Transparent mode ASA and management

Similar Messages

• E4200 Bridged Mode - Wireless and Management fail after 36 hours

  Greetings all,
  I am trying to see if anybody else is having this problem.  I have the E4200 and have it configured in bridged mode.  Once configured, everything works great for 36 hours.
  After 36 hours, all wireless devices are unable to pull an IP address and the management IP address of the E4200 stops responding.  The only way to restore service is to reload the router.
  I took the first one back to Best Buy and they gave me a new one, however the new router has the same issue.
  It seems to me that after 36 hours, the E4200 fails to renew its management IP and also stops forwarding wireless broadcasts (DHCP) requests to my DHCP server.
  Thoughts?

  Thanks.  The new E4200 firmware has "bridged mode" so basically I just have this thing acting as a Wireless access point that has 5 Gigabit ethernet ports.
  This disables the routing engine in the E4200 and it acts as a wireless AP and switch.  The E4200's WAN port then connects to a Gigabit switch located in my telco closet, which is connected to my FiOS Router.
  Reason for this setup is so that devices connected to either the Gigabit switch, or to the E4200 via hardwire or wireless will all remain on the same subnet, and not cause the broadcasts to block as packets traverse subnets.

• ASA in transparent mode and IP addresses

  Hello,
  I need to put an ASA in transparent mode.
  Our router (managed by the carrier) routes more than one public IP class in a single VLAN.
  On the "Cisco Security Appliance Command Line Configuration guide", in "Trasnaprent Firewall Guidelines" it's written: "Each directly connected network must be on the same network".
  This means also that I can have ONLY ONE subnet that flows fron the outside and the inside, or can I have more than one class?
  If I can have only one class, the only solution is to use multiple context (and separate each classes in different interfaces)?
  Thanks a lot

  The ASA in trasparent mode works at layer 2. So it really does not care if the traffic that flows through it is from different subnet as long as the L3 devices it connects to knows how to reach these subnet. TheASA in transparent is basically a bump in the wire (a bridge) and for that reason you can only use 2 interfaces on the ASA in transparent implementation.
  P.S. When people see attitude in your threads, they will refrain from answering your question. That's for future reference.

• ASA Transparent mode multicast traffic in 8.2 and 8.4

  Hi,
  When i configure 8.2 in trasparent mode and deploy the a network that was wrok on EIGRP after that i found the neighborship was stop when i allow the mutlicast address and prtocol on outside interface it was start the working But when i deploy an ASA with 8.4 IOS and then allow the multicast address and protocol both the interface (Inside and outside) after that it was start working.
  So i want to know that what the reasion to allow multicast address and protocol on 8.4 IOS for both interface. I am not able to find any answer for this.

  Hi Mahesh,
  By default ASA in transparent mode do not allow any packets not having a valid EtherType greater than or equal to 0x600. As per my knowledge this concept remain same for all versions of ASA. Most control plane protocols are denied.
  ASA in transparent mode only allows ARP, broadcast traffic, TCP and UDP inspected unicast traffic.
  For EIGRP to work through transparent firewall, we need to open ACLs in both direction for multicast and unicast both type of EIGRP traffic on all versions of ASA Firewall.

• Cisco ASA 5512 Transparent mode

                     Hi all - hope this is the right place to ask this question-
  I'm having trouble understanding how to configure an ASA 5512X in what should be a really easy way -
  I simply want the ASA to be a transparent Layer 2 "bump" in a routed link between two networks, and then I'll use the Management interface to actually see the firewall ASDM,Syslog, configure, etc.
  I have the interfaces set up thusly:
  interface GigabitEthernet0/0
  nameif UnTrustedNetwork
  security-level 0
  interface GigabitEthernet0/1
  nameif TrustedNetwork
  security-level 100
  interface Management0/0
  nameif ManagementAccess
  security-level 100
  ip address 192.168.X.Y 255.255.255.0
  management-only
  I cannot figure out how to install a default route so that interface Management0/0 with it's IP of 192.168.X.Y can be reached from
  other networks, like 10.6.X.Y, etc.
  I thought the point of a Management interface was that you could set things up in such a way that the Management interface
  was the only way you could access the firewall, and you did not have to have IP addresses on the Gig interfaces,
  (at least not in transparent mode, for NAT you obviously would have to)
  I tried to add a static route entry to 10.6.X.Y , but
  when I typed "route.." my only available destination interfaces were either TrustedNetwork or UnTrustedNetwork ??
  How do I configure the Management interface for non-local subnets to be reachable on the firewall in transparent mode?

  transparent firewall is configured differently from routed mode.
  here's a basic config required:
  firewall transparent               (erases the current config; does not require a reboot)
  interface BVI1
  ip address 192.168.10.10 255.255.255.0
  interface GigabitEthernet0
  nameif outside
  bridge-group 1
  security-level 0
  interface GigabitEthernet1
  nameif inside
  bridge-group 1
  security-level 100
  route outside 0.0.0.0 0.0.0.0 192.168.10.254
  route inside 10.0.0.0 255.0.0.0 192.168.10.100
  I think that you need a BVI interface with an IP address before the ASA starts forwarding traffic
  The old syntax (pre 8.3 or 8.2 not sure) forces only 2 interfaces and no BVI was configured... the IP was assigned in global config.
  Hope that helps,
  Patrick

• Connectivity Issues Cisco ASA 5515 in Transparent Mode

  Hi,
  we´re having problems with one transparent mode setup at one customer site. The ASA is equiped with a CX Module, but we´re not using it, so far in the service policy rules it was enabled and matched all traffic, but in "monitor only" mode. There is a global acl that allows any-any-IP.
  Firewall-Info:
  - ASA Version 9.1(2) 
  - Interfaces gi0/0 + gi0/2 without any interface errors
  The ASA 5515x is configured as a "bump in the wire". In general our setup is working but with beginning of the installation of the firewall the customer faces following connection issues, without the firewall no problems:
  - Connections to SAP-Servers behind the MPLS begin to drop, affected all users
  - Incoming monitoring sessions (ping/snmp) from central management are facing ping timeouts, connection timeouts
  - http downloads are stopping, Customer: it will stop responding and the download will fail.
  In general the customer describes it this way: "We do not have the best connection here so once we connected the firewall all the problems are magnified"
  I recognized, that we unconfigured the default inspection during initial setup and reconfigured this entry for the cx module. So the the default inspection with all the settings are not present any more... How important are these settings? One phenomen is, that I´ve seen a large numbers of concurrent connections that increased over time. And we already had that situation, that the firewall reached the max-conn count.
  Should I try to reconfigure the default inspection, as it ships from factory? And whats the best way to check for problems? What can be the reason for the dropping connections?
  I attached a network plan and the firewall config, hopefully, that somebody has an idea. Of course I can provide additional information...
  Best Regards
  Sebastian

  Hi Vibhor,
  thanks for your reply. Does this also affect the traffic, even the setting is set to "Monitor Only" ?
  Is it recommend to configure the default-inspection rule as a default setting? 
  Further Question: I´ve read sth. about, that service policy rules must be "reloaded" to take effect, after they have been changed. Is that right and how do I reload them?
  Here is an output from sh asp drop, do I have to care about certain values? This values result from two connected users doing some downloads over a 2Mbit connection.
  ciscoasa# show asp drop
  Frame drop:
    Invalid encapsulation (invalid-encap)                                       10
    First TCP packet not SYN (tcp-not-syn)                                     114
    TCP failed 3 way handshake (tcp-3whs-failed)                                 3
    TCP RST/FIN out of order (tcp-rstfin-ooo)                                   18
    Dst MAC L2 Lookup Failed (dst-l2_lookup-fail)                               33
    L2 Src/Dst same LAN port (l2_same-lan-port)                                260
    FP L2 rule drop (l2_acl)                                                  2958
    Interface is down (interface-down)                                        9420
    No management IP address configured for TFW (tfw-no-mgmt-ip-config)        117
    Dropped pending packets in a closed socket (np-socket-closed)               66
  Thanks
  Sebastian

• Transparent Mode and Logging

  Is it possible for an 5505 ASA to be in transparent mode such as ethernet0/0 outside, ethernet 0/1 inside, and use ethernet 0/2 for syslog only on a seperate network other than the one that 0/0 and 0/1 is using.  The tranparent part being on a 192.168.168.X/24 and the syslog server being on say a 10.2.1.X/24 network?
  Thanks

  Hello Will,
  Havent try it, but I am sure you should be able to Use the OOB management interface (management 0/0) to accomplish such.
  Let us know.
  Mike

• Cisco ASA 55XX Transparent mode VLAN traversing

  Hello Cisco Forum Team!
      In a scenario where the Cisco ASA is in Transparent mode, is it possible to transmit L2 traffic from other VLANs different than the native VLAN the management IP of the firewall resides?
  The switches on the outside and inside interfaces of the ASA are in trunk mode and I am trying to pass L2 VLAN ttraffic from inside to outside and vice-versa using filters on the switches (switchport trunk allowed vlan). 
  Thanks in advanced for your support and comments!

  Yes it is possible but you will be limited to 8 VLANs, or more accurately, 8 BVI interfaces so this is not a scalable solution.  The catch is that you will need to have different VLANs for the same subnet at either end of the ASA. 
  To clarify this, lets say you are using interface Gig0/1 and Gig0/2.  On Gig0/1 you would have configured subinterfaces with VLANs 2, 3, and 4.  Now if you try to configure these same VLANs on Gig0/2 you will get an error saying something like this VLAN is already configured on another interface...I don't remember the exact error. 
  So to get this working you would need to configure Gig0/2 with subinterfaces for VLANs...lets say...5, 6, and 7.  you would then associate VLANs 2 and 5 with BVI 1, VLANs 3 and 6 with BVI 2, and VLANs 4 and 7 with BVI 3.  Each BVI interface would have its own IP address for the subnet that is being bridged across the ASA.
  Please remember to select a correct answer and rate helpful posts

• ASA 5510 in Transparent Mode-Guidelines.

  Dear all,
  I need to convert routed mode to transparent mode on my ASA-5510 with inbuilt IPS.
  let me know which of the following features configured on my firewall will have issue if converted to transparent mode:
  1. static routes.
  2. object-groups.
  3. ACLS.
  4. URL-filter (Websense).
  5. IPS . ( i doubt this )
  6. have 3 data and 1 Mgmt interfaces.
  7. syslog.
  8. SNMP
  I'm sure point 5 and 6 will have issues, need to confirm.
  need to confirm this by EOD,
  ( 5 hours more).
  thanks in advance.
  Shukla.

  Does not participate in routing protocols but can still pass routing protocol traffic through it. You can define static routes for the traffic originated by the ASA.
  in transparante mode the devices dehind and infront of the firewall will be in the same ip subnet as the firewall will be a L2 device!!
  ACLs can be configured normally
  syslog as well
  obgect groups as well
  Address translation is inherent when a firewall is configured for routed mode. Beginning with
  ASA 8.0, address translation can be used in transparent mode as well
  Does not participate in multicast. However, it allows passing the multicast traffic through it using the ACLs.
  Does not support QoS.
  Inspects Layer 2 and higher packet headers
  as long as u can use
  policy-map global_policy
  then u can integrate with IPS if u mean AIP-ssm modul
  transparent also known as a Layer 2 firewall or a stealth firewall, because its
  interfaces have no IP addresses and cannot be detected or manipulated. Only a single
  management address can be configured on the firewall
  In transparent mode, a firewall can support only two interfaces-the inside and the outside. If
  your firewall supports more than two interfaces from a physical and licensing standpoint, you
  can assign the inside and outside to two interfaces arbitrarily. As soon as those interfaces are
  configured, the firewall does not permit a third interface to be configured.
  Some platforms also support a dedicated management interface, which can be used for all
  firewall management traffic. However, the management interface cannot be involved in
  accepting or inspecting user traffic
  Configure a management address:
  Firewall(config)# ip address ip_address subnet_mask
  The firewall can support only a single IP address for management purposes. The address is
  not bound to an interface, as in routed mode. Rather, it is assigned to the firewall itself,
  accessible from either of the bridged interfaces.
  The management address is used for all types of firewall management traffic, such as Telnet,
  SSH, HTTP, SNMP, Syslog, TFTP, FTP, and so on.
  A transparent firewall can also support multiple security contexts. In that case, interface IP
  addresses must be configured from the respective context. The system execution space uses
  the admin context interfaces and IP addresses for its management traffic
  You do not have to configure a static route for the subnet directly connected to the firewall
  interfaces. However, you should define one static route as a default route toward the outside
  public network
  i wish i covered all ur questions
  good luck
  if helpful Rate

• Trying to figure out whether I can use an ASA cluster in Transparent mode to facilitate VRF based network ??

  Hi Guys,
  I had to re-post this here because I did not get any comments earlier.. hopefully I'll get something here.. :)
  I'm investigating the ways that I can use 2 x ASA (5525x) to accommodate Multi-tenancy situation with overlapping addresses. Unfortunately in this particular scenario we have to stick with 5525x firewalls.
  The ASAs are going to be placed in north-south traffic path between 2 routers and these routers need to be configured with multiple VRFs to segregate the traffic for each tenant with overlapping IP subnets ( We are not looking at NAT as a workaround for the time being).
  As we know, this ASA model won't support VRFs so we can't use the ASA as a intermediary routing hop and therefore this is not an option.. and using security contexts per VRF seems not scale-able enough (correct me if I'm wrong). So my thinking is that, if we put the ASAs in to the transparent mode and just use the ASAs as a layer 2 interconnect (configured with different VLANs connecting VRFs served by top and bottom routers)  I should be able to go up to maximum of 50 VRFs (since 5525x only supports 200 VLANs).  
  I'm also planning to use the 2 ASAs in a cluster mode to aggregate the bandwidth of both ASAs for better throughput.
  So I need to clarify following with you guys.. 
  1) Can I actually do this or am I missing something.
  2) Are there any limitations that I might run in to with this setup
  3) Is there anyone out there who's doing the same thing or can you think of a better way to tackle this scenario (with same hardware and requirements)
  4) Instead of using clustering, can I use simple Active/Stanby pare and still configure transparent mode and use it that way ?
  Appreciate your input.
  Thanks
  Shamal 

  There is a limitation on how many context you can have, which depends on the license you have.  This is quite possible with ASA multi routed mode and even with multi transparent mode.  You can have overlapping ip in each context without the need of using nat as long as you have unique mac address for each sub interface.
  Thanks

• ASA transparent mode with secondary IP on the router

  Hi
  I have
  Router --- ASA (Transparent)----Switch
  and just wonder if it is possible to configure secondary IP on the router interface which is connected to ASA
  so there is plenty of room in terms of LAN IP range.
  Or to implement this, do I have change ASA to context mode and modify configuration on the ASA?
  hope I do not have to change anything on the ASA.
  Thanks

  ASA in transparant mode work as L2 device
  so what ever ips u use dosent matter
  u dont need to change anything in the ASA while it is in transperant mod
  but be careful of what is allowed to be passed through the firewall
  u can control it by ACLs
  the router and the switch u have will operat in L3 as thy connected directly or nothing between them from routing and layer three prespective
  so they shoud be in the same subnet VLAN and so on
  good lcuk
  please, if helpful rate

• Can a Transparent mode firewall use /30 and still work.

  Here is my question, I have a ASA 5510 that is connected to my ISP and the inside interface that is connected to my router.  I have a /30 and need to determine if the configuration of x.x.x.121/30 which is my ISP and also the BVI address on the ASA.  The inside router address is x.x.x.122/30 same subnet as my ISP will allow me to pass traffic.  Management interface works using a different ip address but not able to get the traffic to pass traffic out to the internet thru the ASA
  ISP-------->ASA-------->Router 
  Bottom Line is that I only have one usable address that is being used by the router and the ISP and ASA are using the other.  Will this work?

  Transparent firewall needs a management ip address in the same subnet as the passing traffic. Also please check the vlans of the switch port (if any) of the outside and inside interfaces. The vlans needs to be different for both interfaces.
  Posted by WebUser Fawad Khan from Cisco Support Community App

• ASA Routed/Transparent Mode - Advice

  Hi guys,
  I'm looking for some advice regarding the deployment of an ASA. I have two networks separated by a routed link (layer 3 switch to layer 3 switch). I would like to deploy an ASA between the two networks for increased security. I'm leaning toward transparent mode so I don't have to have an additional IP subnetwork configured, and because deployment seems a little 'easier'.
  I would welcome any feedback.
  Thanks.

  Hi,
  So there is 2 networks which are separated by a routed link between the L3 switches? Have you considered simply moving the LAN and Link networks IP address to a Routed Mode ASAs interfaces when inserting it between these networks or is there something on the L3 switch that prevents this?
  Naturally you can use the ASA in Transparent Mode also. I have not deployed Transparent ASAs as usually the Routed Mode has been required. Even firewalls installed to internal networks (like between factory automation and office networks) have always been in Routed mode.
  Looking at the ASA Configuration Guide the limitations set by the Transparent Mode are not something that would prevent us from using them instead of the current setups. I would imagine that the most important limitation in many setups has usually been the fact that the VPN is not supported in Transparent mode though I guess in your case that would not be a problem.
  The ASA Configuration Guide section on Transparent mode (guidelines/limitations) can be found here:
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/intro-fw.html#pgfId-1501525
  - Jouni

• ASA Transparent Mode

  Hi Guys
  On the ASA running  the 8.4.4.1 code in transparent mode.
  Can I create sub interfaces in different vlans and attach them to different BVI groups?
  switch---trunk---ASA---Trunk---switch
  Gig0/1.1 vlan 100 bridge-gr1          Gig0/2.1 vlan 101 bridge-gr1
  Gig0/1.2 vlan 200 bridge-gr2          Gig0/2.2 vlan 201 bridge-gr2
  Is this possible?
  Thanks

  Hi,
  Yes you can do that. Please refer the below mentioned guide for better understanding.
  http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_complete_transparent.html
  Please do rate if the given information helps.
  By
  Karthik

• ASA 55xx in transparent mode - switch ARP table?

  Guys,
  It's a basic question about how transparent mode firewalls communicate with the connecting switches.
  My understanding is that if I separate the LAN eg. 10.1.1.x with a transparent firewall than it will only "snoop" the traffic and will not change anything in the Ethernet header.
  Is it correct or still will replace the MAC address with the firewall physical interface address to send the frame to the connecting switch?
  e.g.
  client--------->switch------->transparent 5510-------->switch---------->server
  10.1.1.1                                                                                              10.1.1.100
  When the client sends the ARP to look up the hardware address of the server then what will that received back?
  The MAC address of the transparent ASA, or the server?
  Thank you!

  Source MAC address is never changed if the traffic is passing through same IP subnet (vlan). Here the firewall is in transparent mode and if it alter the source mac address communication will not happen. This is a very fundamental network concept. However it may recreate the same frame with same souce/destination mac addresses.