Transparent ASA

Dears,
I would like to implement the below design, and I'm wondering if it's going to be valid.
PC(Access vlan 10)-----------SWITCH(SVI Vlan 10 , Vlan 20)------Trunk-------Bridge group 1-----ASA(Transparent)--Bridge group 1-------Trunk----Switch(SVI vlan 10 , Vlan 20)----------------PC(Vlan20)
I want traffic going from the PC in VLAN 10 to reach the PC in VLAN 20 and at the same time be inspected by the transparent ASA. I have read in many documents that the two interfaces of the firewall should be in different VLANs, but in my case I would like to have both interfaces of the ASA as trunks and not assigned to a particular VLAN. Is this doable?
Thanks

A transparent firewall is a Layer 2 firewall that acts like a "bump in the wire" or a "stealth firewall" and is not seen as a router hop by connected devices. The ASA connects the same network on its inside and outside interfaces.
Each directly connected network must be on the same subnet.
Refer to this document.
HTH
"Please rate helpful posts"

Similar Messages

  • Setup Transparent ASA

    Hi,
I'm trying to get started on setting up my first transparent ASA.
I understand an ASA in transparent mode can now have an IP address with bridge groups or some such mechanism. I'm looking for examples of how to set that up and for the other information below.
Is the IP address associated with the device or is it interface specific? Will I be able to SSH with that IP address set up?
Can I use ASDM if the transparent ASA has an IP address?
This 5512-X has an IPS. Anyone who has set up an IPS on this platform knows it has some very particular requirements in order to communicate with the outside world. I need examples of how to do that with a transparent ASA.
How is NAT set up differently (if at all) on a transparent ASA?
Are ACLs done any differently?
Any help is appreciated. Examples or links are great.
Thanks.

You will now use bridge groups...
The IP address is specific to a bridge group, and yes, you will be able to SSH, telnet and ASDM to that IP.
NAT and ACL setup is the same thing.
Here is a quick example I did (each physical interface is configured once; the BVI carries the management address and each member interface gets a nameif and security-level):
interface BVI 10
 ip address 192.168.12.1 255.255.255.0
 no shut
interface gigabitEthernet 0
 nameif outside
 security-level 0
 bridge-group 10
 no shut
interface gigabitEthernet 1
 nameif inside
 security-level 100
 bridge-group 10
 no shut

  • PC not getting IP in transparent ASA

    Hi everyone,
An ASA 5505 is connected to a layer 3 switch.
The ASA is in transparent mode.
The layer 3 switch has SVI VLAN 20 and also has a DHCP server for VLAN 20.
The PC connected to the transparent switch is not able to get an IP address from the layer 3 switch.
I have configured the ACL on the outside interface of the ASA to allow the DHCP reply coming from the switch.
When I assign a static IP to the PC connected to port eth0/1 of the ASA it works fine.
    ciscoasa# sh run
    : Saved
    ASA Version 9.1(1)
    firewall transparent
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    xlate per-session deny tcp any4 any4
    xlate per-session deny tcp any4 any6
    xlate per-session deny tcp any6 any4
    xlate per-session deny tcp any6 any6
    xlate per-session deny udp any4 any4 eq domain
    xlate per-session deny udp any4 any6 eq domain
    xlate per-session deny udp any6 any4 eq domain
    xlate per-session deny udp any6 any6 eq domain
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    interface Ethernet0/0
    switchport access vlan 20
    interface Ethernet0/1
    switchport access vlan 13
    interface Ethernet0/2
    shutdown
    interface Ethernet0/3
    shutdown
    interface Ethernet0/4
    shutdown
    interface Ethernet0/5
    shutdown
    interface Ethernet0/6
    shutdown
    interface Ethernet0/7
    shutdown
    interface Vlan1
    no nameif
    no security-level
    interface Vlan13
    nameif inside
    bridge-group 1
    security-level 100
    interface Vlan20
    nameif Outside
    bridge-group 1
    security-level 0
    interface BVI1
    ip address 192.168.20.59 255.255.255.0
    boot system disk0:/asa911-k8.bin
    ftp mode passive
    object network Broadcast
    host 255.255.255.255
    object network Dhcp-Server
    host 192.168.20.3
    access-list inside_access_in extended permit ip any any
access-list Outside_access_in extended permit udp object Dhcp-Server object Broadcast eq bootpc log
    access-list inside_access_in_1 extended permit ip any any
    pager lines 24
    mtu Outside 1500
    mtu inside 1500
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    asdm image disk0:/asdm-712.bin
    no asdm history enable
    arp timeout 14400
    no arp permit-nonconnected
    access-group Outside_access_in in interface Outside
    access-group inside_access_in_1 in interface inside
    route Outside 0.0.0.0 0.0.0.0 192.168.20.3 1
    timeout xlate 3:00:00
    timeout pat-xlate 0:00:30
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    user-identity default-domain LOCAL
    http server enable
    http 0.0.0.0 0.0.0.0 Outside
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association pmtu-aging infinite
    crypto ca trustpool policy
    telnet timeout 5
    ssh 0.0.0.0 0.0.0.0 Outside
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    class-map inspection_default
    match default-inspection-traffic
    policy-map type inspect dns preset_dns_map
    parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
    class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    call-home reporting anonymous prompt 2
    Cryptochecksum:cbcb87f40ea45d3bd0b6376e92b5fe8a
    : end
    Thanks
    mahesh

Hi Jouni,
It worked great as always.
I got this ASA Security Plus license a few days back, so I am trying to learn some concepts in my home lab.
I need to understand the reason for these 2 ACLs:
1> access-list OUTSIDE-IN permit icmp host any echo
I already have ICMP under the global policy, so why do we use the above ACL?
Also this ACL has a hit count of 0.
2> When we allowed the ACL to allow the BootPC reply from any host to the broadcast address, why do we need this second ACL?
access-list OUTSIDE-IN permit udp host 192.168.20.0 255.255.255.0 eq bootpc
This ACL also has a hit count of 0.
Thanks
mahesh
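The two ACEs the follow-up asks about are easiest to reason about by running candidate packets through the ACL. The evaluator below is an added example, not code from this thread or from Cisco: it parses a subset of ASA extended ACL syntax (any, host, object, network/mask, optional "eq" ports) and returns the first-match decision. The object names and the first ACE are taken from the posted running config; the second ACE and the packets are constructed here. The packets model the detail that decides this case: per RFC 2131 section 4.1 a server answers to 255.255.255.255 only when the client set the BROADCAST flag, otherwise it unicasts the OFFER/ACK to the offered address, so an ACE whose destination is only the broadcast object sees no hits for clients that do not set that flag.

```python
"""Evaluate ASA-style extended ACL lines against DHCP packets (added example)."""
import ipaddress
from dataclasses import dataclass

# Network objects as defined in the posted running config.
OBJECTS = {"Dhcp-Server": "192.168.20.3/32", "Broadcast": "255.255.255.255/32"}
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def _parse_addr(tokens):
    """Consume one address spec: any | host A | object NAME | A MASK."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    if t == "object":
        return ipaddress.ip_network(OBJECTS[tokens.pop(0)])
    return ipaddress.ip_network(f"{t}/{tokens.pop(0)}", strict=False)


def _parse_port(tokens):
    """Consume an optional 'eq PORT' clause; None means any port."""
    if tokens and tokens[0] == "eq":
        tokens.pop(0)
        name = tokens.pop(0)
        return PORT_NAMES[name] if name in PORT_NAMES else int(name)
    return None


def parse_ace(line):
    """Parse 'access-list NAME extended ACTION PROTO SRC [eq P] DST [eq P] [log]'."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or tokens[2] != "extended":
        raise ValueError(f"not an extended ACE: {line}")
    name, action, proto, rest = tokens[1], tokens[3], tokens[4], tokens[5:]
    src, sport = _parse_addr(rest), _parse_port(rest)
    dst, dport = _parse_addr(rest), _parse_port(rest)   # trailing 'log' is ignored
    return {"name": name, "action": action, "proto": proto,
            "src": src, "sport": sport, "dst": dst, "dport": dport}


def match_ace(ace, pkt):
    """True when the packet satisfies every field of the ACE."""
    if ace["proto"] not in ("ip", pkt.proto):
        return False
    if ipaddress.ip_address(pkt.src) not in ace["src"]:
        return False
    if ipaddress.ip_address(pkt.dst) not in ace["dst"]:
        return False
    if ace["sport"] is not None and ace["sport"] != pkt.sport:
        return False
    return ace["dport"] is None or ace["dport"] == pkt.dport


def evaluate(acl_lines, pkt):
    """First match wins; falling off the end is the ACL's implicit deny."""
    for line in acl_lines:
        ace = parse_ace(line)
        if match_ace(ace, pkt):
            return ace["action"]
    return "deny"


# ACE from the posted running config.
POSTED_OUTSIDE_IN = [
    "access-list Outside_access_in extended permit udp object Dhcp-Server object Broadcast eq bootpc log",
]
# Constructed second ACE: the server's unicast OFFER/ACK to the address it is handing out.
WITH_UNICAST_ACE = POSTED_OUTSIDE_IN + [
    "access-list Outside_access_in extended permit udp host 192.168.20.3 eq bootps 192.168.20.0 255.255.255.0 eq bootpc",
]

# Constructed packets arriving on the Outside interface from the DHCP server.
OFFER_BROADCAST = Packet("udp", "192.168.20.3", 67, "255.255.255.255", 68)  # client set BROADCAST flag
OFFER_UNICAST = Packet("udp", "192.168.20.3", 67, "192.168.20.50", 68)      # flag clear: unicast to yiaddr

if __name__ == "__main__":
    for label, acl in (("posted", POSTED_OUTSIDE_IN), ("with unicast ACE", WITH_UNICAST_ACE)):
        print(label, evaluate(acl, OFFER_BROADCAST), evaluate(acl, OFFER_UNICAST))
```

With only the posted ACE the broadcast offer is permitted and the unicast offer falls through to the implicit deny; adding the subnet-wide ACE permits both. The same evaluator can be pointed at any other outside-in flow from the thread to see which line, if any, it hits.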

  • Redundant Transparant ASA between Redundant Routed Links

Apparently the Security/Compliance team didn't review my network design before it was submitted and built, and now I have to shoehorn a firewall somewhere there was never supposed to be one.
I have my two current DC Cores (Nexus 5548UP), that currently are Layer 3 only, with no L2 configuration at all. I understand these aren't the best switches for this role, but the BoM was put in place and gear ordered long before I came onboard, and the DC design had been completed. From these two Cores, I connect directly to a vendor's clustered Fortinet FW, via a /30 from each core to each node of their cluster, and connected via eBGP, one link with a path prepend, due to the vendor not being able to figure out how to load balance on their firewall. Due to numerous vendor problems and lack of knowledge, I cannot get them to change their design in a timely manner to meet our timelines, and this has to be up yesterday to be PCI compliant (so our security people say) prior to go live in 1 week. The vendor took 3 weeks just to figure out how to aggregate routes to me!
So I want to drop a transparent pair of firewalls inline on the two links, but due to the Active/Standby limitation of ASAs, I am not sure this will be that easy given the /30 L3 interfaces being used. Secondly, the lack of L2 between the two upstream cores may be a concern, at least from past experiences. I know if I was using some other vendor's clustered FW this wouldn't be a problem, but I definitely don't want to join the Dark Side again, nor do I have time to procure any other equipment other than the 5520s I currently have lying around. Someone please tell me I have overlooked something simple, and the design listed below will be simple to implement!!!!
    Any ideas appreciated!

Why don't you use this design:
connect the vendor cluster directly to the Nexus with a VRF instance, then route traffic to the ASA and then route to the Nexus with the other VRF instance.
Regards
V.

  • Unable to establish OSPFv3 neighbors through transparent ASA

I have 2 devices running IPv6 with an ASA ver 8.4(2) in transparent mode with multiple contexts in between them. I can IPv6 ping the devices through the ASA but cannot get the 2 devices to establish OSPFv3 adjacency. They are able to establish adjacency with IPv4 OSPF. When running debug ipv6 ospf hello I see each of the devices sending hellos but not receiving them from the device on the other side of the ASA. I notice that the hellos are coming from the link-local addresses and not the unique global addresses that I applied to the interfaces. If I connect a device directly to one of the devices I can establish OSPFv3 adjacency without a problem.
    Any thoughts?
    Bob

Bob,
It is expected that OSPF/EIGRP etc. use link-local rather than unique global addresses ;-)
Regarding the problem:
- please enable
logging buffered informational
logging buffer-size 1000000
- and an ASP drop capture:
capture ASP type asp-drop all
Try establishing the adjacency and check
show logging
show capture ASP
I would also try establishing the adjacency without multicast (a point-to-multipoint network should allow this).
Marcin

  • Transparent ASA and Mac-Address's

Experts,
I've recently installed a pair of 5525-Xs in transparent mode to protect some internal segments. In reading about transparent mode I thought I read that the ASA will "proxy" the connection when going from the Layer 3 side (North) to the actual physical South side host. For an "Outside/North" host (VLAN 700) to talk to an "Inside/South" host (VLAN 800), the ASA will pass its MAC address to the outside host (or gateway) as the destination to send the packet to. Prior to building this infrastructure I thought I would see all ARP entries on the Layer 3 (North) side with the MAC address of the ASA interface for all protected hosts. I do not see that on the SVI interface, but do see the real MAC address of the "South" side protected machine. When looking on a protected machine I do see the default-gateway ARP entry to be the actual MAC address of the SVI on the switch and not the MAC address of the ASA, which I thought would be the case as well. Everything is working as advertised (or so I think), as removing or adding ACLs does limit or allow traffic, so it appears to be working. I'm just checking that my initial assumption of the MAC address of the ASA being on every ARP entry was/is incorrect. From what I can tell the ASA passes the MAC addresses from each side of the bridge-group to the other.
Thanks,
Ken

    Hi Ken
    Yes, this is correct. In transparent mode, the ASA is effectively a passive device in this perspective. The devices on either side of the ASA will see the "real" MAC addresses.
    Note this behaviour will change if you configure NAT on the ASA.
    HTH.
    Barry Hesk
    Intrinsic Network Solutions

  • Transparent ASA BPDU issue

Hi All
Hopefully someone will be able to help. I have an ASA running 8.4 in multi-context transparent mode.
The problem I am seeing is that it is passing BPDUs (I see this is expected in this mode), which is making the network converge.
Which is the best way to stop this? I had thought an ACL on the ASA, but I think you can have only one type.
Many thanks MJ

You are right, you cannot mix different types of access lists on one interface.
Here is what I can think of as a workaround to achieve your requirement.
>> Try creating a different access-list to block BPDUs and apply it on a different interface.
For example, say you have two ACLs:
access-list 1 ethertype deny bpdu
access-list 1 ethertype permit any
access-list 2 extended permit ip any any
>> you can apply ACL 1 on one interface to block BPDUs
>> and ACL 2 on the other interface to filter other traffic.
So, by doing this you will be inspecting the same traffic flow at two different interfaces with different types of ACL.
Hope it helps!!

  • Transparent ASA 5545X with VLAN trunks

Hello experts,
I have a current requirement in that we are to deploy a pair of transparent firewalls (active/standby). The active firewall sits between a core switch and an access switch. There is an EtherChannel pair (gi0/0 and gi0/1) connecting from the active firewall to the core switch (this interface is named "outside") and a pair of redundant interfaces (gi0/2 and gi0/3) connecting to the access switch (this interface is named "inside").
The core switch is the VTP master where it holds all the VLANs in the environment. Is it possible to trunk the EtherChannel link and the redundant link to allow all VLANs through from the core switch to the access switch and vice versa? Thank you for your time reading this.

    Hi Joe,
    thanks for the much appreciated help on this. Let me try your suggestion on the firewall:
    access-list myethertypes ethertype permit bpdu
    access-list myethertypes ethertype permit 0x8100
    access-list myethertypes ethertype permit 0x2003
    access-group myethertypes in interface outside
    access-group myethertypes in interface inside
    And on switches end:
    vlan dot1q tag native
    Just a quick question, do I need to create VLANs on the firewall or the firewall will just accept the VLAN-tagged frames from the downstream switch, after which it is filtered by firewall policy and forwarded to the upstream switch? 
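Both the BPDU thread and the trunk thread above come down to what an EtherType ACL actually matches once 802.1Q tags and 802.3/LLC framing are involved. The following is an added example, not code from either thread or from Cisco: a small frame classifier plus a model of EtherType ACL evaluation. The model's assumptions are stated here and in the comments: the bpdu keyword matches 802.1D STP frames (802.3 length field, LLC DSAP 0x42); a hex entry matches only an Ethernet II type; IPv4 and ARP are never decided by the EtherType ACL (the ASA guide states its implicit deny does not apply to IP or ARP) and are returned as "ip-acl"; anything else unmatched is denied. The sample frames are constructed, not captures. How a given ASA release treats an entry such as 0x8100 from the trunk thread, or SNAP-encapsulated protocols such as VTP (shown here classified as snap:00000c:0x2003 rather than as an Ethernet II type 0x2003), is not modelled and should be checked against the configuration guide for your version.

```python
"""Classify Ethernet frames and run a modelled EtherType ACL over them (added example)."""
import struct

ETH_P_IPV4, ETH_P_ARP, ETH_P_8021Q = 0x0800, 0x0806, 0x8100
LLC_DSAP_STP, LLC_DSAP_SNAP = 0x42, 0xAA
MAX_8023_LENGTH = 0x05DC   # a type/length value at or below this is an 802.3 length


def classify_frame(frame: bytes) -> dict:
    """Return MACs, the 802.1Q VLAN id if tagged, and a protocol 'kind' string.

    kind is 'bpdu' for 802.1D STP (LLC DSAP 0x42), 'snap:<oui>:<pid>' for
    SNAP-encapsulated protocols such as VTP, 'llc:<dsap>' for other 802.3
    frames, or 'eth:<type>' for Ethernet II frames.
    """
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src = frame[:6], frame[6:12]
    vlan = None
    (etype,) = struct.unpack("!H", frame[12:14])
    payload = frame[14:]
    if etype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", frame[14:18])
        vlan = tci & 0x0FFF
        payload = frame[18:]
    if etype <= MAX_8023_LENGTH:
        if len(payload) < 3:
            raise ValueError("truncated LLC header")
        dsap = payload[0]
        if dsap == LLC_DSAP_STP:
            kind = "bpdu"
        elif dsap == LLC_DSAP_SNAP and len(payload) >= 8:
            oui = payload[3:6].hex()
            (pid,) = struct.unpack("!H", payload[6:8])
            kind = f"snap:{oui}:{pid:#06x}"
        else:
            kind = f"llc:{dsap:#04x}"
    else:
        kind = f"eth:{etype:#06x}"
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": vlan, "kind": kind}


def eval_ethertype_acl(acl, info):
    """Modelled EtherType ACL decision (assumptions: see lead-in).

    acl is an ordered list of (action, match); match is 'any', 'bpdu' or an
    Ethernet II type as an int. IPv4 and ARP return 'ip-acl' because the
    extended ACL, not the EtherType ACL, decides them. Unmatched frames hit
    the implicit deny.
    """
    kind = info["kind"]
    if kind in (f"eth:{ETH_P_IPV4:#06x}", f"eth:{ETH_P_ARP:#06x}"):
        return "ip-acl"
    for action, match in acl:
        if match == "any" or match == kind or (
            isinstance(match, int) and kind == f"eth:{match:#06x}"
        ):
            return action
    return "deny"


def _frame(dst, src, body):
    """Build a frame from colon-separated MACs and a body (constructed test data)."""
    return bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", "")) + body


# Constructed sample frames, not captures from the posters' networks.
STP_BPDU = _frame("01:80:c2:00:00:00", "00:11:22:33:44:55",
                  struct.pack("!H", 38) + bytes([0x42, 0x42, 0x03]) + bytes(35))
VTP_SNAP = _frame("01:00:0c:cc:cc:cc", "00:11:22:33:44:55",
                  struct.pack("!H", 50) + bytes([0xAA, 0xAA, 0x03, 0x00, 0x00, 0x0C, 0x20, 0x03]) + bytes(42))
TAGGED_IPV4 = _frame("00:aa:bb:cc:dd:ee", "00:11:22:33:44:55",
                     struct.pack("!HHH", ETH_P_8021Q, 20, ETH_P_IPV4) + bytes(20))   # VLAN 20
LLDP = _frame("01:80:c2:00:00:0e", "00:11:22:33:44:55", struct.pack("!H", 0x88CC) + bytes(20))

# The two ethertype ACLs from the BPDU reply, in this model's notation.
BLOCK_BPDU = [("deny", "bpdu"), ("permit", "any")]
BPDU_ONLY = [("permit", "bpdu")]

if __name__ == "__main__":
    for name, frame in (("stp", STP_BPDU), ("vtp", VTP_SNAP), ("tagged-ip", TAGGED_IPV4), ("lldp", LLDP)):
        info = classify_frame(frame)
        print(name, info["vlan"], info["kind"],
              eval_ethertype_acl(BLOCK_BPDU, info), eval_ethertype_acl(BPDU_ONLY, info))
```

Running it shows the STP frame denied by the first ACL and permitted by the second, the tagged IPv4 frame handed to the extended ACL in both cases with its VLAN id recovered, and the LLDP and VTP frames surviving only because of the trailing permit any; with the bpdu-only ACL they hit the implicit deny, which is the behaviour a trunk-carrying transparent ASA needs to account for.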

  • QoS in Cisco ASA Transparant

Guys,
Can you help me?
I am confused about why the Cisco ASA in transparent mode can't support QoS. Does a transparent ASA not pass traffic with QoS tagging, or does it pass traffic with QoS tags but not support QoS modification/implementation on the ASA, like traffic shaping and queue management?
Best Regards,
Rizal Ferdiyan

    Hi Rizal,
    Packets take a different code path internally when the ASA is in transparent mode versus routed mode and this path does not include QoS support. Your best bet would be to implement this on the switch connected to the ASA, or another device upstream.
    I would also suggest contacting your Cisco account team and asking that a product enhancement request be filed if this is a requirement for you.
    -Mike

  • ASA Routed/Transparent Mode - Advice

    Hi guys,
    I'm looking for some advice regarding the deployment of an ASA. I have two networks separated by a routed link (layer 3 switch to layer 3 switch). I would like to deploy an ASA between the two networks for increased security. I'm leaning toward transparent mode so I don't have to have an additional IP subnetwork configured, and because deployment seems a little 'easier'.
    I would welcome any feedback.
    Thanks.

Hi,
So there are 2 networks which are separated by a routed link between the L3 switches? Have you considered simply moving the LAN and link network IP addresses to a routed-mode ASA's interfaces when inserting it between these networks, or is there something on the L3 switch that prevents this?
Naturally you can use the ASA in transparent mode also. I have not deployed transparent ASAs, as usually routed mode has been required. Even firewalls installed in internal networks (like between factory automation and office networks) have always been in routed mode.
Looking at the ASA Configuration Guide, the limitations set by transparent mode are not something that would prevent us from using them instead of the current setups. I would imagine that the most important limitation in many setups has usually been the fact that VPN is not supported in transparent mode, though I guess in your case that would not be a problem.
    The ASA Configuration Guide section on Transparent mode (guidelines/limitations) can be found here:
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/intro-fw.html#pgfId-1501525
    - Jouni

  • ASA Transparent Mode Deployment Issue

    Could you please be more specific as to what does not work.  How are you testing, from which IP to which IP is not working? Are you able to ping the switch from the ASA Firewall (not the transparent firewall)?
    Please remember to rate and select a correct answer

Ok, after a little research I think I have found a solution for you (I am leaving out the policy map configs):
    firewall transparent
    hostname ASA-IPS
    interface GigabitEthernet0/0.20
    vlan 20
    nameif Outside2
    bridge-group 2
    security-level 0
    interface GigabitEthernet0/0.10
    vlan 10
    nameif Outside1
    bridge-group 1
    security-level 0
    interface GigabitEthernet0/1.22
    vlan 22
    nameif Inside2
    bridge-group 2
    security-level 100
    interface GigabitEthernet0/1.11
    vlan 11
    nameif Inside1
    bridge-group 1
    security-level 100
    interface BVI1
    ip address 10.10.10.10 255.255.255.0
    interface BVI2
    ip address 10.10.20.10 255.255.255.0
    access-list inside_acl extended permit ip any any
    access-list outside_acl extended permit ip any any
    access-group outside_acl in interface Outside1
    access-group inside_acl in interface Inside1
    access-group outside_acl in interface Outside2
    access-group inside_acl in interface Inside2
    Also make sure that you amend the VLANs on the switch to correspond to the VLANs on the Transparent ASA.
    Please remember to rate and select a correct answer
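The layout in the reply above (one subinterface per VLAN on each physical interface, paired into one bridge group per VLAN, with a BVI address per bridge group) is also the supported answer to the question at the top of this page about carrying several VLANs across a transparent ASA without tying the physical interfaces to a VLAN. Checking such a config by eye gets error-prone once there are more than a couple of bridge groups, so here is an added example, not code from this thread or from Cisco: a parser for the interface, BVI and access-group lines of a show running-config, and an audit that flags a VLAN tag reused on the same physical interface, a bridge group with fewer than two members, a member without a nameif or security-level, a bridge group without a BVI address, and a named member with no inbound access-group. The four-members-per-bridge-group limit is an assumption taken from the ASA 8.4+ configuration guide; the sample configs are constructed from the reply above, plus a deliberately broken variant.

```python
"""Audit a transparent-mode ASA config for bridge-group and VLAN layout mistakes (added example)."""
import re
from collections import defaultdict

# Assumed from the ASA 8.4+ configuration guide; check the limits for your release.
MAX_MEMBERS_PER_BRIDGE_GROUP = 4

MEMBER_FIELDS = (
    ("vlan", re.compile(r"vlan (\d+)$"), int),
    ("nameif", re.compile(r"nameif (\S+)$"), str),
    ("bridge_group", re.compile(r"bridge-group (\d+)$"), int),
    ("security_level", re.compile(r"security-level (\d+)$"), int),
)


def parse_asa_config(text):
    """Collect interface, BVI and access-group facts from show-run style text."""
    transparent = False
    interfaces = {}     # interface name -> attributes
    bvis = {}           # bridge-group number -> (ip, mask) or None
    access_groups = {}  # nameif -> ACL bound inbound on that interface
    current = None      # ("if", name) or ("bvi", number) while inside a block
    for raw in text.splitlines():
        line = raw.strip()
        if line == "firewall transparent":
            transparent = True
        elif (m := re.match(r"interface BVI(\d+)$", line, re.IGNORECASE)):
            current = ("bvi", int(m.group(1)))
            bvis.setdefault(current[1], None)
        elif (m := re.match(r"interface (\S+)$", line)):
            current = ("if", m.group(1))
            interfaces[m.group(1)] = {"physical": m.group(1).split(".")[0], "vlan": None,
                                      "nameif": None, "bridge_group": None, "security_level": None}
        elif (m := re.match(r"access-group (\S+) in interface (\S+)$", line)):
            access_groups[m.group(2)] = m.group(1)
            current = None
        elif current and current[0] == "bvi":
            if (m := re.match(r"ip address (\S+) (\S+)$", line)):
                bvis[current[1]] = (m.group(1), m.group(2))
        elif current and current[0] == "if":
            for field, pattern, conv in MEMBER_FIELDS:
                if (m := pattern.match(line)):
                    interfaces[current[1]][field] = conv(m.group(1))
    return transparent, interfaces, bvis, access_groups


def audit_transparent_config(text):
    """Return a list of findings; an empty list means the bridge layout looks sane."""
    transparent, interfaces, bvis, access_groups = parse_asa_config(text)
    findings = []
    if not transparent:
        findings.append("firewall transparent is not set")
    members = defaultdict(list)    # bridge-group -> member interface names
    tag_owner = defaultdict(dict)  # physical interface -> {vlan id: subinterface}
    for name, e in interfaces.items():
        if e["vlan"] is not None:
            owners = tag_owner[e["physical"]]
            if e["vlan"] in owners:
                findings.append(f"{name}: VLAN {e['vlan']} already used by {owners[e['vlan']]} on {e['physical']}")
            else:
                owners[e["vlan"]] = name
        if e["bridge_group"] is None:
            continue   # shutdown ports, switchports and 'no nameif' SVIs are not bridged
        members[e["bridge_group"]].append(name)
        if e["nameif"] is None:
            findings.append(f"{name}: bridge-group member has no nameif")
        elif e["nameif"] not in access_groups:
            findings.append(f"{name} ({e['nameif']}): no inbound access-group, only the security-level default applies")
        if e["security_level"] is None:
            findings.append(f"{name}: no security-level")
    for bg, names in sorted(members.items()):
        if len(names) < 2:
            findings.append(f"bridge-group {bg}: only {len(names)} member, nothing to bridge")
        elif len(names) > MAX_MEMBERS_PER_BRIDGE_GROUP:
            findings.append(f"bridge-group {bg}: {len(names)} members exceeds {MAX_MEMBERS_PER_BRIDGE_GROUP}")
        if bvis.get(bg) is None:
            findings.append(f"bridge-group {bg}: BVI{bg} has no ip address (needed for management and ASA-sourced traffic)")
    for bg in bvis:
        if bg not in members:
            findings.append(f"BVI{bg}: no interface is a member of bridge-group {bg}")
    return findings


def _member(name, vlan, nameif, bg, level):
    return f"interface {name}\n vlan {vlan}\n nameif {nameif}\n bridge-group {bg}\n security-level {level}\n"


# Constructed sample: the per-VLAN layout from the reply above, trimmed to the lines the audit reads.
GOOD_CONFIG = ("firewall transparent\n"
               + _member("GigabitEthernet0/0.10", 10, "Outside1", 1, 0)
               + _member("GigabitEthernet0/1.11", 11, "Inside1", 1, 100)
               + _member("GigabitEthernet0/0.20", 20, "Outside2", 2, 0)
               + _member("GigabitEthernet0/1.22", 22, "Inside2", 2, 100)
               + "interface BVI1\n ip address 10.10.10.10 255.255.255.0\n"
               + "interface BVI2\n ip address 10.10.20.10 255.255.255.0\n"
               + "".join(f"access-group {acl} in interface {n}\n" for n, acl in
                         (("Outside1", "outside_acl"), ("Inside1", "inside_acl"),
                          ("Outside2", "outside_acl"), ("Inside2", "inside_acl"))))
# Constructed broken variant: VLAN 20 reused on Gi0/0, a one-member bridge group 3, no BVI3, no ACL.
BROKEN_CONFIG = GOOD_CONFIG + _member("GigabitEthernet0/0.30", 20, "Outside3", 3, 0)

if __name__ == "__main__":
    print("good:", audit_transparent_config(GOOD_CONFIG))
    print("broken:", *audit_transparent_config(BROKEN_CONFIG), sep="\n  ")
```

Feed it the text of show running-config from a lab box before cutover; the good sample produces no findings, and the broken one reports the duplicate tag, the lone member, the missing BVI address and the missing access-group in one pass.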

  • ASA 55xx in transparent mode - switch ARP table?

Guys,
It's a basic question about how transparent-mode firewalls communicate with the connected switches.
My understanding is that if I separate the LAN, e.g. 10.1.1.x, with a transparent firewall then it will only "snoop" the traffic and will not change anything in the Ethernet header.
Is that correct, or will it still replace the MAC address with the firewall's physical interface address to send the frame to the connected switch?
e.g.
client (10.1.1.1) ---------> switch -------> transparent 5510 --------> switch ----------> server (10.1.1.100)
When the client sends an ARP request to look up the hardware address of the server, what will it receive back?
The MAC address of the transparent ASA, or the server's?
Thank you!

The source MAC address is never changed if the traffic is passing through the same IP subnet (VLAN). Here the firewall is in transparent mode and if it altered the source MAC address, communication would not happen. This is a very fundamental network concept. However, it may recreate the same frame with the same source/destination MAC addresses.

  • ASA using only for IPS?

Hi,
Is it possible to use the ASA with an IPS module as a sensor only, with its outside interface on one mirrored switch port?
Regards.
Volker

The outside interface is for command and control only and cannot be used for monitoring.
The SSM is only able to monitor traffic passing through the ASA.
The ASA does not support connecting its ports to mirrored switch ports either.
The closest you get is to configure the ASA in transparent mode with ACLs on each interface that permit all traffic, and then place the ASA between 2 of your existing devices. Then place a policy on the ASA to copy all packets to the SSM for promiscuous monitoring.
If you have an existing firewall of another type, then you can try placing the transparent ASA between your other firewall and your DMZ switch, for example.
All traffic would be passed through the ASA and be copied to the SSM for promiscuous monitoring.
This mode could best be described as using the ASA as a simulated tap to send traffic to the SSM.

  • Transparent mode with AIP-SSM-20

    I currently have an ASA5510 in routed mode with an AIP-SSM-20.
    There is a requirement to use a fibre optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE.  This part should present no issue.
    However, this will remove the IPS device, and I still want to use IPS.
    So, what I am thinking is to get another ASA5510, install the AIP-SSM, configure ASA for transparent mode and put it in between the inside of the routed ASA and my LAN.  The transparent ASA would be functioning strictly as an IPS appliance.
    Setup would look something like this:
    Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN
    Can the AIP-SSM still perform IPS with the ASA in transparent mode?
    Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?
    I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.
    Regards.

AFAIR, there is no problem setting up the AIP in a transparent firewall.
"An ASA in transparent mode can run an AIP. In the event the AIP fails,
the IPS will fail open and the ASA will continue to pass traffic.
However, if an interface or cable fails, then traffic will stop. You
would need a failover pair to account for this failure event, which
means another ASA and matching AIP."
And no, there is no problem excluding certain hosts/ports/subnets from inspection by the IPS via MPF.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744
What I would however consider is whether an ASA 5510 as a second-tier firewall for the 5520s will be enough.
    http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
    HTH,
    Marcin

  • IGMP settings on transparent firewall.

What are the requirements for allowing IGMP traffic to pass through a transparent ASA 5550?
I have inherited a configuration that is currently configured to allow IGMP from any to any and would like to restrict this protocol. On the trusted side I have a single host configured for multicast and on the untrusted side there is a switch and then a router. I do not control the router or switch configuration on the untrusted side.
My questions are:
- Is IGMP allowed through by default?
- Are the ACL entries "access-list outside-in extended permit igmp any any" and "access-list inside-out extended permit igmp any any"
  required to allow IGMP join, query, leave etc.?
- If this is required, how do I limit the source and destination IP range?
Thanks

It is really a very simple topology: single host inside --- my ASA --- other company's ASA outside -- other company's switch, then router inside.
My server acts as both multicast server and client.
Additional question...
Can anyone clarify this statement?
These destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped.
IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
I assume this follows the same rule as anything else and that it only allows these from a higher-numbered interface to a lower-numbered interface...
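The quoted range is a Layer 2 rule, separate from the security-level and ACL decisions on the IP packet inside the frame, and the IGMP messages in the question all land inside it. The code below is an added example, not from this thread or from Cisco: it maps IPv4 groups to their multicast MACs (RFC 1112: 01:00:5e plus the low 23 bits of the group), checks the mapping against the quoted range, and lists which groups collapse onto the same MAC, since any filtering done by MAC rather than by IP cannot tell those apart. The all-ones broadcast MAC is included in the check as an assumption (ARP and DHCP need it); other entries of the ASA's allow-list are not quoted on this page and are not modelled. The IGMP destinations used (224.0.0.1 for queries, 224.0.0.2 for leaves, 224.0.0.22 for IGMPv3 reports, the group itself for v2 reports) are the standard ones.

```python
"""IPv4 multicast group to MAC mapping and the transparent-mode destination check (added example)."""
import ipaddress

# Range quoted above from the ASA documentation; the broadcast MAC is an assumption.
IPV4_MCAST_MAC_RANGE = (0x01005E000000, 0x01005EFEFFFF)
BROADCAST_MAC = 0xFFFFFFFFFFFF
IGMP_WELL_KNOWN = {"query": "224.0.0.1", "leave": "224.0.0.2", "v3-report": "224.0.0.22"}


def mcast_mac(group: str) -> int:
    """RFC 1112 mapping: 01:00:5e followed by the low 23 bits of the group address."""
    addr = ipaddress.ip_address(group)
    if addr.version != 4 or not addr.is_multicast:
        raise ValueError(f"{group} is not an IPv4 multicast group")
    return IPV4_MCAST_MAC_RANGE[0] | (int(addr) & 0x7FFFFF)


def mac_str(mac: int) -> str:
    """Render a 48-bit integer as colon-separated lowercase hex."""
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def in_allowed_multicast_list(mac: int) -> bool:
    """Check a destination MAC against the quoted range (plus broadcast).

    Learned unicast MACs are handled by the bridge's MAC table and are not
    covered by this list, so a False here only means 'not a permitted
    broadcast/multicast destination'.
    """
    lo, hi = IPV4_MCAST_MAC_RANGE
    return mac == BROADCAST_MAC or lo <= mac <= hi


def groups_sharing_mac(group: str):
    """The 32 IPv4 groups that collapse onto one MAC (5 address bits are dropped)."""
    low23 = int(ipaddress.ip_address(group)) & 0x7FFFFF
    return [str(ipaddress.ip_address(0xE0000000 | (i << 23) | low23)) for i in range(32)]


def igmp_destinations(group: str) -> dict:
    """Destination MAC of each IGMP message for a group and whether it is on the list."""
    targets = {"v2-report": group, **IGMP_WELL_KNOWN}
    return {msg: (mac_str(mcast_mac(g)), in_allowed_multicast_list(mcast_mac(g)))
            for msg, g in targets.items()}


if __name__ == "__main__":
    for msg, (mac, ok) in igmp_destinations("239.1.1.1").items():
        print(f"{msg:10} -> {mac}  allowed={ok}")
    print("shares a MAC with 224.1.1.1:", ", ".join(groups_sharing_mac("224.1.1.1")[:4]), "...")
```

The practical consequence for the question above: every IGMP message for an IPv4 group passes the MAC-level check, so restricting IGMP has to be done in the extended ACL on the IP addresses, and because 32 groups share each MAC, a restriction expressed by group address is only as precise as the Layer 3 match you write.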
