrctl start lsnr_node2
3) On node1, do the following.
sqlplus scott/tiger@node1
SQL> select count(*) from emp;
COUNT(*)
14
4) Shut down the instance on node1 with shutdown abort.
5) Run the select again in the session from step 3.
SQL> select count(*) from emp;
ERROR at line 1:
ORA-25404: lost instance
Select again.
SQL> select count(*) from emp;
COUNT(*)
14
The data is selected correctly through the node2 instance, which shows that
failover is working properly.
< example 2 >
The following is the case where the SQL*Net connection-time failover feature
is added to TAF (Transparent Application Failover).
========================================================================
node1.WORLD =
(DESCRIPTION_LIST =
(DESCRIPTION = (ADDRESS = (PROTOCOL= TCP)(Host= node1)(Port= 1521))
(CONNECT_DATA =(SID = SID1)(SERVER=SHARED)
(FAILOVER_MODE = (BACKUP = node2)(TYPE=SESSION)(METHOD=PRECONNECT))))
(DESCRIPTION =(ADDRESS = (PROTOCOL= TCP)(Host= node2)(Port= 1521))
(CONNECT_DATA =(SID = SID2)(SERVER=SHARED)
(FAILOVER_MODE = (BACKUP = node1)(TYPE=SELECT)(METHOD=PRECONNECT))))
)
node2.WORLD =
(DESCRIPTION_LIST =
(DESCRIPTION =(ADDRESS = (PROTOCOL= TCP)(Host= node2)(Port= 1521))
(CONNECT_DATA =(SID = SID2)(SERVER=SHARED)
(FAILOVER_MODE = (BACKUP = node1)(TYPE=SESSION)(METHOD=PRECONNECT))))
(DESCRIPTION = (ADDRESS = (PROTOCOL= TCP)(Host= node1)(Port= 1521))
(CONNECT_DATA = (SID = SID1)(SERVER=SHARED)
(FAILOVER_MODE = (BACKUP = node2)(TYPE=SELECT)(METHOD=PRECONNECT))))
)
=======================================================================
< test 2 >
1) Start the instance on each node.
2) Start the listener on each node.
node1% lsnrctl start lsnr_node1
node2% lsnrctl start lsnr_node2
3) On node1, do the following.
sqlplus scott/tiger@node1
SQL> select count(*) from emp;
COUNT(*)
14
4) Shut down the instance on node1 with shutdown abort.
5) Run the select again in the session from step 3.
The select succeeds without even an ORA-25404 error.
SQL> select count(*) from emp;
COUNT(*)
14
The data is selected correctly through the node2 instance, which shows that
failover is working properly.
(Note 1) For dedicated mode, specify DEDICATED instead of SHARED.
Of course, if MTS is not configured in initSID.ora and the SERVER option in
tnsnames.ora is not used, dedicated mode is used by default.
(Note 2) When example 1 is used, automatic failover does not take place when
reconnecting after the session has ended.
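As an added example (not part of the bulletin above), here is a small Python parser for the parenthesised tnsnames.ora syntax that extracts every FAILOVER_MODE block and checks it against the rules stated above: TYPE must be SESSION, SELECT or NONE (NONE meaning no automatic failover), METHOD must be BASIC or PRECONNECT, and BACKUP must name an alias that actually exists in the same file. The sample file is constructed from the two example 1 aliases plus one deliberately broken alias; matching "node2" against "NODE2.WORLD" assumes a default domain of WORLD.

```python
"""Parse tnsnames.ora and check the TAF (FAILOVER_MODE) settings of each alias.

Added example, not from the bulletin: a minimal parser for the
(KEY = VALUE) syntax plus a checker for the TAF parameters it describes.
The sample file below is constructed for this example.
"""

VALID_TYPE = {"SESSION", "SELECT", "NONE"}
VALID_METHOD = {"BASIC", "PRECONNECT"}

SAMPLE_TNSNAMES = """\
# constructed sample: the two example 1 aliases plus one broken alias
node1.WORLD =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(Host = node1)(Port = 1521))
      (CONNECT_DATA = (SID = SID1)
        (FAILOVER_MODE = (BACKUP = node2)(TYPE = SELECT)(METHOD = PRECONNECT)))))
node2.WORLD =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(Host = node2)(Port = 1521))
      (CONNECT_DATA = (SID = SID2)
        (FAILOVER_MODE = (BACKUP = node1)(TYPE = SELECT)(METHOD = PRECONNECT)))))
bad.WORLD =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(Host = node9)(Port = 1521))
    (CONNECT_DATA = (SID = SID9)
      (FAILOVER_MODE = (BACKUP = node9)(TYPE = SELECTS))))
"""


def _skip(text, i):
    """Advance i past whitespace."""
    while i < len(text) and text[i] in " \t\r\n":
        i += 1
    return i


def _parse_value(text, i):
    """Parse a bare token or a run of (KEY = VALUE) groups starting at text[i].
    Returns (str | list of (KEY, value), index after the parsed value)."""
    i = _skip(text, i)
    if i >= len(text) or text[i] != "(":
        j = i
        while j < len(text) and text[j] not in "()":
            j += 1
        return text[i:j].strip(), j
    groups = []
    while i < len(text) and text[i] == "(":
        eq = text.index("=", i)
        key = text[i + 1:eq].strip().upper()
        value, i = _parse_value(text, eq + 1)
        i = _skip(text, i)
        if i >= len(text) or text[i] != ")":
            raise ValueError(f"unbalanced parentheses near offset {i}")
        groups.append((key, value))
        i = _skip(text, i + 1)
    return groups, i


def parse_tnsnames(text):
    """Return {ALIAS: parsed group tree}; '#' comment lines are ignored."""
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    aliases, i = {}, 0
    while True:
        i = _skip(text, i)
        if i >= len(text):
            return aliases
        eq = text.index("=", i)
        alias = text[i:eq].strip().upper()
        aliases[alias], i = _parse_value(text, eq + 1)


def _find(tree, key):
    """Yield the value of every KEY entry anywhere in a parsed tree."""
    if isinstance(tree, list):
        for k, v in tree:
            if k == key:
                yield v
            yield from _find(v, key)


def _get(groups, key):
    return next((v for k, v in groups if k == key), None)


def check_taf(text):
    """Return {ALIAS: [findings]}; an empty list means the TAF settings are consistent."""
    aliases = parse_tnsnames(text)
    report = {}
    for alias, tree in aliases.items():
        findings = []
        modes = [fm for fm in _find(tree, "FAILOVER_MODE") if isinstance(fm, list)]
        if not modes:
            findings.append("no FAILOVER_MODE: TAF is not enabled for this alias")
        for fm in modes:
            ftype = (_get(fm, "TYPE") or "NONE").upper()      # TYPE defaults to NONE
            method = _get(fm, "METHOD")
            backup = _get(fm, "BACKUP")
            if ftype not in VALID_TYPE:
                findings.append(f"TYPE={ftype} is not one of {sorted(VALID_TYPE)}")
            elif ftype == "NONE":
                findings.append("TYPE=NONE: no automatic failover")
            if method is None:
                findings.append("METHOD not set (BASIC or PRECONNECT)")
            elif method.upper() not in VALID_METHOD:
                findings.append(f"METHOD={method} is not one of {sorted(VALID_METHOD)}")
            if method and method.upper() == "PRECONNECT" and backup is None:
                findings.append("METHOD=PRECONNECT needs a BACKUP alias")
            # Accept 'node2' for alias 'NODE2.WORLD' (assumes a default domain of WORLD).
            elif backup and not any(a == backup.upper() or a.startswith(backup.upper() + ".")
                                    for a in aliases):
                findings.append(f"BACKUP={backup} is not an alias in this file")
        report[alias] = findings
    return report


if __name__ == "__main__":
    for alias, findings in check_taf(SAMPLE_TNSNAMES).items():
        print(alias, findings or "OK")
```

The checker deliberately does not assume a default for METHOD, since the bulletin states a default only for TYPE; a missing METHOD is reported so the operator sets it explicitly.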
Reference Documents
Oracle8 Parallel Server Concepts & Administration manual
Hi,
Many Thanks for your inputs. I created 2 non default listeners LISTENER_ORCL1 and LISTENER_ORCL2 on each node respectively.
I was able to set LISTENER_ORCL as remote listener. But for some reason, the local_listener does not get set. The statement is executed successfully but no changes in the parameters and TAF setup does not work. I initially had the default port number of 1521 for the listener but then changed it to 1522 (to test if it had something to do with default port no) but still no success.
SQL> show parameters listener
NAME TYPE VALUE
local_listener string
mts_listener_address string
mts_multiple_listeners boolean FALSE
remote_listener string LISTENER_ORCL
SQL> alter system set local_listener='LISTENER_ORCL1' SCOPE=BOTH SID='ORCL1';
System altered.
SQL> alter system set local_listener='LISTENER_ORCL2' SCOPE=BOTH SID='ORCL2';
System altered.
SQL> show parameters listener
NAME TYPE VALUE
local_listener string
mts_listener_address string
mts_multiple_listeners boolean FALSE
remote_listener string LISTENER_ORCL
Help Plssssssssssss!!!!!!!!
-
Unable to establish OSPFv3 neighbors through transparent ASA
I have 2 devices running IPv6 with an ASA ver 8.4(2) in transparent mode with multiple contexts in between them. I can ipv6 ping the devices through the ASA but can not get the 2 devices to establish OSPFv3 adjacency. They are able to establish adjacency with ipv4 OSPF. When running debug ipv6 ospf hello I see each of the devices sending hellos but not receiving them from the device on the other side of the ASA. I notice that the hellos are coming from the link local addresses and not the unique global addresses that I applied to the interfaces. If I connect a device directly to one of the devices I can establish OSPFv3 adjacency without a problem.
Any thoughts?
Bob
Bob,
It is expected that OSPF/EIGRP etc use link local rather than unique global ;-)
Regarding the problem.
- please enable
logging buffered info
logging buffer-size 1000000
- and an ASP drop capture.
cap ASP type asp all
Try establishing the adjacency and check
show logg
sh cap ASP
I would also try establishing the adjacency without multicast (point-to-multipoint network should allow this).
Marcin -
Dears,
I would like to implement the design below, and I'm wondering if it's going to be valid.
PC(Access vlan 10)-----------SWITCH(SVI Vlan 10 , Vlan 20)------Trunk-------Bridge group 1-----ASA(Transparent)--Bridge group 1-------Trunk----Switch(SVI vlan 10 , Vlan 20)----------------PC(Vlan20)
I want traffic going from PC vlan 10 to reach PC vlan 20 and at the same time to be inspected by the transparent firewall ASA. I have read in many documents that the 2 interfaces of the firewall should be in different VLANs, but in my case here I would like to have both interfaces of the ASA as trunks and not assigned to a particular VLAN. Is this doable?
Thanks
A transparent firewall is a Layer 2 firewall that acts like a "bump in the wire," or a "stealth firewall," and is not seen as a router hop to connected devices. The ASA connects the same network on its inside and outside interfaces.
Each directly connected network must be on the same subnet.
Refer to this document.
HTH
"Please rate helpful posts" -
Transparent ASA and MAC Addresses
Experts,
I've recently installed a pair of 5525X's in transparent mode to protect some internal segments. In reading about transparent mode I thought I read that the ASA will "proxy" the connection when going from the Layer 3 side (North) to the actual physical South side host. For an "Outside/North" host (vlan 700) to talk to an "Inside/South" host (vlan 800) the ASA will pass its MAC address to the outside host (or gateway) as the destination to send the packet. Prior to building this infrastructure I thought I would see all ARP entries on the Layer 3 (North) side to have a MAC address of the interface of the ASA for all protected hosts. I do not see that on the SVI interface but do see the real MAC address of the "South" side protected machine. When looking on a protected machine I do see the default-gateway ARP entry to be the actual MAC address of the SVI on the switch and not the MAC address of the ASA which I thought would be the case as well. Everything is working as advertised (or so I think) as removing or adding ACLs does limit or allow traffic so it appears to be working. I'm just checking that my initial assumption of the MAC address of the ASA being on every ARP entry was/is incorrect. From what I can tell the ASA passes the MAC addresses from each side of the bridge-group to the other.
Thanks,
Ken
Hi Ken
Yes, this is correct. In transparent mode, the ASA is effectively a passive device in this perspective. The devices on either side of the ASA will see the "real" MAC addresses.
Note this behaviour will change if you configure NAT on the ASA.
HTH.
Barry Hesk
Intrinsic Network Solutions -
Hi All
Hopefully someone will be able to help, I have an ASA running 8.4 in Multi-context transparent mode.
The problem I am seeing is that it is passing BPDUs (I see this is expected in this mode), which is making the network converge.
Which is the best way to stop this? I had thought an ACL on the ASA, but I think you can have only 1 type.
Many thanks MJ
You are right, you cannot mix different types of access lists.
Here is what I can think as a workaround to achieve your requirement.
>>Try creating a different access-list to block BPDU and apply it on different interface.
For eg:
Say you have two acl:
access-list 1 ethertype deny bpdu
access-list 1 ethertype permit any
access-list 2 extended permit ip any any
>>you can apply acl 1 at one interface to block bpdu
>>and acl 2 on the other interface to filter other traffic.
So, by doing this you will be inspecting the same traffic flow at two different interfaces by different types of ACLs.
Hope it helps!!
-
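The two ACL questions on this page, the DHCP-reply ACL in mahesh's transparent ASA thread and the EtherType-ACL-on-one-interface workaround for BPDUs just above, can both be reasoned about with a first-match ACL evaluator. The following Python block is an added example (not code from either thread): it parses ASA-style extended and EtherType access lists and traces constructed frames through the ACL bound on their ingress interface. The object names Dhcp-Server and Broadcast and the first Outside_access_in line come from mahesh's config; the second line is my reading of the subnet ACL he asks about, written in valid syntax, and is an assumption. The model is deliberately narrow: every ACL is evaluated first match wins with an implicit deny at the end, extended ACLs see IP frames, EtherType ACLs see non-IP frames, and an interface with no ACL of the relevant type bound is reported as such rather than guessing the ASA's default.

```python
"""Trace constructed frames through the inbound ACLs of a transparent ASA bridge group.

Added example, not code from the threads above. The ASA behaviour modelled is
first-match evaluation with an implicit deny per bound ACL; extended ACLs are
consulted for IP frames and EtherType ACLs for non-IP frames. Config lines and
frames below are constructed for this example.
"""
from ipaddress import ip_address, ip_network

PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}

# Object names are taken from the DHCP thread's config; addresses are the same.
OBJECTS = {"Dhcp-Server": "192.168.20.3/32", "Broadcast": "255.255.255.255/32"}

CONFIG = [
    "access-list Outside_access_in extended permit udp object Dhcp-Server object Broadcast eq bootpc",
    # assumed reading of the subnet ACL mahesh asked about, in valid syntax
    "access-list Outside_access_in extended permit udp object Dhcp-Server 192.168.20.0 255.255.255.0 eq bootpc",
    "access-list inside_access_in extended permit ip any any",
    "access-list NO-BPDU ethertype deny bpdu",
    "access-list NO-BPDU ethertype permit any",
]

# Which ACL of each type is bound inbound on each interface.
BINDINGS = {
    "Outside": {"extended": "Outside_access_in", "ethertype": "NO-BPDU"},
    "inside": {"extended": "inside_access_in"},
}


def _addr(tok, i, objects):
    """Parse one ASA address spec starting at tok[i]; return (network, next index)."""
    t = tok[i]
    if t == "any":
        return ip_network("0.0.0.0/0"), i + 1
    if t == "host":
        return ip_network(tok[i + 1] + "/32"), i + 2
    if t == "object":
        return ip_network(objects[tok[i + 1]]), i + 2
    return ip_network(f"{t}/{tok[i + 1]}"), i + 2          # "network mask" form


def parse_acls(config_lines, objects):
    """Group 'access-list NAME extended|ethertype ...' lines into rule lists."""
    acls = {}
    for line in config_lines:
        tok = line.split()
        if len(tok) < 5 or tok[0] != "access-list":
            continue
        name, kind = tok[1], tok[2]
        rules = acls.setdefault(name, {"kind": kind, "rules": []})["rules"]
        if kind == "ethertype":
            rules.append({"action": tok[3], "ethertype": tok[4]})
            continue
        src, i = _addr(tok, 5, objects)
        dst, i = _addr(tok, i, objects)
        dport = None
        if i < len(tok) and tok[i] == "eq":
            dport = PORT_NAMES.get(tok[i + 1]) or int(tok[i + 1])
        rules.append({"action": tok[3], "proto": tok[4], "src": src, "dst": dst, "dport": dport})
    return acls


def evaluate(acl, frame):
    """First match wins; nothing matching means the implicit deny."""
    for r in acl["rules"]:
        if acl["kind"] == "ethertype":
            if r["ethertype"] in ("any", frame["ethertype"]):
                return r["action"]
        elif (r["proto"] in ("ip", frame["proto"])
              and ip_address(frame["src"]) in r["src"]
              and ip_address(frame["dst"]) in r["dst"]
              and (r["dport"] is None or r["dport"] == frame["dport"])):
            return r["action"]
    return "deny (implicit)"


def trace(bindings, acls, frame):
    """Apply the ACL of the right type bound on the frame's ingress interface."""
    kind = "extended" if frame["ethertype"] == "ip" else "ethertype"
    name = bindings.get(frame["ingress"], {}).get(kind)
    if name is None:
        return f"no {kind} ACL bound"
    return evaluate(acls[name], frame)


def verdicts():
    """Run the constructed DHCP exchange and L2 frames; return {label: verdict}."""
    acls = parse_acls(CONFIG, OBJECTS)
    frames = {
        "DISCOVER from client": dict(ingress="inside", ethertype="ip", src="0.0.0.0",
                                     dst="255.255.255.255", proto="udp", dport=67),
        "OFFER to broadcast": dict(ingress="Outside", ethertype="ip", src="192.168.20.3",
                                   dst="255.255.255.255", proto="udp", dport=68),
        # a server may unicast OFFER/ACK to the offered address (broadcast flag clear)
        "OFFER unicast to offered address": dict(ingress="Outside", ethertype="ip", src="192.168.20.3",
                                                 dst="192.168.20.50", proto="udp", dport=68),
        "BPDU entering Outside": dict(ingress="Outside", ethertype="bpdu"),
        "BPDU entering inside": dict(ingress="inside", ethertype="bpdu"),
        "802.1Q tagged frame entering Outside": dict(ingress="Outside", ethertype="0x8100"),
    }
    out = {label: trace(BINDINGS, acls, f) for label, f in frames.items()}
    # Same unicast OFFER against only the broadcast rule: why the subnet line matters.
    broadcast_only = {"kind": "extended", "rules": acls["Outside_access_in"]["rules"][:1]}
    out["OFFER unicast, broadcast-only rule"] = evaluate(broadcast_only, frames["OFFER unicast to offered address"])
    return out


if __name__ == "__main__":
    for label, verdict in verdicts().items():
        print(f"{label:40} {verdict}")
```

The "OFFER unicast, broadcast-only rule" line is the one that answers the hit-count question: while clients are still in DISCOVER/OFFER, replies go to the broadcast address and the subnet rule stays at zero hits; it only matters once a server unicasts to an address it has offered. For the BPDU case the trace shows the ethertype decision on the interface that has NO-BPDU bound and reports the other interface as undecided by any ACL, so the reader can see exactly which interface the workaround covers.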
Smart call-home setup in ASA with contexts
Hello,
I have a problem configuring Smart call home service in an ASA 5500 having contexts.
The DNS config is available on contexts, however the service is enabled to system.
At the moment, following all the cisco's documentations, seems it doesn't work.
Any suggestion?
Thanks.
Notis
Let's separate what the Cisco back-end can process and what the end device can do. What your document above indicates is, "What call home messages can the Cisco backend evaluate, and what processed call home messages will raise a TAC case automatically?" The Call Home process on the end device sends in Call Home messages to the Cisco backend (aka Smart Call Home) from many sources or triggers. When it says "Alarm type" in the document, it means the source or trigger for the Call Home message.
But the ASA supports adding syslog matching patterns to the alert group syslog. But it still triggers the same call home message containing "show log" and "show inventory". You can also rate limit the call home messages triggered via syslog with the rate-limit command.
subscribe-to-alert-group syslog [severity {catastrophic | disaster | fatal | critical | major | minor | warning | notification | normal | debugging} [pattern string]]
Remember that a profile specifies the transport method and alert group selection. And that multiple profiles can be configured on the device at the same time.
When you want human readable call home messages, you use the long text message format in the profile. On the other hand, the Cisco backend requires Call Home messages in a certain format (XML), hence the CiscoTAC-1 restrictive profile.
Typically people will copy the CiscoTAC-1 profile into a new unrestrictive profile and then add an additional email address besides [email protected] so they, too, can see the "unprocessed" call home messages.
Of course, after the Cisco backend processes one of these Call Home messages, depending on the Call Home message, it sends a notification email to the admin for the device telling them it processed a message.
-
Transparent ASA 5545X with VLAN trunks
Hello experts,
I have a current requirement in that we are to deploy a pair of transparent firewall (active-standby). The active firewall sits between a core switch and an access switch. There is an etherchannel pair (gi0/0 and gi0/1) connecting from the active firewall to the core switch (this interface is named "outside") and a pair of redundant interfaces (gi0/2 and gi0/3) connecting to the access switch (this interface is named "inside").
The core switch is a VTP master where it holds all the VLANs in the environment. Is it possible to trunk the etherchannel link and the redundant link to allow all VLANs through from core switch to the access switch and vice versa? Thank you for your time reading this.
Hi Joe,
thanks for the much appreciated help on this. Let me try your suggestion on the firewall:
access-list myethertypes ethertype permit bpdu
access-list myethertypes ethertype permit 0x8100
access-list myethertypes ethertype permit 0x2003
access-group myethertypes in interface outside
access-group myethertypes in interface inside
And on switches end:
vlan dot1q tag native
Just a quick question, do I need to create VLANs on the firewall or will the firewall just accept the VLAN-tagged frames from the downstream switch, after which they are filtered by firewall policy and forwarded to the upstream switch?
-
Hi all, can anyone tell me, when creating address pools on my asa for the ip sec clients, why do they have a mask of 255.255.255.255 ?
Hi Carl,
Are you referring to the mask at the client side?
From my previous experience, though you mention a pool of /24 or any other variant to be used for the remote clients, for the client it's going to be a single IP and will be used as gateway IP.
This is very similar to the IP address assignment process in general dial-ups too.
Regards
-
ASA Routed/Transparent Mode - Advice
Hi guys,
I'm looking for some advice regarding the deployment of an ASA. I have two networks separated by a routed link (layer 3 switch to layer 3 switch). I would like to deploy an ASA between the two networks for increased security. I'm leaning toward transparent mode so I don't have to have an additional IP subnetwork configured, and because deployment seems a little 'easier'.
I would welcome any feedback.
Thanks.
Hi,
So there are 2 networks which are separated by a routed link between the L3 switches? Have you considered simply moving the LAN and link network IP addresses to a Routed Mode ASA's interfaces when inserting it between these networks, or is there something on the L3 switch that prevents this?
Naturally you can use the ASA in Transparent Mode also. I have not deployed Transparent ASAs as usually the Routed Mode has been required. Even firewalls installed to internal networks (like between factory automation and office networks) have always been in Routed mode.
Looking at the ASA Configuration Guide the limitations set by the Transparent Mode are not something that would prevent us from using them instead of the current setups. I would imagine that the most important limitation in many setups has usually been the fact that the VPN is not supported in Transparent mode though I guess in your case that would not be a problem.
The ASA Configuration Guide section on Transparent mode (guidelines/limitations) can be found here:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/intro-fw.html#pgfId-1501525
- Jouni
-
Guys,
Can you help me,
I am confused about why Cisco ASA Transparent can't support QoS. Does a transparent ASA not traverse traffic with QoS tagging, or does it (transparent ASA) traverse traffic with QoS but not support QoS modification/implementation in Cisco like traffic shaping and queue management?
Best Regards,
Rizal Ferdiyan
Hi Rizal,
Packets take a different code path internally when the ASA is in transparent mode versus routed mode and this path does not include QoS support. Your best bet would be to implement this on the switch connected to the ASA, or another device upstream.
I would also suggest contacting your Cisco account team and asking that a product enhancement request be filed if this is a requirement for you.
-Mike
-
ASA Transparent Mode Deployment Issue
Could you please be more specific as to what does not work. How are you testing, from which IP to which IP is not working? Are you able to ping the switch from the ASA Firewall (not the transparent firewall)?
Please remember to rate and select a correct answer
Ok after a little research I think I have found a solution for you (I am leaving out the policy map configs):
firewall transparent
hostname ASA-IPS
interface GigabitEthernet0/0.20
vlan 20
nameif Outside2
bridge-group 2
security-level 0
interface GigabitEthernet0/0.10
vlan 10
nameif Outside1
bridge-group 1
security-level 0
interface GigabitEthernet0/1.22
vlan 22
nameif Inside2
bridge-group 2
security-level 100
interface GigabitEthernet0/1.11
vlan 11
nameif Inside1
bridge-group 1
security-level 100
interface BVI1
ip address 10.10.10.10 255.255.255.0
interface BVI2
ip address 10.10.20.10 255.255.255.0
access-list inside_acl extended permit ip any any
access-list outside_acl extended permit ip any any
access-group outside_acl in interface Outside1
access-group inside_acl in interface Inside1
access-group outside_acl in interface Outside2
access-group inside_acl in interface Inside2
Also make sure that you amend the VLANs on the switch to correspond to the VLANs on the Transparent ASA.
Please remember to rate and select a correct answer
-
ASA 55xx in transparent mode - switch ARP table?
Guys,
It's a basic question about how transparent mode firewalls communicate with the connecting switches.
My understanding is that if I separate the LAN e.g. 10.1.1.x with a transparent firewall then it will only "snoop" the traffic and will not change anything in the Ethernet header.
Is it correct or still will replace the MAC address with the firewall physical interface address to send the frame to the connecting switch?
e.g.
client--------->switch------->transparent 5510-------->switch---------->server
10.1.1.1 10.1.1.100
When the client sends the ARP to look up the hardware address of the server then what will that received back?
The MAC address of the transparent ASA, or the server?
Thank you!
Source MAC address is never changed if the traffic is passing through the same IP subnet (VLAN). Here the firewall is in transparent mode and if it altered the source MAC address, communication would not happen. This is a very fundamental network concept. However it may recreate the same frame with the same source/destination MAC addresses.