Transparent Mode and Logging

Is it possible for a 5505 ASA to be in transparent mode, with ethernet0/0 outside and ethernet0/1 inside, and use ethernet0/2 for syslog only on a separate network other than the one that 0/0 and 0/1 are using? The transparent part being on a 192.168.168.X/24 and the syslog server being on, say, a 10.2.1.X/24 network?
Thanks

Hello Will,
Haven't tried it, but I am sure you should be able to use the OOB management interface (management 0/0) to accomplish such.
Let us know.
Mike
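As an added illustration of the collector side of the setup asked about above (firewall data path on 192.168.168.x/24, syslog server on a separate 10.2.1.x/24 network reached through the management interface), here is a small Python parser for ASA-format syslog messages. This is example code written for this page, not Cisco's; the "%ASA-<severity>-<message id>:" prefix is the standard ASA syslog format, while the sample records, the source addresses and the rule that log traffic must arrive from the management subnet are constructed assumptions.

```python
"""
Collector-side parsing and triage of ASA syslog messages.

Added example, not Cisco code. The sample lines and addresses are
constructed; MGMT_SUBNET is the assumed out-of-band network the
firewall logs from (10.2.1.x/24 in the question above).
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

# Assumption: the ASA sends syslog from its management address on this subnet.
# A firewall log arriving from the data-plane subnet instead is a misconfiguration
# worth flagging, which is why triage() separates it out.
MGMT_SUBNET = ipaddress.ip_network("10.2.1.0/24")

# Standard ASA message prefix: %ASA-<severity 0-7>-<six-digit message id>: <text>
ASA_RE = re.compile(r"%ASA-(?P<sev>[0-7])-(?P<msgid>\d{6}):\s*(?P<text>.*)$")

# ASA severity levels; lower numbers are more severe.
SEVERITY = {0: "emergencies", 1: "alert", 2: "critical", 3: "error",
            4: "warning", 5: "notification", 6: "informational", 7: "debugging"}


def parse_asa_message(line: str) -> Optional[Dict[str, object]]:
    """Return severity, level name, message id and text, or None if not ASA-formatted."""
    m = ASA_RE.search(line)
    if m is None:
        return None
    sev = int(m.group("sev"))
    return {"severity": sev, "level": SEVERITY[sev],
            "msgid": m.group("msgid"), "text": m.group("text")}


def triage(records: List[Tuple[str, str]], max_severity: int = 4):
    """Split (source_ip, line) records into three lists:
       accepted  - ASA messages from MGMT_SUBNET at severity <= max_severity
       wrong_src - ASA messages that arrived from outside MGMT_SUBNET
       unparsed  - lines that are not ASA-formatted at all
    With the default max_severity=4, warnings and anything worse are kept."""
    accepted, wrong_src, unparsed = [], [], []
    for src, line in records:
        parsed = parse_asa_message(line)
        if parsed is None:
            unparsed.append(line)
            continue
        if ipaddress.ip_address(src) not in MGMT_SUBNET:
            wrong_src.append((src, parsed["msgid"]))
            continue
        if parsed["severity"] <= max_severity:
            accepted.append((src, parsed))
    return accepted, wrong_src, unparsed


# Constructed sample input: (source address as seen by the collector, message).
SAMPLE_RECORDS = [
    ("10.2.1.5", "%ASA-6-302013: Built inbound TCP connection 4711 for outside:203.0.113.7/51000 "
                 "(203.0.113.7/51000) to inside:192.168.168.20/443 (192.168.168.20/443)"),
    ("10.2.1.5", "%ASA-4-106023: Deny tcp src outside:203.0.113.9/44444 dst inside:192.168.168.20/445 "
                 "by access-group \"OUTSIDE-IN\""),
    # Same message class, but it arrived from the data-plane network, not management.
    ("192.168.168.1", "%ASA-4-106023: Deny udp src inside:192.168.168.30/5353 dst outside:198.51.100.2/53 "
                      "by access-group \"INSIDE-IN\""),
    # Not an ASA message at all (e.g. the collector's own host logs).
    ("10.2.1.5", "sshd[2211]: Accepted publickey for admin from 10.2.1.9 port 50022"),
]

if __name__ == "__main__":
    accepted, wrong_src, unparsed = triage(SAMPLE_RECORDS)
    for src, rec in accepted:
        print(f"{src} {rec['level']:>13} {rec['msgid']} {rec['text']}")
    print("wrong source network:", wrong_src)
    print("unparsed lines:", len(unparsed))
```

Running the block prints the one warning-level message that came from the management subnet, lists the message that arrived from the wrong network, and counts the non-ASA line; raising `max_severity` to 6 also keeps the informational connection-built message.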

Similar Messages

  • ASA in transparent mode and IP addresses

    Hello,
    I need to put an ASA in transparent mode.
    Our router (managed by the carrier) routes more than one public IP class in a single VLAN.
    On the "Cisco Security Appliance Command Line Configuration Guide", in "Transparent Firewall Guidelines" it's written: "Each directly connected network must be on the same network".
    Does this also mean that I can have ONLY ONE subnet that flows from the outside to the inside, or can I have more than one class?
    If I can have only one class, is the only solution to use multiple contexts (and separate each class on different interfaces)?
    Thanks a lot

    The ASA in transparent mode works at layer 2. So it really does not care if the traffic that flows through it is from different subnets, as long as the L3 devices it connects to know how to reach these subnets. The ASA in transparent mode is basically a bump in the wire (a bridge), and for that reason you can only use 2 interfaces on the ASA in a transparent implementation.
    P.S. When people see attitude in your threads, they will refrain from answering your question. That's for future reference.

  • VTP transparent mode and using VTP domain

    Hi all,
    Need to ask a question: when using VTP transparent mode, is it a good idea to use a VTP domain name and password?
    I know switches in transparent mode act independently of each other.
    So I need to know why we should use a VTP domain and password with transparent mode?
    thanks
    mahesh

    Mahesh,
    I know this is 2 years later, but it will help others who come across this. If you have a Transparent switch mixed with Server and Client switches, this is your concern: if you do not put the Transparent switch in the same domain, then it will not forward VLAN changes to other switches.
    So Sw1(Server-CCIE Domain) <-------> Sw2(Transparent-CCIE Domain) <-------> Sw3(Client-CCIE Domain)
    The above will work because the Transparent switch is in the same domain. This means that SW3 will get any VLAN changes that are done on SW1.
    Now let's look at it the other way:
    Sw1(Server-CCIE Domain) <-------> Sw2(Transparent-Null Domain) <-------> Sw3(Client-CCIE Domain)
    Two things are going to happen here:
    1) The transparent switch is not in the same domain, so SW3 will never get any updates when changes to VLANs are done on SW1. So if I add one VLAN to SW1, and that makes the Configuration Revision increase to the value of 10, that means SW3's Revision will still be 9, and will remain that way until the issue is corrected.
    2) If you are dynamically negotiating trunks, this will never happen due to the mismatched domains. Meaning that your trunks will never come up because you did not put your Transparent switch in the same domain.
    Kiel Martin

  • Data Guard Protection Mode and log transfer doubt

    Friends,
    DB: 11gR2 (11.2.0.3) 64 bit
    OS: OEL 5.5 64 bit
    I am new to Data Guard.
    I just finished the setup of a primary DB and physical standby on my notebook.
    The protection mode is the default one, that is, maximum performance (primary).
    In the maximum protection mode, whenever I need the logs to be transferred to the physical standby, I have to do the switch logfile and also archive the current log.
    It's not reflecting/transferring automatically. That is, in the scott user I created a table in the primary DB,
    but it's not reflecting in the physical standby of the scott user. Once I do the below:
    alter system switch logfile;
    alter system archive log current;
    then it's reflecting in the physical standby. So, do I have to change this mode to maximum availability or maximum protection?
    So in maximum performance mode, do I have to execute the above statements whenever I need the log transport from primary to standby?
    thanks

    1. Can real-time apply be used in all the 3 protection modes? Yes.
    2. While changing the protection mode, do I have to do it in the primary DB? Yes, changes are done in the primary database.
    http://docs.oracle.com/cd/B28359_01/server.111/b28294/protection.htm#
    3. While shutting down the physical standby and primary, I just run the shutdown immediate command in the standby and then in the primary. Are there any steps to be followed while shutting down or starting up the server in the Data Guard environment, like in a RAC environment?
    While shutting down, do this:
    Check whether the primary and standby databases are in SYNC, then cancel the recovery process.
    Shut down the primary database and then shut down the standby database. If you are using ASM then you have to shut that down also.
    Stop all listeners and cluster services. Perform this step on all nodes in an Oracle Real Application Clusters (Oracle RAC) environment.
    While starting, do this:
    Start the cluster services and listener.
    Start ASM and then the database.
    Start the recovery process on the standby database.

  • No archivelog mode and logging option

    Hi, I am having a database 9i on Windows 2000 Advanced Server. My database is in no archivelog mode. I am creating a table with the logging option as follows:
    create table x(no number(1))
    logging;
    table created
    Please let me know where the information will be logged. Is it into trace files, because the database is in no archivelog mode?

    Logging information is always recorded in your redolog files, irrespective whether your database is in ARCHIVELOG mode or NOARCHIVELOG mode.
    By default a table is created in LOGGING mode, you don't have to explicitly specify it.
    Here is an example:
    SQL> archive log list
    Database log mode              No Archive Mode
    Automatic archival             Disabled
    Archive destination            /u10/app/oracle/product/oracle10g/dbs/arch
    Oldest online log sequence     11
    Current log sequence           13
    SQL> create table t(a number);
    Table created.
    SQL> select logging from user_tables where table_name = 'T';
    LOG
    YES

  • Transparent mode and DHTML menus

    Hi,
    I was wondering if anyone has found any workarounds that work
    better when Flash content falls on top of dynamic content such as
    DHTML menus? I set the wmode to transparent for my flash because it
    sits below drop down menus. However, this 'fix' does not work
    consistently. It works for me, but not for others. Some are using
    IE, like me. It does not work at all in Firefox. I've read that
    this is a huge bug and besides setting the wmode to transparent
    there is not much else one can do. Even fooling with the z-indexes
    does not work. THERE MUST BE A WAY TO GET AROUND THIS! Does anyone
    know if the newer versions of Flash are addressing this issue?
    Unfortunately, I'm still stuck in FlashMX at work. We have
    the newer version but it's not installed yet.
    Thanks,
    Suzanne A

    Suzanne A,
    >> I was wondering if anyone has found any workarounds that work better when Flash content falls on top of dynamic content such as DHTML menus? I set the wmode to transparent for my flash because it sits below drop down menus. However, this 'fix' does not work consistently.
    True enough. This is well documented in the forum archives and in macromedia.com technotes. Of course, you only need "transparent" if the SWF's background is supposed to be invisible. Another value for this attribute is "opaque," which some have noted as less prone to bugs.
    The main thing is that wmode provides a way to display "active content" in a manner that doesn't obscure other objects in the document -- some browsers support this feature better than others. It's worth noting that wmode is not an invention of Adobe or Macromedia. It is a mechanism that can be used for QuickTime video and any other content not normally displayed by the browser, including Java applets, and so on. In other words, content that requires a plug-in or virtual machine.
    >> It works for me, but not for others. Some are using IE, like me. It does not work at all in Firefox.
    Sure it works in Firefox.
    http://www.communitymx.com/content/source/E5141/wmodenone.htm
    >> THERE MUST BE A WAY TO GET AROUND THIS!
    It would be nice, for sure. But in general, the idea that any given thing *must* be accomplishable can sometimes lead to disappointment. There *must* be a way to display CSS properly in IE, for example -- but sometimes there isn't. Sure, there are hacks and workarounds, and sometimes those are worth the effort ... but sometimes they aren't, and in those cases, IE's CSS support is frustrating.
    >> Unfortunately, I'm still stuck in FlashMX at work. We have the newer version but it's not installed yet.
    This isn't solved in Flash 8. Remember, this isn't, per se, a Flash issue.
    David
    stiller (at) quip (dot) net
    Dev essays:
    http://www.quip.net/blog/
    "Luck is the residue of good design."

  • Transparent Firewalls and DHCP on a 5510 ASA

    I have a 5510 ASA running 8.2 configured in transparent mode and I am trying to allow devices on the inside network to acquire an IP address from a DHCP server on the outside.  I've seen several articles that indicate an ACL is necessary to permit outgoing traffic on port 68 and incoming traffic on port 67.  That actually works and the inside device gets an IP address.  The problem is that no other outbound traffic is allowed from the inside device.  The ACL put in place to permit DHCP, because of its implicit deny at the end of the ACL, denies all other traffic.  DHCP is now the ONLY thing allowed out.  What am I doing wrong here?

    In a default configuration the difference in security levels between the inside and outside interfaces would allow the DHCP requests out, and the UDP xlate entry created for the outgoing packet would allow the DHCP reply back in.  It would just work, but you would have very little control of packet flows, static NAT, or logging.
    Once you start applying ACLs to interfaces, you have to explicitly allow everything you want. All of my firewall interfaces have inbound ACLs, and some also have outbound ones. E.g., subnets where I want fairly permissive outbound access get something like:
    access-list DMZ-INGRESS extended permit ip any object-group LOCAL-NAT0
    access-list DMZ-INGRESS extended deny ip any object-group RFC-5735-SPECIAL log
    access-list DMZ-INGRESS extended deny ip any object-group ALL-MCAST log
    access-list DMZ-INGRESS extended permit ip any any
    Since I happen to be running in routed mode rather than transparent, I have to configure DHCP relay instead of something like "permit udp any any".  I won't include the object groups unless someone asks.
    -- Jim Leinweber, WI State Lab of Hygiene
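The two ACLs discussed in this thread behave the way they do because an ASA access list is evaluated top-down, first match wins, and an unmatched packet hits an implicit deny at the end. Below is an added Python model of that evaluation (example code written for this page, not Cisco's) fed with the DMZ-INGRESS lines quoted in the reply and with a reconstruction of the DHCP-only ACL from the question. The object-group membership is constructed, since the reply deliberately omits it, and the `INSIDE-IN` name and the DHCP line are assumptions.

```python
"""
First-match evaluation of ASA-style extended access-list lines with the
implicit deny at the end. Added example, not Cisco code. OBJECT_GROUPS,
the DHCP_ONLY ACL and the ACL name INSIDE-IN are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed object-group membership; the reply leaves the real groups out.
OBJECT_GROUPS = {
    "LOCAL-NAT0": ["10.0.0.0/8", "192.168.0.0/16"],
    "RFC-5735-SPECIAL": ["0.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "192.0.2.0/24"],
    "ALL-MCAST": ["224.0.0.0/4"],
}


@dataclass
class Rule:
    acl: str
    action: str          # "permit" or "deny"
    proto: str           # "ip" matches every protocol; otherwise must equal the packet's
    src: str             # "any", "host A.B.C.D", "object-group NAME", or "A.B.C.D M.M.M.M"
    dst: str
    dport: Optional[int]  # from "eq N"; None means any port
    log: bool            # trailing "log" keyword present
    line: str            # original text, returned so a match can be traced


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _take_addr(toks: List[str]) -> Tuple[str, List[str]]:
    """Consume one address specification from the token list."""
    if toks[0] in ("any", "any4"):
        return "any", toks[1:]
    # "host X", "object-group X" and "network mask" all use two tokens
    return f"{toks[0]} {toks[1]}", toks[2:]


def parse_acl(lines: List[str]) -> List[Rule]:
    """Parse 'access-list NAME extended ACTION PROTO SRC DST [eq PORT] [log]' lines."""
    rules = []
    for line in lines:
        toks = line.split()
        if toks[:1] != ["access-list"] or toks[2] != "extended":
            raise ValueError(f"unsupported line: {line}")
        acl, action, proto = toks[1], toks[3], toks[4]
        src, rest = _take_addr(toks[5:])
        dst, rest = _take_addr(rest)
        dport, log = None, False
        while rest:
            t = rest.pop(0)
            if t == "eq":
                dport = int(rest.pop(0))
            elif t == "log":
                log = True
        rules.append(Rule(acl, action, proto, src, dst, dport, log, line))
    return rules


def _addr_match(spec: str, addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    if spec == "any":
        return True
    kind, value = spec.split(" ", 1)
    if kind == "host":
        return ip == ipaddress.ip_address(value)
    if kind == "object-group":
        return any(ip in ipaddress.ip_network(n) for n in OBJECT_GROUPS[value])
    return ip in ipaddress.ip_network(f"{kind}/{value}", strict=False)  # "network mask" form


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, bool, Optional[str]]:
    """First matching line decides. Returns (action, logged, matching line);
    no match falls through to the implicit deny, which is neither a line nor logged."""
    for r in rules:
        if r.proto != "ip" and r.proto != pkt.proto:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        if _addr_match(r.src, pkt.src) and _addr_match(r.dst, pkt.dst):
            return r.action, r.log, r.line
    return "deny", False, None


# Reconstruction of the DHCP-only ACL described in the question (assumed name and line).
DHCP_ONLY = ["access-list INSIDE-IN extended permit udp any any eq 67"]

# The permissive egress ACL quoted in the reply.
DMZ_INGRESS = [
    "access-list DMZ-INGRESS extended permit ip any object-group LOCAL-NAT0",
    "access-list DMZ-INGRESS extended deny ip any object-group RFC-5735-SPECIAL log",
    "access-list DMZ-INGRESS extended deny ip any object-group ALL-MCAST log",
    "access-list DMZ-INGRESS extended permit ip any any",
]

if __name__ == "__main__":
    samples = [Packet("udp", "0.0.0.0", "255.255.255.255", 67),   # DHCP discover
               Packet("tcp", "192.168.1.10", "8.8.8.8", 443),      # ordinary web traffic
               Packet("udp", "192.168.1.10", "224.0.0.5", 520)]    # multicast
    for acl in (DHCP_ONLY, DMZ_INGRESS):
        rules = parse_acl(acl)
        for pkt in samples:
            print(rules[0].acl, pkt.proto, pkt.dst, pkt.dport, "->", evaluate(rules, pkt))
```

With DHCP_ONLY the discover is permitted and the HTTPS flow lands on the implicit deny, which is exactly the symptom in the question; with DMZ-INGRESS the same HTTPS flow reaches the final `permit ip any any`, while the multicast packet is denied by a line carrying `log`, so the drop would be visible in syslog rather than silently absorbed by the implicit deny.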

  • Trying to figure out whether I can use an ASA cluster in Transparent mode to facilitate VRF based network ??

    Hi Guys,
    I had to re-post this here because I did not get any comments earlier.. hopefully I'll get something here.. :)
    I'm investigating the ways that I can use 2 x ASA (5525x) to accommodate Multi-tenancy situation with overlapping addresses. Unfortunately in this particular scenario we have to stick with 5525x firewalls.
    The ASAs are going to be placed in north-south traffic path between 2 routers and these routers need to be configured with multiple VRFs to segregate the traffic for each tenant with overlapping IP subnets ( We are not looking at NAT as a workaround for the time being).
    As we know, this ASA model won't support VRFs, so we can't use the ASA as an intermediary routing hop and therefore this is not an option.. and using security contexts per VRF seems not scalable enough (correct me if I'm wrong). So my thinking is that, if we put the ASAs into transparent mode and just use the ASAs as a layer 2 interconnect (configured with different VLANs connecting VRFs served by top and bottom routers), I should be able to go up to a maximum of 50 VRFs (since the 5525x only supports 200 VLANs).
    I'm also planning to use the 2 ASAs in a cluster mode to aggregate the bandwidth of both ASAs for better throughput.
    So I need to clarify following with you guys.. 
    1) Can I actually do this or am I missing something.
    2) Are there any limitations that I might run in to with this setup
    3) Is there anyone out there who's doing the same thing or can you think of a better way to tackle this scenario (with same hardware and requirements)
    4) Instead of using clustering, can I use a simple Active/Standby pair and still configure transparent mode and use it that way?
    Appreciate your input.
    Thanks
    Shamal 

    There is a limitation on how many contexts you can have, which depends on the license you have. This is quite possible with ASA multiple-context routed mode and even with multiple-context transparent mode. You can have overlapping IPs in each context without the need for NAT, as long as you have a unique MAC address for each subinterface.
    Thanks

  • Failure when FWSM in transparent mode with multiple contexts

    hi experts,
    We have two FWSMs working in active/standby state, configured with multiple contexts in transparent mode, and the "outside" and "inside" interfaces for each context are in the same subnet.
    Now we have one FWSM broken and the RMA part can't arrive in a short time, so we have the risk that the second FWSM could fail as well. In the worst case, if the two were broken or powered off simultaneously, I wonder whether the communications between multiple contexts could be OK???
    thanks in advance.

    The software requirements for Cisco Secure ACS are dependent on the type of Extensible Authentication Protocol (EAP) desired. For full support of all the EAP types including EAP-Flexible Authentication via Secure Tunneling (FAST), use release 3.2.3 or higher.
    http://www.cisco.com/en/US/netsol/ns340/ns394/ns431/ns434/networking_solutions_implementation_guide09186a008038906c.html

  • Transparent wsa and https traffic

    folks
    I'm deploying an S300V in transparent mode using WCCP.
    I have a single policy allowing HTTP and HTTPS.
    HTTP works fine but HTTPS doesn't.
    I can see both sets of requests go out through my outer firewalls, but the HTTPS handshake doesn't get past the client hello.
    The VM is being used on a guest wifi network, so clients won't be authenticated, won't have a common root certificate, and I don't want to decrypt traffic.
    TAC are telling me I need to enable the HTTPS proxy, but I can't, as clients won't have the root certificate required.
    Do I need to use the HTTPS proxy?
    thanks to anyone taking the time to reply

    Ken,
    If I don't want to decrypt HTTPS but still want the traffic to be inspected for URL and web reputation, do I still need to upload a root certificate? I would have assumed not, as I do not want to decrypt HTTPS, but the GUI doesn't allow me to enable HTTPS Proxy without uploading a certificate; basically I cannot "Enable HTTPS Proxy" and submit without a cert.
    Basically what I want to do is just pass through the HTTPS traffic to be checked against the Access policies that the HTTP is being checked against.
    Is this viable? If so can you let me know how I can achieve the above?
    Thanks

  • Transparent mode with AIP-SSM-20

    I currently have an ASA5510 in routed mode with an AIP-SSM-20.
    There is a requirement to use a fibre optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE.  This part should present no issue.
    However, this will remove the IPS device, and I still want to use IPS.
    So, what I am thinking is to get another ASA5510, install the AIP-SSM, configure ASA for transparent mode and put it in between the inside of the routed ASA and my LAN.  The transparent ASA would be functioning strictly as an IPS appliance.
    Setup would look something like this:
    Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN
    Can the AIP-SSM still perform IPS with the ASA in transparent mode?
    Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?
    I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.
    Regards.

    AFAIR, there is no problem setting up an AIP in a transparent firewall.
    "An ASA in transparent mode can run an AIP. In the event the AIP fails, the IPS will fail-open and the ASA will continue to pass traffic. However, if an interface or cable fails, then traffic will stop. You would need a failover pair to account for this failure event, which means another ASA and matching AIP."
    And no, there is no problem excluding certain hosts/ports/subnets from inspection by the IPS via MPF.
    http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744
    What I would consider, however, is whether the ASA 5510s as second-tier firewalls for 5520s will be enough.
    http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
    HTH,
    Marcin

  • Transparent Mode using WCCP v2

    Dear All,
    Greetings. Please correct me if I am wrong. Does when to use GRE and when to use L2 redirection depend on the router/switch?
    What are the parameters to be configured in Transparent Redirection 'Load-Balancing Method' and 'Forwarding Method' when using GRE?
    Please help me to understand more on GRE and L2 redirection when in transparent mode, and configuration in S-Series.
    Many Thanks,
    ezekiel

    Ezekiel,
    L2 is the preferred method when possible, since GRE adds an extra 28 bytes of overhead. For L2 to be possible, the WSA must be directly connected to the router / WCCP device.
    If the WSA is more than 1 hop away, GRE MUST be used.
    The major difference between Hashing and Masking is that if Masking is supported, the router / switch will consume less CPU building the load balancing tables.
    It's recommended that you set the WSA to use "Hashing or Masking". The WSA will then negotiate with the WCCP router which to use. If your router supports both, Masking is preferred.
    Hope this helps.
    Please help regarding WCCP v2.
    My company had 2 routers & 2 WSA. Each WSA is directly connected to the each router.
    Can I use both WCCP L2 & GRE? If possible, can give some examples?

  • VTP v2 Transparent mode forwarding

    All,
    As part of my recertification, I am studying VTP (again) and I ran into the following question:
    I know VTP v1 switches in transparent mode only forward VTP advertisements if the domain name is the same and if the version is the same (so only v1 gets forwarded and only if the domain name matches)
    I know VTP v2 has a feature called: version-independent forwarding: a VTP v2 transparent switch will forward VTP v2 packets as well as VTP v1 packets.
    BUT what about the domain name ? Does it still need to match ?
    Will a VTP v2 Transparent Switch in domain "Cisco" forward a VTP v1 or v2 advertisement of domain "TEST" ???
    regards,
    Geert

    Ok. Thx. Let us believe the documentation.
    Although it is not really clear why this feature is called "version dependent transparent mode" and not "version independent transparent mode". To me it seems more logical - since it forwards v1 and v2 - to be version independent...
    So in the following situation:
    SW1 (Server, Domain TEST, VLANs 1,2,3) ---- trunk ---- SW2 (Transparent, Domain Cisco) ---- trunk ---- SW3 (Client, Domain TEST)
    If SW2 is running VTP v1 --> SW3 does not know any VLANs
    If SW2 is running VTP v2 --> SW3 does see VLANs 1,2,3
    Geert

  • ASA 55xx in transparent mode - switch ARP table?

    Guys,
    It's a basic question about how transparent mode firewalls communicate with the connecting switches.
    My understanding is that if I separate the LAN, e.g. 10.1.1.x, with a transparent firewall, then it will only "snoop" the traffic and will not change anything in the Ethernet header.
    Is that correct, or will it still replace the MAC address with the firewall physical interface address to send the frame to the connecting switch?
    e.g.
    client (10.1.1.1) ---------> switch -------> transparent 5510 --------> switch ----------> server (10.1.1.100)
    When the client sends the ARP to look up the hardware address of the server, what will it receive back?
    The MAC address of the transparent ASA, or the server?
    Thank you!

    The source MAC address is never changed if the traffic is passing through the same IP subnet (VLAN). Here the firewall is in transparent mode, and if it altered the source MAC address, communication would not happen. This is a very fundamental network concept. However, it may recreate the same frame with the same source/destination MAC addresses.

  • Using Clustered ASAs in Transparent mode to support VRF based Network ?

    Hi Guys,
    I'm investigating the ways that I can use 2 x ASA (5525x) to accommodate Multi-tenancy situation with overlapping addresses. Unfortunately in this particular scenario we have to stick with 5525x firewalls.
    The ASAs are going to be placed in north-south traffic path between 2 routers and these routers need to be configured with multiple VRFs to segregate the traffic for each tenant with overlapping IP subnets ( We are not looking at NAT as a workaround for the time being).
    As we know, this ASA model won't support VRFs, so we can't use the ASA as an intermediary routing hop and therefore this is not an option.. and using security contexts per VRF seems not scalable enough (correct me if I'm wrong). So my thinking is that, if we put the ASAs into transparent mode and just use the ASAs as a layer 2 interconnect (configured with different VLANs connecting VRFs served by top and bottom routers), I should be able to go up to a maximum of 50 VRFs (since the 5525x only supports 200 VLANs).
    I'm also planning to use the 2 ASAs in a cluster mode to aggregate the bandwidth of both ASAs for better throughput.
    So I need to clarify following with you guys.. 
    1) Can I actually do this or am I missing something.
    2) Are there any limitations that I might run in to with this setup
    3) Is there anyone out there who's doing the same thing or can you think of a better way to tackle this scenario (with same hardware and requirements)
    4) Instead of using clustering, can I use a simple Active/Standby pair and still configure transparent mode and use it that way?
    Appreciate your input.
    Thanks
    Shamal 

    Is any expert out there who can answer my query ?. Much appreciated.
