Transparent Firewall with BVI
Hi! I have a question regarding transparent firewalls using BVIs.
Based on the diagram above, ASA1 is in transparent mode.
Port Gi0 is assigned BVI-1 and port Gi1 is assigned BVI-2.
Is it possible for network 1 to communicate with network 2?
The traffic will pass through the firewall towards the router; the router will do the routing and then forward it back to the firewall and on towards network 2?
I am thinking of making port Gi2 of the firewall a trunk and use subinterfaces in order to forward BVI headers to the router.
Hi Franzis,
In transparent mode you can use only two interfaces which have to be on the same subnet:
- The transparent security appliance uses an inside interface and an outside interface only. If your platform includes a dedicated management interface, you can also configure the management interface or subinterface for management traffic only.
In single mode, you can only use two data interfaces (and the dedicated management interface, if available) even if your security appliance includes more than two interfaces.
- Each directly connected network must be on the same subnet.
Source link:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml
Regards
Mariusz
Similar Messages
-
Transparent firewall with failover with multiple contexts
I am running 8.4(2) on ASA5585s. They are in multiple context mode and set to transparent firewall with active/active failover. When I do a sh failover in a context I see 2 of my interfaces are (waiting). I have a BVI and these are the IP addresses on the interfaces in the "sh failover" below.
Failover On
Last Failover at: 11:54:39 GMT/IST Feb 23 2012
This context: Standby Ready
Active time: 175394 (sec)
Interface ctxb-inside (x.x.x.165): Normal (Waiting)
Interface ctxb-outside (x.x.x.165): Normal (Monitored)
Peer context: Active
Active time: 11390663 (sec)
Interface ctxb-inside (x.x.x.164): Normal (Monitored)
Interface ctxb-outside (x.x.x.164): Normal (Waiting)
Why are the interfaces in (waiting)?
Are you able to ping between the interfaces? i.e. can you ping x.x.x.165 from x.x.x.164 and vice versa? If you are not able to ping it, that means there is no connectivity between the 2, hence the status is Normal (Waiting) because it has not received the hello packet on that corresponding interface.
Here is the reference guide FYI:
http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s3.html#wp1505709 -
Hi,
We will be deploying 1 firewall with IPS module and 1 transparent firewall with CSC module. Please refer to the diagram. Is there any concern with this deployment? Will it work?
Please advise.
Thanks.
Yes. Absolutely. No problem.
-Kureli -
Cisco Transparent firewall and cisco switch issues.
Dears,
I have a very plain scenario
LAN cisco switch <2 vlans> ----------> cisco transparent firewall with bvi interface ------------> crypto box ---------> cisco router ------ <remote/other site>
I have vlan 61 configured on the BVI interface of the firewall, on the crypto box and also on the switch port, and vlan 61 is up/up.
The issue is I can connect remotely to the cisco transparent firewall but cannot ping or connect to the cisco switch?
Need to know some troubleshooting tips and basic settings that I need to verify. I simply want the LAN switch with 2 vlans to pass through the cisco transparent firewall and go to the other site/remote site.
Well,
I have turned on ICMP inspection for the sessions, and the version I am using is 9.1.
Moreover, I have put up the ACLs for inbound and outbound traffic, and while I ping across the firewall from the inside interface towards the outside interface PC, I can see packet counts increasing on the ACL in the show access-list command.
I have requested the client to verify his part. Do let me know further tips if you have any.
[ Moreover we cannot try to use packet-tracer from the CLI in transparent mode ] -
Can I have multiple different vlans in one Single Mode Transparent Firewall
Hi,
I am about to configure a Data Center FW (ver 9.2) to protect a multi-tier server farm: Web, Applications & Database. There is a requirement to set the FW in Transparent Mode, while the license is the base 2-contexts only.
I wonder if one single transparent context, with different bridge-groups, one for each vlan, is a workable solution. I have pasted the configuration of the FW; it may help in understanding the setup.
======
firewall transparent
names
interface TenGigabitEthernet0/8
description To Nx7K-1 Port-8
channel-group 9 mode passive
no shutdown
no nameif
no security-level
interface TenGigabitEthernet0/9
description Nx7K-1 Port-9
channel-group 9 mode passive
no shutdown
no nameif
no security-level
interface TenGigabitEthernet1/8
description Nx7K-2 Port-8
channel-group 9 mode passive
no shutdown
no nameif
no security-level
interface TenGigabitEthernet1/9
description Nx7K-2 Port-9
channel-group 9 mode passive
no shutdown
no nameif
no security-level
interface BVI1
desc Services Zone
ip address x.x.41.250 255.255.255.0
interface BVI2
description WEB-APPS Zone
ip address x.x.42.250 255.255.255.0
interface BVI3
desc Oracle management
ip address x.x.43.250 255.255.255.0
interface BVI4
descr Oracle DB
ip address x.x.44.250 255.255.255.0
interface Port-channel9
description ECLB Trunk to NX7Ks
duplex full
port-channel load-balance src-dst-ip-port
no nameif
no security-level
switchport mode trunk
switchport trunk allowed vlan 41-44,141-144
interface Port-channel9.41
vlan 41
nameif Services-Outside
bridge-group 1
security-level 0
interface Port-channel9.141
description Services-Inside
vlan 141
nameif Services-Inside
bridge-group 1
security-level 100
interface Port-channel9.42
description WEB_APPS-Outside
vlan 42
nameif WEB_APPS-Outside
bridge-group 2
security-level 0
interface Port-channel9.142
description WEB_APPS-Inside
vlan 142
nameif WEB_APPS-Inside
bridge-group 2
security-level 100
interface Port-channel9.43
desc Oracle management
vlan 43
nameif Oracle_Mgmt-Outside
bridge-group 3
security-level 0
interface Port-channel9.143
description Oracle management Inside
vlan 143
nameif Oracle_Mgmt_Inside
bridge-group 3
security-level 100
interface Port-channel9.44
desc Oracle DB
vlan 44
nameif Oracle_DB_Outside
bridge-group 4
security-level 0
interface Port-channel9.144
description Oracle DB Inside
vlan 144
nameif Oracle_DB_Inside
bridge-group 4
security-level 100
It is possible but it is not scalable. If I remember correctly you can only have a maximum of 8 BVI interfaces...so this means you can only have 8 subnets going across the ASA. You would also need separate VLANs for the inside interface and the outside interface since you cannot configure two interfaces to be in the same VLAN, and then assign these interfaces to the appropriate BVI group.
Please remember to select a correct answer and rate helpful posts -
Why use transparent firewall in data center?
I've seen Cisco documentation recommending transparent mode for firewall deployment in the data center, e.g. 5585X. I understand the key reasons for this are:
- easy "insertion" of firewall in pre-existing network
- speed (since there is no "hair-pinning")
Assume that the above two are not a major concern (i.e. you can redesign your network to have the firewall hold default gateways and your firewall is much more powerful than your needs). Then from a financial perspective, it doesn't seem to make sense to do transparent firewall deployment of the 5585X for the following reasons:
- you are limited to a maximum of 8 bridge-groups
If you really want to follow best practices and implement fine segmentation of your network, you'll need to create 10s or 100s of VLANs and perform access-control on them. This limit of 8 BVIs means that you basically can have only 8 "segments" per context. After that, you have to resort to adding contexts as you grow (contexts introduce their own cost AND complexity).
Am I missing something? Why would Cisco recommend transparent firewall for data center if cost is remotely a concern? I can't seem to find any good documentation justifying this. Thanks in advance for your experiences/insight.
Hello Fouzan,
I think you already covered it.
Good job with the analysis; basically, as you said, it is the ability to place the transparent mode into the network environment, no routing stuff complications, etc., BUT as you said there are limitations.
I would still use the routed mode due to the requirements you set, but there will be scenarios when this will not be the case and a bridge-group or 2 will take care of everything, so a transparent mode firewall would do it.
Regards -
Transparent design with router on both sides?
I am looking to solve a design which has to work in two scenarios. Preferably with an in-line solution.
1. Transparent design with VRF on both sides:
FW-VRF (Subnet A)
|
| (VLAN 11) | ACE (Subnet A)
|
| (VLAN 12)
|
LAN-VRF
|
| (VLAN 13)
|
Real servers (Subnet B)
2. Transparent design in plain bridge mode
FW-VRF (Subnet A)
|
| (VLAN 11) |
ACE (Subnet A)
|
| (VLAN 12)
|
Real servers (Subnet A)
As mentioned, I am aiming for a single design for both scenarios. A routed design will not pass in the first scenario and a one-arm solution will be inefficient in the second scenario. (both due to existing infrastructure) Is it possible to solve this with a transparent solution in both scenarios? I can't seem to get it to work.
Thanks in advance for any help!
I'm gonna expand my question a bit as I cannot seem to get a working config in scenario 1. From the ACE I can ping the VRFs on both sides of the ACE. I can on the other hand ping neither the BVI address of the ACE nor one VRF from the other. Can anyone notice any immediate errors in my config? Thanks in advance for any help!
Addresses:
10.3.66.1 - FW_VRF on client side
10.3.66.6 - LAN_VRF on server side
10.3.66.7 - BVI if on ACE
===Admin===
resource-class TEST_res
limit-resource all minimum 10.00 maximum unlimited
boot system image:c4710ace-mz.A3_2_0.bin
hostname 4710Appl
interface gigabitEthernet 1/1
description Management port
switchport access vlan 752
no shutdown
interface gigabitEthernet 1/2
description Client side LAN
switchport trunk allowed vlan 2522
no shutdown
interface gigabitEthernet 1/3
description Server side LAN
switchport trunk allowed vlan 2524
no shutdown
interface gigabitEthernet 1/4
shutdown
access-list BPDU ethertype permit bpdu
access-list ALL line 8 extended permit ip any any
access-list everyone line 8 extended permit ip any any
access-list everyone line 16 extended permit icmp any any
class-map type management match-any REMOTE_ACCESS
description Remote access traffic match
2 match protocol ssh any
3 match protocol icmp any
4 match protocol snmp any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
class REMOTE_ACCESS
permit
interface vlan 752
description Management VLAN
ip address 10.7.52.63 255.255.255.0
service-policy input REMOTE_MGMT_ALLOW_POLICY
no shutdown
ip route 0.0.0.0 0.0.0.0 10.3.66.1
context TEST_context
allocate-interface vlan 752
allocate-interface vlan 2522
allocate-interface vlan 2524
member TEST_res
context TEST_context_routed
username admin password 5 $1$bale5EiS$bEdquz.bbcW3wRcfeSzbu/ role Admin domain default-domain
username www password 5 $1$bsOdgxav$1uywtkwFEj3QalKaOTrkZ1 role Admin domain default-domain
ssh key rsa 1024 force
===Application context===
access-list ALL line 8 extended permit ip any any
access-list ALL line 16 extended permit icmp any any
class-map type management match-any REMOTE_ACCESS
description Remote access traffic match
2 match protocol ssh any
3 match protocol icmp any
policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
class REMOTE_ACCESS
permit
interface vlan 752
ip address 10.7.52.64 255.255.255.0
service-policy input REMOTE_MGMT_ALLOW_POLICY
no shutdown
interface vlan 2522
description Client side VLAN
bridge-group 1
access-group input ALL
access-group output ALL
no shutdown
interface vlan 2524
description Server side VLAN
bridge-group 1
access-group input ALL
access-group output ALL
no shutdown
interface bvi 1
ip address 10.3.66.7 255.255.255.240
no shutdown
ip route 0.0.0.0 0.0.0.0 10.3.66.1 -
FWSM Transparent firewall query
Customer has over 50 vlans with fwsm inside as below.
WAN --- MSFC ---IDSM-2 --- FWSM --- Inside network (multiple vlans)
Customer wants all internal vlan communication to be inspected by FWSM. What will be the best option - transparent firewall or routed mode and how will this work?
Regards
Vinod
Hi Jon,
Thanks for your valuable suggestion.
My customer has FWSM IDSM and NAM module with 6500 switch and has the following requirement.
1- Inter VLAN communication needs to be protected by FWSM and IDSM (only inline mode). I have never seen IDSM-2 with inline setup in any of my previous HLDs.
2- Customer has collapsed core architecture with access switches terminating at 6509 directly to FWSM (facing inside). With FWSM running inside, I only have 2 options for redundancy. Either use routed mode and run ospf at the access layer (eigrp not supported on FWSM) or run FWSM in transparent mode.
If you have ever faced such scenario, would appreciate if you could share your experience.
Regards
Vinod -
Rule for Control Plane traffic Transparent Firewall
Hi Everyone,
ASA working in routed mode traffic is allowed by default from high security inside to low security outside.
But in case of transparent firewall control plane traffic from inside to outside it is not allowed by default.
Need to know the reason behind this?
IS this due to transparent firewall layer 2?
Regards
Mahesh
Hello Chintan,
the VRF access link where the CE is connected is part of the VRF and isn't a member of the Global Routing Table anymore.
So any possible attempt to build an LDP session cannot impact on the backbone MPLS control plane.
If you want to specify all the acceptable LDP sources in a receive-ACL or in Control plane policing as part of a security plan that will be another matter.
Only on Carrier Supporting Carrier scenario you have an MPLS LDP or BGPv4 with labels session between PE and CE.
Hope to help
Giuseppe -
Transparent mode with AIP-SSM-20
I currently have an ASA5510 in routed mode with an AIP-SSM-20.
There is a requirement to use a fibre optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE. This part should present no issue.
However, this will remove the IPS device, and I still want to use IPS.
So, what I am thinking is to get another ASA5510, install the AIP-SSM, configure ASA for transparent mode and put it in between the inside of the routed ASA and my LAN. The transparent ASA would be functioning strictly as an IPS appliance.
Setup would look something like this:
Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN
Can the AIP-SSM still perform IPS with the ASA in transparent mode?
Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?
I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.
Regards.
AFAIR, there is no problem to set up AIP in a transparent firewall.
"An ASA in transparent mode can run an AIP. In the event the AIP fails,
the IPS will fail-open and the ASA will continue to pass traffic.
However, if an interface or cable fails, then traffic will stop. You
would need a failover pair to account for this failure event, which
means another ASA and matching AIP."
And no there is no problem to exclude certain hosts/ports/subnets from inspection by IPS via MPF.
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744
What I would consider, however, is whether the ASA 5510 as a second-tier firewall behind 5520s will be enough.
http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
HTH,
Marcin -
Transparent Firewall Configuration
I am trying to configure an ASA 5540 in transparent firewall mode. The server farm is connected to the inside zone and users are connected to the outside zone on multiple VLANs routed via inter-VLAN routing using the core switch.
As per Cisco configuration guidelines for transparent firewall, INSIDE and OUTSIDE ZONE are configured to be in two different VLANs while the gateway IP address of the server farm is configured on the core switch.
The transparent firewall works fine if connected to TWO different switches with ACL permit any any on the outside interface. But if TWO DIFFERENT VLANS ( ex. 111 & 222 ) are configured on the same Catalyst 4500 switch and the inside zone and outside zone ( 222 ) are connected to the respective ASA 5540 interfaces in TRANSPARENT MODE - inside interface to port 3/0/1 in VLAN 111 & outside interface to port 3/0/2 in VLAN 222, traffic is not flowing through.
VLAN 222 USED FOR SERVER FARM CONNECTED TO INSIDE ZONE HAS THE DEFAULT GATEWAY ADDRESS CONFIGURED in the CORE SWITCH under INT VLAN 111 which is connected to OUTSIDE interface of ASA.
Core Switch int gig1/0/1...>vlan 111...>ASA OUTSIDE...>Vlan 222...> server farm in vlan 222
No ARP entries are seen on the inside interface. An Ethertype ACL to allow BPDUs on both INSIDE AND OUTSIDE interfaces of the ASA has also been configured.
Can you please provide me guidelines and a step by step procedure to configure ASA 5540 in transparent Firewall mode with INSIDE & OUTSIDE Interface connecting to TWO different VLANS on the same Catalyst SWITCH.
Thanking you in advance,
with best regards
Meenaakshi Sundaram
Network Consultant
Hi Kirk,
Yes, you can.
You just have to make sure that you configure only 1 SVI on the switch.
Example:
L3 subnet: 10.1.1.0/24
VLAN 100 -- Inside (ASA) Outside -- VLAN 200
Hosts will all be connected to VLAN 100 on the switch.
ASA inside interface will be connected to VLAN 100 on the switch
ASA outside interface will be connected to VLAN 200 on the switch
Switch should only have 1 SVI - interface vlan 200 (10.1.1.254 for example). Switch should never be configured with SVI on vlan 100 (should not have interface vlan 100).
All hosts would be in the 10.1.1.0/24 subnet with default gateway set to 10.1.1.254.
ASA should only have 2 interfaces (inside - security level 100, and outside - security level 0). They can't be on the same security level.
Hope that helps. -
Configuring management interface in transparent firewall
Hi there,
I know I have been asking basic questions. But I have 5520 with VPN plus license.
This firewall is in transparent mode now. How do I configure the management IP on this (I mean, is there a dedicated management interface or what)?
Regards,
Yad Singh
Hi,
Consider ASA in transparent mode just like a Layer 2 Switch , where you would have to define an SVI or IP address for management.
In the Case of ASA device , on ASA 8.2 and before , you can only configure one single IP address for management.
On the ASA 8.4 and above, we have something known as bridge groups which are configured for the management IP address.
Refer these documents:-
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/fwmode.html#wp1201980
http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/mode_fw.html#wp1367568
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/97853-Transparent-firewall.html
Let me know if you have any queries.
Thanks and Regards,
Vibhor Amrodia -
Configuration Required for Transparent Firewall ASA8.2
Dear All,
I have one firewall that needs to be configured in transparent mode. I have an inside and an outside router. Can anyone just give me the configuration of a transparent firewall on ASA 8.2 please? I didn't find the configuration on the Cisco site.
Regards,
Ali.....
Dear jcarvaja
Reference is made to our previous communication regarding the transparent firewall. Following is my full config with your required capture. I can still ping the management of the ASA from inside and outside. But traffic is not transiting.
Inside Capture
sh capture INSIDE
24 packets captured
1: 00:11:45.244326 802.3 encap packet
2: 00:11:47.289245 802.3 encap packet
3: 00:11:49.233325 802.3 encap packet
4: 00:11:51.264039 802.3 encap packet
5: 00:11:53.258607 802.3 encap packet
6: 00:11:55.293060 802.3 encap packet
7: 00:11:57.339719 802.3 encap packet
8: 00:11:59.331113 802.3 encap packet
9: 00:12:01.343549 802.3 encap packet
10: 00:12:03.335218 802.3 encap packet
11: 00:12:05.349347 802.3 encap packet
12: 00:12:07.393152 802.3 encap packet
13: 00:12:09.117242 arp who-has 7.7.7.3 tell 7.7.7.2
14: 00:12:09.341931 802.3 encap packet
15: 00:12:11.103693 arp who-has 7.7.7.3 tell 7.7.7.2
16: 00:12:11.409341 802.3 encap packet
17: 00:12:13.102198 arp who-has 7.7.7.3 tell 7.7.7.2
18: 00:12:13.412393 802.3 encap packet
19: 00:12:15.088832 arp who-has 7.7.7.3 tell 7.7.7.2
20: 00:12:15.393244 802.3 encap packet
21: 00:12:16.206959 802.3 encap packet
22: 00:12:17.106043 arp who-has 7.7.7.3 tell 7.7.7.2
23: 00:12:17.448661 802.3 encap packet
24: 00:12:19.410760 802.3 encap packet
Outside Capture
1: 00:11:56.916105 802.3 encap packet
2: 00:11:58.879074 802.3 encap packet
3: 00:12:00.938367 802.3 encap packet
4: 00:12:02.893935 802.3 encap packet
5: 00:12:04.935437 802.3 encap packet
6: 00:12:06.927488 802.3 encap packet
7: 00:12:08.875702 802.3 encap packet
8: 00:12:09.117242 arp who-has 7.7.7.3 tell 7.7.7.2
9: 00:12:10.931104 802.3 encap packet
10: 00:12:11.113244 arp who-has 7.7.7.3 tell 7.7.7.2
11: 00:12:12.944088 802.3 encap packet
12: 00:12:13.102198 arp who-has 7.7.7.3 tell 7.7.7.2
13: 00:12:14.933331 802.3 encap packet
14: 00:12:15.088832 arp who-has 7.7.7.3 tell 7.7.7.2
15: 00:12:15.642453 802.3 encap packet
16: 00:12:16.948101 802.3 encap packet
17: 00:12:17.106043 arp who-has 7.7.7.3 tell 7.7.7.2
18: 00:12:18.968348 802.3 encap packet
19: 00:12:20.969066 802.3 encap packet
20: 00:12:22.976695 802.3 encap packet
21: 00:12:25.012572 802.3 encap packet
ASA
: Saved
ASA Version 8.0(2)
firewall transparent
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
interface Ethernet0/0
nameif outside
security-level 0
interface Ethernet0/1
shutdown
no nameif
no security-level
interface Ethernet0/2
shutdown
no nameif
no security-level
interface Ethernet0/3
nameif inside
security-level 100
interface Ethernet0/4
shutdown
no nameif
no security-level
interface Ethernet0/5
shutdown
no nameif
no security-level
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list OUT extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address 7.7.7.10 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group OUT in interface outside
access-group OUT in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
prompt hostname context
Cryptochecksum:00000000000000000000000000000000 -
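A way to check captures like the two above mechanically, added here as an example and not part of the post: it parses `show capture` lines of the form pasted, pairs ARP requests with replies and lists the targets that nobody answered (the request for 7.7.7.3 appearing on both interfaces with no reply is the symptom in this thread: the firewall bridges the request, but the host never responds). The reply-line format and the sample text are assumptions constructed for the example.

```python
import re
from typing import Dict, List

# One line of `show capture` output: "<seq>: <hh:mm:ss.usec> <decoded frame>"
LINE_RE = re.compile(r"^\s*(\d+):\s+(\d{2}:\d{2}:\d{2}\.\d+)\s+(.*\S)\s*$")
WHOHAS_RE = re.compile(r"arp who-has (\S+) tell (\S+)")
# Reply form assumed from the tcpdump-style decode ("arp reply <ip> is-at <mac>")
REPLY_RE = re.compile(r"arp reply (\S+) is-at (\S+)")

# Constructed excerpts in the format of the captures in the post: the 7.7.7.3
# requests mirror the unanswered ones in the thread; the 7.7.7.10 exchange is
# added so the report also shows a resolution that did complete.
SAMPLE_INSIDE = """\
13: 00:12:09.117242 arp who-has 7.7.7.3 tell 7.7.7.2
14: 00:12:09.341931 802.3 encap packet
15: 00:12:11.103693 arp who-has 7.7.7.3 tell 7.7.7.2
16: 00:12:11.209000 arp who-has 7.7.7.10 tell 7.7.7.2
17: 00:12:11.210500 arp reply 7.7.7.10 is-at 0011.2233.4455
"""
SAMPLE_OUTSIDE = """\
8: 00:12:09.117242 arp who-has 7.7.7.3 tell 7.7.7.2
9: 00:12:10.931104 802.3 encap packet
10: 00:12:11.113244 arp who-has 7.7.7.3 tell 7.7.7.2
"""


def parse_capture(text: str) -> List[dict]:
    """Turn capture lines into dicts; non-frame lines such as the
    '24 packets captured' header are skipped."""
    frames = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        seq, ts, body = m.groups()
        entry = {"seq": int(seq), "time": ts, "kind": "other", "body": body}
        if (w := WHOHAS_RE.search(body)):
            entry.update(kind="arp-request", target=w.group(1), sender=w.group(2))
        elif (r := REPLY_RE.search(body)):
            entry.update(kind="arp-reply", target=r.group(1), mac=r.group(2))
        elif "802.3 encap" in body:
            entry["kind"] = "802.3"  # typically STP/LLC frames, not user traffic
        frames.append(entry)
    return frames


def unanswered_arp(captures: Dict[str, str]) -> Dict[str, dict]:
    """Given {interface: capture text}, return the targets that were asked for
    but never replied, with the request count and the interfaces involved."""
    stats: Dict[str, dict] = {}
    blank = lambda: {"requests": 0, "seen_on": set(), "replied": False}
    for iface, text in captures.items():
        for fr in parse_capture(text):
            if fr["kind"] == "arp-request":
                s = stats.setdefault(fr["target"], blank())
                s["requests"] += 1
                s["seen_on"].add(iface)
            elif fr["kind"] == "arp-reply":
                stats.setdefault(fr["target"], blank())["replied"] = True
    return {t: {"requests": s["requests"], "seen_on": sorted(s["seen_on"])}
            for t, s in stats.items() if not s["replied"]}


def has_transit_traffic(captures: Dict[str, str]) -> bool:
    """True if anything other than ARP and 802.3 frames was seen at all."""
    return any(fr["kind"] == "other"
               for text in captures.values() for fr in parse_capture(text))
```

If a target shows up on both interfaces without a reply, the bridge is doing its job and the problem is the host or its gateway, not the firewall's forwarding path.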
ECMP through Transparent Firewall
I have an interesting question. We are going to try and run equal-cost multi-pathing through a transparent firewall. There will be two routers on one side and two on the other running eigrp between them. The question is, if a packet leaves one port but the response comes back on a different port, would this cause issues?
I can explain more if needed.
Hi,
When you run equal cost multi path on the ASA, you will not get a return packet on a different port. It will not do round robin fashion. The excerpt below from a Cisco document will clarify your doubt.
This document provides information on how to configure the Adaptive Security Appliance (ASA) with up to three equal cost routes to the same destination network per interface. The ASA hashes the source and destination IP addresses of the outbound packet to determine which route it will use to determine the next hop for the packet (the ASA does not employ a round-robin algorithm to choose the next hop). As opposed to round-robin load balancing, packets with the same source and destination pair are always sent towards the same next hop, as per the computed hash.
Regards
Karthik -
How does a transparent firewall intercept traffic in order to inspect and filter it? I'm not clear on the physical makeup of the design. If I have a vlan with some hosts I want to protect and connect the inside and outside interfaces of an ASA to the same VLAN, how does the ASA get in between those hosts I want to protect, other hosts on the same VLAN, and their default gateway in the same VLAN? From a cabling perspective I would only be connecting cables of the ASA and the hosts to a switch port that is in a common VLAN. Why would a host go through the firewall? Since it's all layer 2, wouldn't it have to be ARP? I've looked at the ARP scenarios in documentation, but none of it appears to state the firewall proxys ARP in some fashion.
thank you
Bill
Hello Bill,
That is exactly where it goes wrong: you don't have to connect everything on the same vlan; it would be two different logical vlans carrying Layer 2 traffic but with the same IP scheme. For example, consider the following scenario:
Vlan100
192.168.100.0
Inside network---------------Switch----------------Router--------Internet
Now, the main Idea of the ASA firewall is to be inserted on this scenario without having to change the IP scheme, so here is what you do
Vlan100 Vlan101
192.168.100.0 192.168.100.1
Inside network---------------ASA_Firewall------------------Router------Internet
What the ASA is going to do is to bridge packets between the inside network and the router. How? It creates its own MAC address table just like a switch and forwards the packets on a Layer 2 basis; it knows that the MAC address of the router is located on the outside and the MAC address of the inside host is on the inside, so when a request is going to the MAC address of the router it picks up the packet and bridges it to the router.
Hope it helps.
Mike
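The bridging behaviour this answer describes, together with two rules that come up in the earlier threads (traffic from the high-security side is allowed by default while the low-security side needs an ACL, and BPDUs only cross when an EtherType ACL permits them), as an added Python model. It is not ASA code and belongs to none of the posts; interface names, security levels, MAC addresses and the BPDU EtherType tag are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# IP and ARP are the real EtherType values; the BPDU tag is a constructed
# stand-in, since real BPDUs are 802.3/LLC frames rather than Ethernet II.
ETH_IP, ETH_ARP, ETH_BPDU = 0x0800, 0x0806, 0x4242


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    ethertype: int
    src_ip: Optional[str] = None
    dst_ip: Optional[str] = None


@dataclass
class TransparentFirewall:
    """Two-interface bridge group: learns MACs per interface, applies security
    levels / an optional IP ACL / an optional EtherType ACL, and keeps a
    connection table so return traffic of an allowed flow is accepted."""
    security: Dict[str, int]                                  # {"inside": 100, "outside": 0}
    ip_acl: Dict[str, Set[Tuple[str, str]]] = field(default_factory=dict)
    ethertype_acl: Dict[str, Set[int]] = field(default_factory=dict)
    mac_table: Dict[str, str] = field(default_factory=dict)  # MAC -> interface learned on
    conns: Set[Tuple[str, str]] = field(default_factory=set)  # (src_ip, dst_ip) allowed

    def __post_init__(self):
        if len(self.security) != 2 or len(set(self.security.values())) != 2:
            raise ValueError("a bridge needs two interfaces with different security levels")

    def _egress(self, ingress: str) -> str:
        return next(i for i in self.security if i != ingress)

    def _ip_permitted(self, ingress: str, f: Frame) -> bool:
        key = (f.src_ip, f.dst_ip)
        if (f.dst_ip, f.src_ip) in self.conns:     # reply to an already allowed flow
            return True
        acl = self.ip_acl.get(ingress)
        if acl is None:                             # no ACL: only high -> low is implicit
            ok = self.security[ingress] > self.security[self._egress(ingress)]
        else:
            ok = ("any", "any") in acl or key in acl
        if ok:
            self.conns.add(key)
        return ok

    def receive(self, ingress: str, f: Frame) -> Tuple[str, str]:
        """Return (decision, egress interface) for a frame arriving on `ingress`."""
        if ingress not in self.security:
            raise ValueError(f"unknown interface {ingress}")
        self.mac_table[f.src_mac] = ingress         # learn the source like a switch
        if f.ethertype == ETH_IP:
            allowed = self._ip_permitted(ingress, f)
        elif f.ethertype == ETH_ARP:
            allowed = True                          # ARP is bridged without an ACL
        else:
            allowed = f.ethertype in self.ethertype_acl.get(ingress, set())
        if not allowed:
            return ("deny", "")
        if self.mac_table.get(f.dst_mac) == ingress:
            return ("local", "")                    # destination sits on the ingress side
        return ("forward", self._egress(ingress))


def demo() -> list:
    """Walk the 192.168.100.0 scenario from the answer through the model."""
    fw = TransparentFirewall(security={"inside": 100, "outside": 0},
                             ethertype_acl={"inside": {ETH_BPDU}, "outside": {ETH_BPDU}})
    host, router = "0000.0000.0001", "0000.0000.00ff"      # constructed MACs
    events = [
        ("inside", Frame(host, router, ETH_IP, "192.168.100.10", "198.51.100.7")),  # host out
        ("outside", Frame(router, host, ETH_IP, "198.51.100.7", "192.168.100.10")),  # its reply
        ("outside", Frame(router, host, ETH_IP, "203.0.113.5", "192.168.100.10")),   # unsolicited
        ("inside", Frame(host, "0180.c200.0000", ETH_BPDU)),                          # STP BPDU
    ]
    return [fw.receive(iface, frame)[0] for iface, frame in events]
```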