Transparent Firewall with BVI

Hi! I have a question regarding transparent firewalls using BVIs.
Based on the diagram above, ASA1 is in transparent mode.
Port Gi0 is assigned BVI-1 and port Gi1 is assigned BVI-2.
Is it possible for network 1 to communicate with network 2?
The traffic would pass through the firewall towards the router; the router would do the routing and then forward it back to the firewall and on towards network 2?
I am thinking of making port Gi2 of the firewall a trunk and using subinterfaces in order to forward the BVI headers to the router.

Hi Franzis,
In transparent mode you can use only two interfaces, which have to be on the same subnet:
- The transparent security appliance uses an inside interface and an outside interface only. If your platform includes a dedicated management interface, you can also configure the management interface or subinterface for management traffic only.
In single mode, you can only use two data interfaces (and the dedicated management interface, if available) even if your security appliance includes more than two interfaces.
- Each directly connected network must be on the same subnet.
Source link:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml
Regards
Mariusz

Similar Messages

  • Transparent firewall with failover with multiple contexts

    I am running 8.4(2) on ASA5585s. They are in multiple context mode and set to transparent firewall with active/active failover. When I do a sh failover in a context I see 2 of my interfaces are (Waiting). I have a BVI and these are the IP addresses on the interfaces in the "sh failover" below.
    Failover On
    Last Failover at: 11:54:39 GMT/IST Feb 23 2012
            This context: Standby Ready
                    Active time: 175394 (sec)
                      Interface ctxb-inside (x.x.x.165): Normal (Waiting)
                      Interface ctxb-outside (x.x.x.165): Normal (Monitored)
            Peer context: Active
                    Active time: 11390663 (sec)
                      Interface ctxb-inside (x.x.x.164): Normal (Monitored)
                      Interface ctxb-outside (x.x.x.164): Normal (Waiting)
    Why are the interfaces in (waiting)?

    Are you able to ping between the interfaces? I.e., can you ping x.x.x.165 from x.x.x.164 and vice versa? If you are not able to ping it, that means there is no connectivity between the 2, hence the status is Normal (Waiting) because it has not received the hello packet on that corresponding interface.
    Here is the reference guide FYI:
    http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/s3.html#wp1505709

  • Transparent firewall with CSC

    Hi,
    We will be deploying 1 firewall with IPS module and 1 transparent firewall with CSC module. Please refer to the diagram. Is there any concern with this deployment? Will it work?
    Please advise.
    Thanks.

    Yes. Absolutely. No problem.
    -Kureli

  • Cisco Transparent firewall and cisco switch issues.

    Dears,
    I have a very plain scenario:
     LAN cisco switch <2 vlans>  ----------> cisco transparent firewall with bvi interface ------------>  crypto box ---------> cisco router ------ <remote/other site>
    I have VLAN 61 configured on the BVI interface of the firewall, the crypto box and also on the switch port, and VLAN 61 is up/up.
    The issue is I can connect remotely to the Cisco transparent firewall but cannot ping or connect to the Cisco switch.
    Need to know some troubleshooting tips and basic settings that I need to verify. I simply want the LAN switch with 2 VLANs to pass through the Cisco transparent firewall and go to the other site/remote site.

    Well,
    I have turned ICMP inspection on for the sessions, and the version I am using is 9.1.
    Moreover, I have put up the ACLs for inbound and outbound traffic, and while I ping across the firewall from the inside interface towards the outside interface PC, I can see packet counts increasing on the ACL in the show access-list command.
    I have requested the client to verify his part. Do let me know further tips if you have any.
    [ Moreover, we cannot use packet-tracer from the CLI in transparent mode. ]

  • Can I have multiple different vlans in one Single Mode Transparent Firewall

    Hi,
    I am about to configure a Data Center FW (ver 9.2) to protect a multi-tier server farm: Web, Applications & Database. There is a requirement to set the FW in Transparent Mode, while the license is the base 2-contexts only.
    I wonder if one single transparent context, with different bridge-groups, one for each VLAN, is a workable solution. I have pasted the configuration of the FW; it may help in understanding the setup.
    ======
    firewall transparent
    names
    interface TenGigabitEthernet0/8
     description To Nx7K-1 Port-8
     channel-group 9 mode passive
     no shutdown
     no nameif
     no security-level
    interface TenGigabitEthernet0/9
     description Nx7K-1 Port-9
     channel-group 9 mode passive
     no shutdown
     no nameif
     no security-level
    interface TenGigabitEthernet1/8
     description Nx7K-2 Port-8
     channel-group 9 mode passive
     no shutdown
     no nameif
     no security-level
    interface TenGigabitEthernet1/9
     description Nx7K-2 Port-9
     channel-group 9 mode passive
     no shutdown
     no nameif
     no security-level
    interface BVI1
     desc Services Zone
     ip address x.x.41.250 255.255.255.0
    interface BVI2
     description WEB-APPS Zone
     ip address x.x.42.250 255.255.255.0
    interface BVI3
     desc Oracle management
    ip address x.x.43.250 255.255.255.0
    interface BVI4
     descr Oracle DB
     ip address x.x.44.250 255.255.255.0
    interface Port-channel9
     description ECLB Trunk to NX7Ks
     duplex full
     port-channel load-balance src-dst-ip-port
     no nameif
     no security-level
    switchport mode trunk
    switchport trunk allowed vlan 41-44,141-144
    interface Port-channel9.41
     vlan 41
     nameif Services-Outside
     bridge-group 1
     security-level 0
    interface Port-channel9.141
     description Services-Inside
     vlan 141
     nameif Services-Inside
     bridge-group 1
     security-level 100
    interface Port-channel9.42
    description WEB_APPS-Outside
     vlan 42
    nameif WEB_APPS-Outside
     bridge-group 2
     security-level 0
    interface Port-channel9.142
     description WEB_APPS-Inside
     vlan 142
     nameif WEB_APPS-Inside
     bridge-group 2
     security-level 100
    interface Port-channel9.43
    desc Oracle management
     vlan 43
     nameif Oracle_Mgmt-Outside
     bridge-group 3
     security-level 0
    interface Port-channel9.143
     description Oracle management Inside
     vlan 143
     nameif Oracle_Mgmt_Inside
     bridge-group 3
     security-level 100
    interface Port-channel9.44
    desc Oracle DB
     vlan 44
     nameif Oracle_DB_Outside
     bridge-group 3
     security-level 0
    interface Port-channel9.144
     description Oracle DB Inside
     vlan 144
     nameif Oracle_DB_Inside
     bridge-group 4
     security-level 100

    It is possible but it is not scalable. If I remember correctly you can only have a maximum of 8 BVI interfaces, so this means you can only have 8 subnets going across the ASA. You would also need separate VLANs for the inside interface and the outside interface, since you cannot configure two interfaces to be in the same VLAN, and then assign these interfaces to the appropriate BVI group.
    Please remember to select a correct answer and rate helpful posts

  • Why use transparent firewall in data center?

    I've seen Cisco documentation recommending transparent mode for firewall deployment in the data center, e.g. 5585X. I understand the key reasons for this are:
    - easy "insertion" of firewall in pre-existing network
    - speed (since there is no "hair-pinning")
    Assume that the above two are not a major concern (i.e. you can redesign your network to have the firewall hold default gateways and your firewall is much more powerful than your needs). Then from a financial perspective, it doesn't seem to make sense to do transparent firewall deployment of the 5585X for the following reasons:
    - you are limited to a maximum of 8 bridge-groups
    If you really want to follow best practices and implement fine segmentation of your network, you'll need to create 10s or 100s of VLANs and perform access control on them. This limit of 8 BVIs means that you basically can have only 8 "segments" per context. After that, you have to resort to adding contexts as you grow (contexts introduce their own cost AND complexity).
    Am I missing something? Why would Cisco recommend transparent firewall for data center if cost is remotely a concern? I can't seem to find any good documentation justifying this. Thanks in advance for your experiences/insight.

    Hello Fouzan,
    I think you already covered it.
    Good job with the analysis. Basically, as you said, it is the ability to place the transparent mode into the network environment, no routing complications, etc., BUT as you said there are limitations.
    I would still use the routed mode due to the requirements you set, but there will be scenarios when this will not be the case and a bridge-group or 2 will take care of everything, so a transparent mode firewall would do it.
    Regards

  • Transparent design with router on both sides?

    I am looking to solve a design which has to work in two scenarios. Preferably with an in-line solution.
    1. Transparent design with VRF on both sides:
    FW-VRF (Subnet A)
          |
          | (VLAN 11)
          |
       ACE (Subnet A)
          |
          | (VLAN 12)
          |
    LAN-VRF
          |
          |  (VLAN 13)
          |
    Real servers (Subnet B)
    2. Transparent design in plain bridge mode:
    FW-VRF (Subnet A)
          |
          | (VLAN 11)
          |
       ACE (Subnet A)
          |
          | (VLAN 12)
          |
    Real servers (Subnet A)
    As mentioned, I am aiming for a single design for both scenarios. A routed design will not pass in the first scenario and a one-arm solution will be inefficient in the second scenario. (both due to existing infrastructure) Is it possible to solve this with a transparent solution in both scenarios? I can't seem to get it to work.
    Thanks in advance for any help!

    I'm gonna expand my question a bit as I can not seem to get a working config in scenario 1. From the ACE I can ping the VRFs on both sides of the ACE. On the other hand, I can ping neither the BVI address of the ACE nor one VRF from the other. Can anyone notice any immediate errors in my config? Thanks in advance for any help!
    Addresses:
    10.3.66.1 - FW_VRF on client side
    10.3.66.6 - LAN_VRF on server side
    10.3.66.7 - BVI if on ACE
    ===Admin===
    resource-class TEST_res
    limit-resource all minimum 10.00 maximum unlimited
    boot system image:c4710ace-mz.A3_2_0.bin
    hostname 4710Appl
    interface gigabitEthernet 1/1
    description Management port
    switchport access vlan 752
    no shutdown
    interface gigabitEthernet 1/2
    description Client side LAN
    switchport trunk allowed vlan 2522
    no shutdown
    interface gigabitEthernet 1/3
    description Server side LAN
    switchport trunk allowed vlan 2524
    no shutdown
    interface gigabitEthernet 1/4
    shutdown
    access-list BPDU ethertype permit bpdu
    access-list ALL line 8 extended permit ip any any
    access-list everyone line 8 extended permit ip any any
    access-list everyone line 16 extended permit icmp any any
    class-map type management match-any REMOTE_ACCESS
    description Remote access traffic match
    2 match protocol ssh any
    3 match protocol icmp any
    4 match protocol snmp any
    policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
    class REMOTE_ACCESS
    permit
    interface vlan 752
    description Management VLAN
    ip address 10.7.52.63 255.255.255.0
    service-policy input REMOTE_MGMT_ALLOW_POLICY
    no shutdown
    ip route 0.0.0.0 0.0.0.0 10.3.66.1
    context TEST_context
    allocate-interface vlan 752
    allocate-interface vlan 2522
    allocate-interface vlan 2524
    member TEST_res
    context TEST_context_routed
    username admin password 5 $1$bale5EiS$bEdquz.bbcW3wRcfeSzbu/  role Admin domain default-domain
    username www password 5 $1$bsOdgxav$1uywtkwFEj3QalKaOTrkZ1  role Admin domain default-domain
    ssh key rsa 1024 force
    ===Application context===
    access-list ALL line 8 extended permit ip any any
    access-list ALL line 16 extended permit icmp any any
    class-map type management match-any REMOTE_ACCESS
    description Remote access traffic match
    2 match protocol ssh any
    3 match protocol icmp any
    policy-map type management first-match REMOTE_MGMT_ALLOW_POLICY
    class REMOTE_ACCESS
    permit
    interface vlan 752
    ip address 10.7.52.64 255.255.255.0
    service-policy input REMOTE_MGMT_ALLOW_POLICY
    no shutdown
    interface vlan 2522
    description Client side VLAN
    bridge-group 1
    access-group input ALL
    access-group output ALL
    no shutdown
    interface vlan 2524
    description Server side VLAN
    bridge-group 1
    access-group input ALL
    access-group output ALL
    no shutdown
    interface bvi 1
    ip address 10.3.66.7 255.255.255.240
    no shutdown
    ip route 0.0.0.0 0.0.0.0 10.3.66.1

  • FWSM Transparent firewall query

    Customer has over 50 vlans with fwsm inside as below.
    WAN --- MSFC ---IDSM-2 --- FWSM --- Inside network (multiple vlans)
    Customer wants all internal vlan communication to be inspected by FWSM. What will be the best option - transparent firewall or routed mode and how will this work?
    Regards
    Vinod

    Hi Jon,
    Thanks for your valuable suggestion.
    My customer has FWSM IDSM and NAM module with 6500 switch and has the following requirement.
    1- Inter-VLAN communication needs to be protected by FWSM and IDSM (only inline mode). I have never seen IDSM-2 in an inline setup in any of my previous HLDs.
    2- Customer has collapsed core architecture with access switches terminating at 6509 directly to FWSM (facing inside). With FWSM running inside, I only have 2 options for redundancy. Either use routed mode and run ospf at the access layer (eigrp not supported on FWSM) or run FWSM in transparent mode.
    If you have ever faced such scenario, would appreciate if you could share your experience.
    Regards
    Vinod

  • Rule for Control Plane traffic Transparent Firewall

    Hi Everyone,
    On an ASA working in routed mode, traffic is allowed by default from the high security inside to the low security outside.
    But in the case of a transparent firewall, control plane traffic from inside to outside is not allowed by default.
    Need to know the reason behind this?
    Is this due to the transparent firewall being layer 2?
    Regards
    Mahesh

    Hello Chintan,
    the VRF access link where the CE is connected is part of the VRF and isn't a member of the Global Routing Table anymore.
    So any possible attempt to build an LDP session cannot impact the backbone MPLS control plane.
    If you want to specify all the acceptable LDP sources in a receive-ACL or in Control Plane Policing as part of a security plan, that will be another matter.
    Only in a Carrier Supporting Carrier scenario do you have an MPLS LDP or BGPv4 with labels session between PE and CE.
    Hope to help
    Giuseppe

  • Transparent mode with AIP-SSM-20

    I currently have an ASA5510 in routed mode with an AIP-SSM-20.
    There is a requirement to use a fibre optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE.  This part should present no issue.
    However, this will remove the IPS device, and I still want to use IPS.
    So, what I am thinking is to get another ASA5510, install the AIP-SSM, configure ASA for transparent mode and put it in between the inside of the routed ASA and my LAN.  The transparent ASA would be functioning strictly as an IPS appliance.
    Setup would look something like this:
    Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN
    Can the AIP-SSM still perform IPS with the ASA in transparent mode?
    Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?
    I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.
    Regards.

    AFAIR, there is no problem setting up AIP in a transparent firewall.
    "An ASA in transparent mode can run an AIP. In the event the AIP fails, the IPS will fail-open and the ASA will continue to pass traffic. However, if an interface or cable fails, then traffic will stop. You would need a failover pair to account for this failure event, which means another ASA and matching AIP."
    And no, there is no problem excluding certain hosts/ports/subnets from IPS inspection via MPF.
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744
    What I would however consider is whether ASA 5510s as a second-tier firewall for 5520s will be enough.
    http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
    HTH,
    Marcin

  • Transparent Firewall Configuration

    I'm trying to configure an ASA 5540 in transparent firewall mode. The server farm is connected to the inside zone and users are connected to the outside zone on multiple VLANs routed via inter-VLAN routing using the core switch.
    As per Cisco configuration guidelines for a transparent firewall, the INSIDE and OUTSIDE zones are configured to be in two different VLANs, while the gateway IP address of the server farm is configured on the core switch.
    The transparent firewall works fine if connected to TWO different switches with ACL permit any any on the outside interface. But if TWO DIFFERENT VLANs (ex. 111 & 222) are configured on the same Catalyst 4500 switch and the inside zone and outside zone (222) are connected to the respective ASA 5540 interfaces in TRANSPARENT MODE (inside interface to port 3/0/1 in VLAN 111 & outside interface to port 3/0/2 in VLAN 222), traffic is not flowing through.
    VLAN 222 USED FOR SERVER FARM CONNECTED TO INSIDE ZONE HAS THE DEFAULT GATEWAY ADDRESS CONFIGURED in the CORE SWITCH under INT VLAN 111, which is connected to the OUTSIDE interface of the ASA.
    Core Switch int gig1/0/1...>vlan 111...>ASA OUTSIDE...>Vlan 222...> server farm in vlan 222
    No ARP entries are seen on the inside interface. An EtherType ACL to allow BPDUs on both the INSIDE AND OUTSIDE interfaces of the ASA has also been configured.
    Can you please provide me guidelines and a step-by-step procedure to configure the ASA 5540 in transparent firewall mode with the INSIDE & OUTSIDE interfaces connecting to TWO different VLANs on the same Catalyst switch.
    Thanking you in advance,
    with best regards
    Meenaakshi Sundaram
    Network Consultant

    Hi Kirk,
    Yes, you can.
    You just have to make sure that you configure only 1 SVI on the switch.
    Example:
    L3 subnet: 10.1.1.0/24
    VLAN 100 -- Inside (ASA) Outside -- VLAN 200
    Hosts will all be connected to VLAN 100 on the switch.
    ASA inside interface will be connected to VLAN 100 on the switch
    ASA outside interface will be connected to VLAN 200 on the switch
    Switch should only have 1 SVI - interface vlan 200 (10.1.1.254 for example). Switch should never be configured with SVI on vlan 100 (should not have interface vlan 100).
    All hosts would be in the 10.1.1.0/24 subnets with default gateway set to 10.1.1.254.
    ASA should only have 2 interfaces (inside - security level 100, and outside - security level 0). They can't be on the same security level.
    Hope that helps.

  • Configuring management interface in transparent firewall

    Hi there, 
    I know I have been asking basic questions. But I have a 5520 with VPN Plus license.
    This firewall is in transparent mode now. How do I configure the management IP on this? (I mean, is there a dedicated management interface or what?)
    Regards, 
    Yad Singh

    Hi,
    Consider an ASA in transparent mode just like a Layer 2 switch, where you would have to define an SVI or IP address for management.
    In the case of the ASA, on ASA 8.2 and before, you can only configure one single IP address for management.
    On ASA 8.4 and above, we have something known as bridge groups, which are configured with the management IP address.
    Refer these documents:-
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/fwmode.html#wp1201980
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/mode_fw.html#wp1367568
    http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/97853-Transparent-firewall.html
    Let me know if you have any queries.
    Thanks and Regards,
    Vibhor Amrodia

  • Configuration Required for Transparent Firewall ASA8.2

    Dear All,
    I have one firewall that needs to be configured in transparent mode. I have an inside and an outside router. Can anyone just give me the configuration of a transparent firewall on ASA 8.2 please. I didn't find the configuration on the Cisco site.
    Regards,
    Ali.....

    Dear jcarvaja
    Reference made to our previous communication regarding the transparent firewall. Following is my full config with your required capture. I can still ping the management of the ASA from inside and outside. But traffic is not transiting.
    Inside Capture
    sh capture INSIDE
    24 packets captured
       1: 00:11:45.244326 802.3 encap packet
       2: 00:11:47.289245 802.3 encap packet
       3: 00:11:49.233325 802.3 encap packet
       4: 00:11:51.264039 802.3 encap packet
       5: 00:11:53.258607 802.3 encap packet
       6: 00:11:55.293060 802.3 encap packet
       7: 00:11:57.339719 802.3 encap packet
       8: 00:11:59.331113 802.3 encap packet
       9: 00:12:01.343549 802.3 encap packet
      10: 00:12:03.335218 802.3 encap packet
      11: 00:12:05.349347 802.3 encap packet
      12: 00:12:07.393152 802.3 encap packet
      13: 00:12:09.117242 arp who-has 7.7.7.3 tell 7.7.7.2
      14: 00:12:09.341931 802.3 encap packet
      15: 00:12:11.103693 arp who-has 7.7.7.3 tell 7.7.7.2
      16: 00:12:11.409341 802.3 encap packet
      17: 00:12:13.102198 arp who-has 7.7.7.3 tell 7.7.7.2
      18: 00:12:13.412393 802.3 encap packet
      19: 00:12:15.088832 arp who-has 7.7.7.3 tell 7.7.7.2
      20: 00:12:15.393244 802.3 encap packet
      21: 00:12:16.206959 802.3 encap packet
      22: 00:12:17.106043 arp who-has 7.7.7.3 tell 7.7.7.2
      23: 00:12:17.448661 802.3 encap packet
      24: 00:12:19.410760 802.3 encap packet
    Outside Capture
       1: 00:11:56.916105 802.3 encap packet
       2: 00:11:58.879074 802.3 encap packet
       3: 00:12:00.938367 802.3 encap packet
       4: 00:12:02.893935 802.3 encap packet
       5: 00:12:04.935437 802.3 encap packet
       6: 00:12:06.927488 802.3 encap packet
       7: 00:12:08.875702 802.3 encap packet
       8: 00:12:09.117242 arp who-has 7.7.7.3 tell 7.7.7.2
       9: 00:12:10.931104 802.3 encap packet
      10: 00:12:11.113244 arp who-has 7.7.7.3 tell 7.7.7.2
      11: 00:12:12.944088 802.3 encap packet
      12: 00:12:13.102198 arp who-has 7.7.7.3 tell 7.7.7.2
      13: 00:12:14.933331 802.3 encap packet
      14: 00:12:15.088832 arp who-has 7.7.7.3 tell 7.7.7.2
      15: 00:12:15.642453 802.3 encap packet
      16: 00:12:16.948101 802.3 encap packet
      17: 00:12:17.106043 arp who-has 7.7.7.3 tell 7.7.7.2
      18: 00:12:18.968348 802.3 encap packet
      19: 00:12:20.969066 802.3 encap packet
      20: 00:12:22.976695 802.3 encap packet
      21: 00:12:25.012572 802.3 encap packet
    ASA
    : Saved
    ASA Version 8.0(2)
    firewall transparent
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names
    interface Ethernet0/0
    nameif outside
    security-level 0
    interface Ethernet0/1
    shutdown
    no nameif
    no security-level
    interface Ethernet0/2
    shutdown
    no nameif
    no security-level
    interface Ethernet0/3
    nameif inside
    security-level 100
    interface Ethernet0/4
    shutdown
    no nameif
    no security-level
    interface Ethernet0/5
    shutdown
    no nameif
    no security-level
    passwd 2KFQnbNIdI.2KYOU encrypted
    ftp mode passive
    access-list OUT extended permit icmp any any
    pager lines 24
    mtu outside 1500
    mtu inside 1500
    ip address 7.7.7.10 255.255.255.0
    no failover
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    access-group OUT in interface outside
    access-group OUT in interface inside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout uauth 0:05:00 absolute
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    no crypto isakmp nat-traversal
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    class-map inspection_default
    match default-inspection-traffic
    policy-map global_policy
    class inspection_default
      inspect icmp
    service-policy global_policy global
    prompt hostname context
    Cryptochecksum:00000000000000000000000000000000

  • ECMP through Transparent Firewall

    I have an interesting question.  We are going to try and run equal-cost multi-pathing through a transparent firewall.  There will be two routers on one side and two on the other running eigrp between them.  The question is, if a packet leaves one port but the response comes back on a different port, would this cause issues?
    I can explain more if needed.

    Hi,
    When you run equal cost multi path on the ASA, you will not get a return packet on a different port. It will not do it in round-robin fashion. The excerpt below from the Cisco document will clarify your doubt.
    This document provides information on how to configure the Adaptive Security Appliance (ASA) with up to three equal cost routes to the same destination network per interface. The ASA hashes the source and destination IP addresses of the outbound packet to determine which route it will use to determine the next hop for the packet (the ASA does not employ a round-robin algorithm to choose the next hop). As opposed to round-robin load balancing, packets with the same source and destination pair are always sent towards the same next hop, as per the computed hash.
    Regards
    Karthik

  • Using a Transparent Firewall

    How does a transparent firewall intercept traffic in order to inspect and filter it? I'm not clear on the physical makeup of the design. If I have a VLAN with some hosts I want to protect and connect the inside and outside interfaces of an ASA to the same VLAN, how does the ASA get in between those hosts I want to protect, other hosts on the same VLAN, and their default gateway in the same VLAN? From a cabling perspective I would only be connecting cables of the ASA and the hosts to a switch port that is in a common VLAN. Why would a host go through the firewall? Since it's all layer 2, wouldn't it have to be ARP? I've looked at the ARP scenarios in documentation, but none of it appears to state the firewall proxies ARP in some fashion.
    thank you
    Bill 

    Hello Bill,
    That is exactly where it goes wrong: you don't have to connect everything on the same VLAN. It would be two different logical VLANs carrying Layer 2 traffic but with the same IP scheme. For example, consider the following scenario:
                                       Vlan100
                                  192.168.100.0
    Inside network---------------Switch----------------Router--------Internet
    Now, the main Idea of the ASA firewall is to be inserted on this scenario without having to change the IP scheme, so here is what you do
                            Vlan100                        Vlan101      
                        192.168.100.0              192.168.100.1
    Inside network---------------ASA_Firewall------------------Router------Internet
    What the ASA is going to do is bridge packets between the inside network and the router. How? It creates its own MAC address table just like a switch and forwards the packets on a layer 2 basis. It knows that the MAC address of the router is located on the outside and the MAC address of the inside host is on the inside, so when a request is going to the MAC address of the router it picks up the packet and bridges it to the router.
    Hope it helps.
    Mike
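To make Mike's description concrete, and Mariusz's point at the top of the thread that traffic never crosses between bridge-groups inside the ASA, here is a toy Python model written for this page (not code from Cisco or from anyone in the thread) of a transparent firewall with one MAC table per bridge-group and a security-level/ACL check before a frame leaves. The 8.4-style bridge-group model is assumed, and all interface names, MAC and IP addresses are constructed for the demo.

```python
"""Toy ASA-style transparent firewall: per-bridge-group MAC learning, Layer-2
forwarding, and a security-level / inbound-ACL check.  All addresses are constructed."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    proto: str              # "arp", "icmp", "tcp", ...
    src_ip: str = ""
    dst_ip: str = ""


@dataclass
class Interface:
    name: str
    bridge_group: int
    security_level: int
    acl: list = field(default_factory=list)   # inbound rules: (proto|"any", "permit"|"deny")


class TransparentFirewall:
    def __init__(self):
        self.interfaces = {}
        self.mac_tables = {}    # bridge_group -> {mac: interface name}
        self.denied = []        # (ingress, proto, src_ip, dst_ip) of dropped frames

    def add_interface(self, iface):
        self.interfaces[iface.name] = iface
        self.mac_tables.setdefault(iface.bridge_group, {})

    def _policy_allows(self, ingress, egress, frame):
        if frame.proto == "arp":
            return True                         # ARP is bridged both ways without an ACL
        for proto, action in ingress.acl:       # explicit inbound ACL, first match wins
            if proto in ("any", frame.proto):
                return action == "permit"
        # implicit rule: a higher security level may initiate to a lower one, not vice versa
        return ingress.security_level > egress.security_level

    def receive(self, ifname, frame):
        """Return the names of the interfaces the frame is forwarded out of."""
        ingress = self.interfaces[ifname]
        table = self.mac_tables[ingress.bridge_group]
        table[frame.src_mac] = ifname           # learn the source MAC, as a switch does
        known = table.get(frame.dst_mac)
        if frame.dst_mac != BROADCAST and known is not None:
            candidates = [] if known == ifname else [known]
        else:                                   # unknown/broadcast: flood within this bridge-group only
            candidates = [n for n, i in self.interfaces.items()
                          if i.bridge_group == ingress.bridge_group and n != ifname]
        out = []
        for name in candidates:
            if self._policy_allows(ingress, self.interfaces[name], frame):
                out.append(name)
            else:
                self.denied.append((ifname, frame.proto, frame.src_ip, frame.dst_ip))
        return out


def run_demo():
    """Host A sits inside bridge-group 1 with gateway GW outside it; host B is in bridge-group 2."""
    fw = TransparentFirewall()
    for name, bg, level in [("inside", 1, 100), ("outside", 1, 0),
                            ("inside2", 2, 100), ("outside2", 2, 0)]:
        fw.add_interface(Interface(name, bg, level))
    a, gw, b = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:fe", "bb:bb:bb:00:00:01"
    r = {}
    # 1. A ARPs for GW: unknown destination, flooded within bridge-group 1 only
    r["arp_req"] = fw.receive("inside", Frame(a, BROADCAST, "arp"))
    # 2. GW answers: A's MAC is already learned, and ARP passes low -> high
    r["arp_rep"] = fw.receive("outside", Frame(gw, a, "arp"))
    # 3. A pings out: high -> low is allowed by the implicit rule
    r["ping_out"] = fw.receive("inside", Frame(a, gw, "icmp", "10.1.1.5", "10.1.1.254"))
    # 4. An outside host opens TCP to A: dropped, nothing permits low -> high
    r["tcp_in_default"] = fw.receive("outside", Frame(gw, a, "tcp", "198.51.100.9", "10.1.1.5"))
    # 5. The same flow once an inbound ACL on outside permits tcp
    fw.interfaces["outside"].acl.append(("tcp", "permit"))
    r["tcp_in_acl"] = fw.receive("outside", Frame(gw, a, "tcp", "198.51.100.9", "10.1.1.5"))
    # 6. B addresses A's MAC from bridge-group 2: that table has never seen it, so the
    #    frame floods inside bridge-group 2 and never reaches bridge-group 1
    r["cross_bg"] = fw.receive("inside2", Frame(b, a, "icmp", "10.2.2.5", "10.1.1.5"))
    return fw, r


if __name__ == "__main__":
    fw, results = run_demo()
    for step, ports in results.items():
        print(f"{step:16} -> {ports}")
    print("denied:", fw.denied)
```

Step 6 is the answer to the opening question: the only way for two bridge-groups to talk is through an external router attached to both, never inside the ASA.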
