Transparent ASA
Dears,
I would like to implement the design below, and I'm wondering if it's going to be valid.
PC(Access vlan 10)-----------SWITCH(SVI Vlan 10 , Vlan 20)------Trunk-------Bridge group 1-----ASA(Transparent)--Bridge group 1-------Trunk----Switch(SVI vlan 10 , Vlan 20)----------------PC(Vlan20)
I want traffic going from the PC in VLAN 10 to reach the PC in VLAN 20 and at the same time be inspected by the transparent ASA. I have read in many documents that the two interfaces of the firewall should be in different VLANs, but in my case I would like to have both interfaces of the ASA as trunks and not assigned to a particular VLAN. Is this doable??
Thanks
A transparent firewall is a Layer 2 firewall that acts like a "bump in the wire," or a "stealth firewall," and is not seen as a router hop to connected devices. The ASA connects the same network on its inside and outside interfaces.
Each directly connected network must be on the same subnet.
Refer to this document.
HTH
"Please rate helpful posts"
Similar Messages
-
Hi,
I'm trying to get started on setting up my first Transparent ASA.
I understand an ASA in Transparent Mode can now have an ip address with Bridge Groups or some such mechanism. I'm looking for examples of how to set that up and other information below.
Is the ip address associated with the device or is it interface specific? Will I be able to SSH with that ip address setup?
Can I use ASDM if the Transparent ASA has an ip address?
This 5512X has an IPS. Anyone who has set up an IPS on this platform knows it has some very particular requirements in order to communicate with the outside world. I need examples of how to do that with a Transparent ASA.
How is NAT setup differently (if at all) on a Transparent ASA?
Are ACLs done any differently?
Any help is appreciated. Examples or links are great.
Thanks.
You will now use Bridge-Groups...
It's specific to a bridge group (the IP address), and yes, you will be able to SSH, Telnet and ASDM to that IP.
NAT and ACL setup is the same thing.
Here is a quick example I did:
interface bvi 10
ip address 192.168.12.1 255.255.255.0
no shut
interface gigabitEthernet 0
nameif outside
no shut
interface gigabitEthernet 0
bridge-group 10
interface gigabitEthernet 1
nameif inside
no shut
bridge-group 10
-
PC not getting IP in transparent ASA
Hi everyone,
ASA 505 is connected to layer 3 switch.
ASA is in transparent mode.
Layer 3 switch has SVI Vlan 20 and also it has dhcp server for vlan 20.
The PC connected to the transparent switch is not able to get an IP address from the Layer 3 switch.
I have configured an ACL on the outside interface of the ASA to allow the DHCP reply coming from the switch.
When I assign a static IP to the PC connected to port eth0/1 of the ASA it works fine.
ciscoasa# sh run
: Saved
ASA Version 9.1(1)
firewall transparent
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
switchport access vlan 20
interface Ethernet0/1
switchport access vlan 13
interface Ethernet0/2
shutdown
interface Ethernet0/3
shutdown
interface Ethernet0/4
shutdown
interface Ethernet0/5
shutdown
interface Ethernet0/6
shutdown
interface Ethernet0/7
shutdown
interface Vlan1
no nameif
no security-level
interface Vlan13
nameif inside
bridge-group 1
security-level 100
interface Vlan20
nameif Outside
bridge-group 1
security-level 0
interface BVI1
ip address 192.168.20.59 255.255.255.0
boot system disk0:/asa911-k8.bin
ftp mode passive
object network Broadcast
host 255.255.255.255
object network Dhcp-Server
host 192.168.20.3
access-list inside_access_in extended permit ip any any
access-list Outside_access_in extended permit udp object Dhcp-Server object Broadcast eq bootpc log
access-list inside_access_in_1 extended permit ip any any
pager lines 24
mtu Outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-712.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group Outside_access_in in interface Outside
access-group inside_access_in_1 in interface inside
route Outside 0.0.0.0 0.0.0.0 192.168.20.3 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 Outside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 Outside
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:cbcb87f40ea45d3bd0b6376e92b5fe8a
: end
ciscoasa# $
ciscoasa#
Thanks
mahesh
Message was edited by: mahesh parmar
Hi Jouni,
It worked great as always.
I got this ASA Security Plus license a few days back, so I am trying to learn some concepts in my home lab.
I need to understand the reason for these 2 ACLs:
1> access-list OUTSIDE-IN permit icmp host any echo
I already have ICMP under the global policy, so why do we use the above ACL?
Also this ACL has a hit count of 0.
2> When we allowed the ACL to permit the BootPC reply from any host to the broadcast address, why do we need this second ACL?
access-list OUTSIDE-IN permit udp host 192.168.20.0 255.255.255.0 eq bootpc
This ACL also has a hit count of 0.
Thanks
mahesh
Message was edited by: mahesh parmar
-
Redundant Transparant ASA between Redundant Routed Links
Apparently the Security/Compliance team didn't review my network design before it was submitted and built, and now I have to shoehorn a firewall somewhere there was never supposed to be one.
I have my two current DC Cores (Nexus 5548UP), which are currently Layer 3 only, with no L2 configuration at all. I understand these aren't the best switches for this role, but the BoM was put in place and gear ordered long before I came onboard, and the DC design had been completed. From these two Cores, I connect directly to a vendor's clustered Fortinet FW, via a /30 from each core to each node of their cluster, connected via eBGP, one link with a path prepend, due to the vendor not being able to figure out how to load balance on their firewall. Due to numerous vendor problems and lack of knowledge, I cannot get them to change their design in a timely manner to meet our timelines, and this has to be up yesterday to be PCI compliant (so our security people say) prior to go live in 1 week. The vendor took 3 weeks just to figure out how to aggregate routes to me!
So I want to drop a transparent pair of firewalls inline on the two links, but due to the Active/Standby limitation of ASAs, I am not sure this will be that easy given the /30 L3 interfaces being used. Secondly, the lack of L2 between the two upstream cores may be a concern, at least from past experiences. I know if I was using some other vendor's clustered FW this wouldn't be a problem, but I definitely don't want to join the Dark Side again, nor do I have time to procure any other equipment other than the 5520s I currently have lying around. Someone please tell me I have overlooked something simple, and the design listed below will be simple to implement!!!!
Any ideas appreciated!
Why don't you use this design:
Connect the vendor cluster directly to the Nexus with a VRF instance, then route traffic to the ASA and then route to the Nexus with another VRF instance.
Regards
V.
-
Unable to establish OSPFv3 neighbors through transparent ASA
I have 2 devices running IPv6 with an ASA version 8.4(2) in transparent mode with multiple contexts in between them. I can IPv6 ping the devices through the ASA but cannot get the 2 devices to establish OSPFv3 adjacency. They are able to establish adjacency with IPv4 OSPF. When running debug ipv6 ospf hello I see each of the devices sending hellos but not receiving them from the device on the other side of the ASA. I notice that the hellos are coming from the link-local addresses and not the unique global addresses that I applied to the interfaces. If I connect a device directly to one of the devices I can establish OSPFv3 adjacency without a problem.
Any thoughts?
Bob
Bob,
It is expected that OSPF/EIGRP etc. use link-local rather than unique global ;-)
Regarding the problem.
- please enable
logging buffered informational
logging buffer-size 1000000
- and an ASP drop capture.
cap ASP type asp-drop all
Try establishing the adjacency and check
show logging
show cap ASP
I would also try establishing the adjacency without multicast (a point-to-multipoint network should allow this).
Marcin
-
Transparent ASA and Mac-Address's
Experts,
I've recently installed a pair of 5525Xs in transparent mode to protect some internal segments. In reading about transparent mode I thought I read that the ASA will "proxy" the connection when going from the Layer 3 side (North) to the actual physical South side host. For an "Outside/North" host (vlan 700) to talk to an "Inside/South" host (vlan 800), the ASA will pass its MAC address to the outside host (or gateway) as the destination to send the packet. Prior to building this infrastructure I thought I would see all ARP entries on the Layer 3 (North) side have the MAC address of the interface of the ASA for all protected hosts. I do not see that on the SVI interface but do see the real MAC address of the "South" side protected machine. When looking on a protected machine I do see the default-gateway ARP entry to be the actual MAC address of the SVI on the switch and not the MAC address of the ASA, which I thought would be the case as well. Everything is working as advertised (or so I think), as removing or adding ACLs does limit or allow traffic, so it appears to be working. I'm just checking that my initial assumption of the MAC address of the ASA being on every ARP entry was/is incorrect. From what I can tell the ASA passes the MAC addresses from each side of the bridge-group to the other.
Thanks,
Ken
Hi Ken
Yes, this is correct. In transparent mode, the ASA is effectively a passive device in this perspective. The devices on either side of the ASA will see the "real" MAC addresses.
Note this behaviour will change if you configure NAT on the ASA.
HTH.
Barry Hesk
Intrinsic Network Solutions
-
Hi All
Hopefully someone will be able to help. I have an ASA running 8.4 in multi-context transparent mode.
The problem I am seeing is that it is passing BPDUs (I see this is expected in this mode), which is making the network converge.
Which is the best way to stop this? I had thought an ACL on the ASA, but I think you can have only 1 type.
Many thanks, MJ
You are right, you cannot mix different types of access lists.
Here is what I can think of as a workaround to achieve your requirement.
>> Try creating a different access-list to block BPDUs and apply it on a different interface.
For example:
Say you have two ACLs:
access-list 1 ethertype deny bpdu
access-list 1 ethertype permit any
access-list 2 extended permit ip any any
>> you can apply ACL 1 on one interface to block BPDUs
>> and ACL 2 on the other interface to filter other traffic.
So, by doing this you will be inspecting the same traffic flow at two different interfaces with different types of ACLs.
Hope it helps!!
-
Transparent ASA 5545X with VLAN trunks
Hello experts,
I have a current requirement in that we are to deploy a pair of transparent firewall (active-standby). The active firewall sits between a core switch and an access switch. There is an etherchannel pair (gi0/0 and gi0/1) connecting from the active firewall to the core switch (this interface is named "outside") and a pair of redundant interfaces (gi0/2 and gi0/3) connecting to the access switch (this interface is named "inside").
The core switch is the VTP master which holds all the VLANs in the environment. Is it possible to trunk the EtherChannel link and the redundant link to allow all VLANs through from the core switch to the access switch and vice versa? Thank you for your time reading this.
Hi Joe,
thanks for the much appreciated help on this. Let me try your suggestion on the firewall:
access-list myethertypes ethertype permit bpdu
access-list myethertypes ethertype permit 0x8100
access-list myethertypes ethertype permit 0x2003
access-group myethertypes in interface outside
access-group myethertypes in interface inside
And on the switches' end:
vlan dot1q tag native
Just a quick question: do I need to create VLANs on the firewall, or will the firewall just accept the VLAN-tagged frames from the downstream switch, after which they are filtered by firewall policy and forwarded to the upstream switch?
-
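The two threads above both turn on what an ethertype ACL actually sees in a frame: an STP BPDU is an 802.3/LLC frame (no EtherType at all), while a trunked frame carries an 802.1Q tag (0x8100) ahead of the real EtherType. The following is an added example, not code from this thread or from Cisco: a small Python parser that classifies a raw Ethernet frame the way such an ACL would label it, plus a first-match evaluator for the two ACLs quoted above (`access-list 1` blocking BPDUs, and `myethertypes`). The function names, the keyword names in `ETHERTYPE_NAMES`, and the matching model (a tagged frame matches `0x8100`, everything else matches its own kind, implicit deny at the end) are my simplifications for illustration, not a description of the ASA's internal behaviour; on the ASA, IP traffic is governed by extended ACLs, as the earlier reply notes.

```python
"""Classify raw Ethernet frames as an ethertype ACL would label them.

Added example (not Cisco code): parses dst/src MAC, an optional 802.1Q tag
and the type/length field, recognising 802.3/LLC STP BPDUs, then evaluates
simplified (action, match) ethertype ACL entries first-match.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# EtherType value -> label used for matching (assumed keyword names)
ETHERTYPE_NAMES = {
    0x0800: "ipv4",
    0x0806: "arp",
    0x86DD: "ipv6",
    0x8847: "mpls-unicast",
    0x8848: "mpls-multicast",
}
IEEE_8021Q_TPID = 0x8100
STP_LLC_SAP = 0x42  # DSAP/SSAP used by spanning tree BPDUs


@dataclass
class Frame:
    dst: str
    src: str
    vlan: Optional[int]  # None when the frame carries no 802.1Q tag
    kind: str            # "bpdu", "ipv4", ... or "0xNNNN" for unlisted types


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def classify_frame(raw: bytes) -> Frame:
    """Parse the Ethernet header; distinguish Ethernet II types from 802.3/LLC."""
    if len(raw) < 16:
        raise ValueError("frame too short to classify")
    dst, src = _mac(raw[0:6]), _mac(raw[6:12])
    offset, vlan = 12, None
    (type_or_len,) = struct.unpack("!H", raw[offset:offset + 2])
    if type_or_len == IEEE_8021Q_TPID:
        # Tag Control Information: 3 bits PCP, 1 bit DEI, 12 bits VLAN ID
        (tci,) = struct.unpack("!H", raw[offset + 2:offset + 4])
        vlan = tci & 0x0FFF
        offset += 4
        (type_or_len,) = struct.unpack("!H", raw[offset:offset + 2])
    if type_or_len >= 0x0600:
        # Ethernet II: the field is an EtherType
        kind = ETHERTYPE_NAMES.get(type_or_len, f"0x{type_or_len:04x}")
    else:
        # 802.3: the field is a length and an LLC header (DSAP, SSAP, ctrl) follows
        dsap, ssap = raw[offset + 2], raw[offset + 3]
        kind = "bpdu" if (dsap, ssap) == (STP_LLC_SAP, STP_LLC_SAP) else "llc"
    return Frame(dst, src, vlan, kind)


def evaluate_ethertype_acl(acl: List[Tuple[str, str]], frame: Frame) -> str:
    """First matching entry wins; an unmatched frame hits the implicit deny.

    Simplified model: a frame matches "any", its own kind, or "0x8100" if tagged.
    """
    matchable = {frame.kind, "any"}
    if frame.vlan is not None:
        matchable.add("0x8100")
    for action, match in acl:
        if match in matchable:
            return action
    return "deny"


# --- constructed sample frames (not captured traffic) ---
# STP BPDU: dst 01:80:c2:00:00:00, 802.3 length 0x0026, LLC 42 42 03, zeroed body
BPDU_FRAME = bytes.fromhex("0180c2000000" "001122334455" "0026" "424203") + bytes(35)
# IPv4 frame tagged with VLAN 700 (TCI 0x02bc), zeroed IPv4 header
TAGGED_IPV4_FRAME = bytes.fromhex("aabbccddeeff" "001122334455" "8100" "02bc" "0800") + bytes(20)
# Untagged ARP broadcast
ARP_FRAME = bytes.fromhex("ffffffffffff" "001122334455" "0806") + bytes(28)

# The two ACLs quoted in the thread, as (action, match) entries
ACL_BLOCK_BPDU = [("deny", "bpdu"), ("permit", "any")]
ACL_MYETHERTYPES = [("permit", "bpdu"), ("permit", "0x8100"), ("permit", "0x2003")]


def demo() -> dict:
    """Return the verdict of each ACL for each sample frame."""
    results = {}
    for name, raw in (("bpdu", BPDU_FRAME), ("tagged-ipv4", TAGGED_IPV4_FRAME), ("arp", ARP_FRAME)):
        f = classify_frame(raw)
        results[name] = {
            "kind": f.kind,
            "vlan": f.vlan,
            "block-bpdu": evaluate_ethertype_acl(ACL_BLOCK_BPDU, f),
            "myethertypes": evaluate_ethertype_acl(ACL_MYETHERTYPES, f),
        }
    return results


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:12} {r}")
```

Running the block shows the BPDU frame labelled `bpdu` with no VLAN, and the trunked IPv4 frame labelled `ipv4` on VLAN 700; the BPDU is denied by `access-list 1` and permitted by `myethertypes`, while the tagged frame passes `myethertypes` only because of the `0x8100` entry in this model.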
Guys,
Can you help me,
I am confused about why the Cisco ASA in transparent mode can't support QoS. Does a transparent ASA not pass traffic with QoS tagging, or does it pass traffic with QoS tagging but not support QoS modification/implementation in Cisco, like traffic shaping and queue management?
Best Regards,
Rizal Ferdiyan
Hi Rizal,
Packets take a different code path internally when the ASA is in transparent mode versus routed mode, and this path does not include QoS support. Your best bet would be to implement this on the switch connected to the ASA, or another device upstream.
I would also suggest contacting your Cisco account team and asking that a product enhancement request be filed if this is a requirement for you.
-Mike
-
ASA Routed/Transparent Mode - Advice
Hi guys,
I'm looking for some advice regarding the deployment of an ASA. I have two networks separated by a routed link (layer 3 switch to layer 3 switch). I would like to deploy an ASA between the two networks for increased security. I'm leaning toward transparent mode so I don't have to have an additional IP subnetwork configured, and because deployment seems a little 'easier'.
I would welcome any feedback.
Thanks.
Hi,
So there are 2 networks which are separated by a routed link between the L3 switches? Have you considered simply moving the LAN and link network IP addresses to a Routed Mode ASA's interfaces when inserting it between these networks, or is there something on the L3 switch that prevents this?
Naturally you can use the ASA in Transparent Mode also. I have not deployed Transparent ASAs, as usually Routed Mode has been required. Even firewalls installed on internal networks (like between factory automation and office networks) have always been in Routed mode.
Looking at the ASA Configuration Guide, the limitations set by Transparent Mode are not something that would prevent us from using it instead of the current setups. I would imagine that the most important limitation in many setups has usually been the fact that VPN is not supported in Transparent mode, though I guess in your case that would not be a problem.
The ASA Configuration Guide section on Transparent mode (guidelines/limitations) can be found here:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/intro-fw.html#pgfId-1501525
- Jouni
-
ASA Transparent Mode Deployment Issue
Could you please be more specific as to what does not work. How are you testing, from which IP to which IP is not working? Are you able to ping the switch from the ASA Firewall (not the transparent firewall)?
Please remember to rate and select a correct answer
OK, after a little research I think I have found a solution for you (I am leaving out the policy map configs):
firewall transparent
hostname ASA-IPS
interface GigabitEthernet0/0.20
vlan 20
nameif Outside2
bridge-group 2
security-level 0
interface GigabitEthernet0/0.10
vlan 10
nameif Outside1
bridge-group 1
security-level 0
interface GigabitEthernet0/1.22
vlan 22
nameif Inside2
bridge-group 2
security-level 100
interface GigabitEthernet0/1.11
vlan 11
nameif Inside1
bridge-group 1
security-level 100
interface BVI1
ip address 10.10.10.10 255.255.255.0
interface BVI2
ip address 10.10.20.10 255.255.255.0
access-list inside_acl extended permit ip any any
access-list outside_acl extended permit ip any any
access-group outside_acl in interface Outside1
access-group inside_acl in interface Inside1
access-group outside_acl in interface Outside2
access-group inside_acl in interface Inside2
Also make sure that you amend the VLANs on the switch to correspond to the VLANs on the Transparent ASA.
Please remember to rate and select a correct answer
-
ASA 55xx in transparent mode - switch ARP table?
Guys,
It's a basic question about how transparent mode firewalls communicate with the connecting switches.
My understanding is that if I separate the LAN, e.g. 10.1.1.x, with a transparent firewall, then it will only "snoop" the traffic and will not change anything in the Ethernet header.
Is it correct, or will it still replace the MAC address with the firewall's physical interface address to send the frame to the connecting switch?
e.g.
client--------->switch------->transparent 5510-------->switch---------->server
10.1.1.1 10.1.1.100
When the client sends the ARP to look up the hardware address of the server then what will that received back?
The MAC address of the transparent ASA, or the server?
Thank you!
The source MAC address is never changed if the traffic is passing through the same IP subnet (VLAN). Here the firewall is in transparent mode, and if it altered the source MAC address, communication would not happen. This is a very fundamental network concept. However, it may recreate the same frame with the same source/destination MAC addresses.
-
Hi,
Is it possible to use the ASA with an IPS module as a sensor only, with its outside interface connected to one mirrored switch port?
Regards.
Volker
The outside interface is for command and control only and cannot be used for monitoring.
The SSM is only able to monitor traffic passing through the ASA.
The ASA does not support connecting its ports to mirrored switch ports either.
The closest you get is to configure the ASA in transparent mode with ACLs on each interface that permit all traffic, and then place the ASA between 2 of your existing devices. And then place a policy on the ASA to copy all packets to the SSM for promiscuous monitoring.
If you have an existing other type of firewall, then you can try placing the transparent ASA between your other firewall and your DMZ switch, for example.
All traffic would be passed through the ASA, and be copied to the SSM for promiscuous monitoring.
This mode could best be described as using the ASA as a simulated tap to send traffic to the SSM.
-
Transparent mode with AIP-SSM-20
I currently have an ASA5510 in routed mode with an AIP-SSM-20.
There is a requirement to use a fibre optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE. This part should present no issue.
However, this will remove the IPS device, and I still want to use IPS.
So, what I am thinking is to get another ASA5510, install the AIP-SSM, configure ASA for transparent mode and put it in between the inside of the routed ASA and my LAN. The transparent ASA would be functioning strictly as an IPS appliance.
Setup would look something like this:
Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN
Can the AIP-SSM still perform IPS with the ASA in transparent mode?
Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?
I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.
Regards.
AFAIR, there is no problem setting up the AIP in a transparent firewall.
"An ASA in transparent mode can run an AIP. In the event the AIP fails,
the IPS will fail-open and the ASA will continue to pass traffic.
However, if an interface or cable fails, then traffic will stop. You
would need a failover pair to account for this failure event, which
means another ASA and matching AIP."
And no, there is no problem excluding certain hosts/ports/subnets from inspection by the IPS via MPF.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744
What I would however consider is whether the ASA 5510s as second-tier firewalls for 5520s will be enough.
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
HTH,
Marcin
-
IGMP settings on transparent firewall.
What are the requirements for allowing IGMP traffic to pass through a transparent ASA 5550?
I have inherited a configuration that is currently configured to allow IGMP from any to any, and I would like to restrict this protocol. On the trusted side I have a single host configured for multicast, and on the untrusted side there is a switch and then a router. I do not control the router or switch configuration on the untrusted side.
My questions are:
- Is IGMP allowed through by default?
- Are the ACL entries "access-list outside-in extended permit igmp any any" and "access-list inside-out extended permit igmp any any"
required to allow IGMP join, query, leave etc.?
- If this is required, how do I limit the source and destination IP range?
Thanks
It is really a very simple topology: single host inside --- my ASA --- other company ASA outside --- other company switch then router inside.
My server acts as both multicast Server and client.
Additional question...
can anyone clarify this statement?
These destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped.
IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
I assume this follows the same rule as anything else and that it only allows these from a higher number interface to a lower number interface...