Transparent Mode Guide

Similar Messages

• ASA in transparent mode and IP addresses

  Hello,
  I need to put an ASA in transparent mode.
  Our router (managed by the carrier) routes more than one public IP class in a single VLAN.
  On the "Cisco Security Appliance Command Line Configuration guide", in "Trasnaprent Firewall Guidelines" it's written: "Each directly connected network must be on the same network".
  This means also that I can have ONLY ONE subnet that flows fron the outside and the inside, or can I have more than one class?
  If I can have only one class, the only solution is to use multiple context (and separate each classes in different interfaces)?
  Thanks a lot

  The ASA in trasparent mode works at layer 2. So it really does not care if the traffic that flows through it is from different subnet as long as the L3 devices it connects to knows how to reach these subnet. TheASA in transparent is basically a bump in the wire (a bridge) and for that reason you can only use 2 interfaces on the ASA in transparent implementation.
  P.S. When people see attitude in your threads, they will refrain from answering your question. That's for future reference.

• Transparent mode with AIP-SSM-20

  I currently have an ASA5510 in routed mode with an AIP-SSM-20.
  There is a requirement to use a fibre optic connection between this ASA and another ASA across campus, so the AIP-SSM will have to be removed and replaced with the SSM-4GE.  This part should present no issue.
  However, this will remove the IPS device, and I still want to use IPS.
  So, what I am thinking is to get another ASA5510, install the AIP-SSM, configure ASA for transparent mode and put it in between the inside of the routed ASA and my LAN.  The transparent ASA would be functioning strictly as an IPS appliance.
  Setup would look something like this:
  Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN
  Can the AIP-SSM still perform IPS with the ASA in transparent mode?
  Is there a way to configure the ASA and AIP-SSM such that traffic to/from a particular server completely bypasses the AIP-SSM?
  I have a couple of fileservers that generate heavy traffic and could overload the AIP-SSM.
  Regards.

  AFAIR, There is no problem to setup AIP in a transparent firewall.
  "An ASA in transparent mode can run an AIP.  In the event the AIP fails,
  the IPS will fail-open and the ASA will continue to pass traffic.
  However, if an interface or cable fails, then traffic will stop.  You
  would need a failover pair to account for this failure event, which
  means another ASA and matching AIP."
  And no there is no problem to exclude certain hosts/ports/subnets from inspection by IPS via MPF.
  http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ips.html#wp1050744
  What I however consider however is if the ASAs 5510 as second tier firewall for 5520s will be enough.
  http://www.cisco.com/en/US/products/ps6120/prod_models_comparison.html
  HTH,
  Marcin

• ASA Routed/Transparent Mode - Advice

  Hi guys,
  I'm looking for some advice regarding the deployment of an ASA. I have two networks separated by a routed link (layer 3 switch to layer 3 switch). I would like to deploy an ASA between the two networks for increased security. I'm leaning toward transparent mode so I don't have to have an additional IP subnetwork configured, and because deployment seems a little 'easier'.
  I would welcome any feedback.
  Thanks.

  Hi,
  So there is 2 networks which are separated by a routed link between the L3 switches? Have you considered simply moving the LAN and Link networks IP address to a Routed Mode ASAs interfaces when inserting it between these networks or is there something on the L3 switch that prevents this?
  Naturally you can use the ASA in Transparent Mode also. I have not deployed Transparent ASAs as usually the Routed Mode has been required. Even firewalls installed to internal networks (like between factory automation and office networks) have always been in Routed mode.
  Looking at the ASA Configuration Guide the limitations set by the Transparent Mode are not something that would prevent us from using them instead of the current setups. I would imagine that the most important limitation in many setups has usually been the fact that the VPN is not supported in Transparent mode though I guess in your case that would not be a problem.
  The ASA Configuration Guide section on Transparent mode (guidelines/limitations) can be found here:
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/intro-fw.html#pgfId-1501525
  - Jouni

• FWSM in Transparent mode help

  Hi all,
  i am actually designing for a new solution based on 6509 Switch with FWSM module, here is what i have :
  FWSM will be used in Transparent mode with two bridge group : 1 , 2 as mentioned on the image, i wonder if this is a correct deisgn or not, is this will work with no probleme with these two trunk links ?
  i've seen on the guidelines of this url :
  http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/fwmode.html#wp1184961
  "The transparent FWSM uses an inside interface and an outside interface only. "
  is it applicable in my case,
  any other information will be welcome.
  Thanks for help

  Hi,this is sample configuration.
  6509A:
  vlan 256
  name FWoutside
  int vlan 256
  ip addr 98.1.1.252 255.255.255.0
  6509B:
  vlan 255
  name FWinside
  int vlan 255
  ip addr 98.1.1.251 255.255.255.0
  firewall module 3 vlan-group 16,32
  firewall vlan-group 16 255
  firewall vlan-group 32 256
  FW:
  firewall transparent
  nameif vlan256 outside security0
  nameif vlan255 inside security100
  access-list ACL_IN extended permit ip any any
  access-group ACL_IN in interface outside
  access-group ACL_IN in interface inside
  6509B:
  6509B#ping 98.1.1.252
  Type escape sequence to abort.
  Sending 5, 100-byte ICMP Echos to 98.1.1.252, timeout is 2 seconds:
  Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
  6509B#

• ASA Transparent Mode

  Hi Guys
  On the ASA running  the 8.4.4.1 code in transparent mode.
  Can I create sub interfaces in different vlans and attach them to different BVI groups?
  switch---trunk---ASA---Trunk---switch
  Gig0/1.1 vlan 100 bridge-gr1          Gig0/2.1 vlan 101 bridge-gr1
  Gig0/1.2 vlan 200 bridge-gr2          Gig0/2.2 vlan 201 bridge-gr2
  Is this possible?
  Thanks

  Hi,
  Yes you can do that. Please refer the below mentioned guide for better understanding.
  http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_complete_transparent.html
  Please do rate if the given information helps.
  By
  Karthik

• ASA Transparent Mode - Stateful Inspection

  Hi Community,
  I would appreciate any input other may be able to provide on the behaviour of ASA when in Transparent mode.
  I have a few scenarios and am looking to confirm stateful inspection behaviour for.
  By default I shall block all traffic.
  1 - Flow initiated Inside to outside (Higher to Lower security interface)
       - Rule on inside
  2 - Flow Initiated Outside to Inside (Lower to Higher security interface)
       - Rule on Outside
       - Appears to require rule on inside to allow response - No Stateful inspection
  3 - Flow initiated Inside to Outside - With Application inspection (Higher to Lower)
       - Rule on inside + App inspection
  4 - Flow initiated Outside to Inside - With Application Inspection (Lower to Higher)
       - Rule on outside + App Inspection
       - Appears to require rule on inside to allow response - No Stateful Inspection
  The references guide could do with some clarification around transparent behaviour.
  Many thanks

  Hello,
  For flow innitiated on the inside to the outside you do not need an acl on the outside for the returning traffic, that is the main idea of the stateful inspection.
  As soon as you do not have any ACLs applied to the inside interface this will be like this:
  1 - Flow initiated Inside to outside (Higher to Lower security interface)
  2 - Flow Initiated Outside to Inside (Lower to Higher security interface)
       - Rule on Outside
       - Appears to require rule on inside to allow response - No Stateful inspection
  3 - Flow initiated Inside to Outside - With Application inspection (Higher to Lower)
      App inspection
  4 - Flow initiated Outside to Inside - With Application Inspection (Lower to Higher)
       - Rule on outside + App Inspection
  Regards,

• The difference between VTP server and transparent mode on Catalyst Switch.

  Hello 
  I have a question about the difference between VTP server mode and VTP transparent mode on general catalyst switch.
  Basically VTP server mode can create and modify VLAN configuration but  actually there is not any VLAN configuration through running-config, is it true?  When I checked it on Cat3550, certainly there is not VLAN configuration on VTP server mode. But VTP transparent can create VLAN and configuration but does not synchronize with other switch VLAN status. I appreciate any related information and reason of the VTP server mode specification, thank you very much.
  [VTP Transparent mode]
  3550#sh vtp status
  VTP Version                     : 2
  Configuration Revision          : 0
  Maximum VLANs supported locally : 1005
  Number of existing VLANs        : 27
  VTP Operating Mode              : Transparent
  VTP Domain Name                 :
  VTP Pruning Mode                : Disabled
  VTP V2 Mode                     : Disabled
  VTP Traps Generation            : Disabled
  *omit
  3550#
  3550#sh run
  Building configuration...
  *omit
  vlan 99
   name TEST-VLAN
  [VTP Server mode]
  3550#sh vtp status
  VTP Version                     : 2
  Configuration Revision          : 0
  Maximum VLANs supported locally : 1005
  Number of existing VLANs        : 27
  VTP Operating Mode              : Server
  VTP Domain Name                 :
  VTP Pruning Mode                : Disabled
  VTP V2 Mode                     : Disabled
  VTP Traps Generation            : Disabled
  *omit
  3550#
  3550#sh run
  Building configuration...
  *no VLAN like above configuration on VTP transparent mode.
  Best Regards,
  Masanobu Hiyoshi

  Hi mhiyoshi,
  3550#sh vtp status
  VTP Version                     : 2
  Configuration Revision          : 0
  Maximum VLANs supported locally : 1005
  Number of existing VLANs        : 27
  VTP Operating Mode              : Transparent
  VTP Domain Name                 :
  VTP Pruning Mode                : Disabled
  VTP V2 Mode                     : Disabled
  VTP Traps Generation            : Disabled
  *omit
  3550#
  3550#sh run
  Building configuration...
  *omit
  vlan 99
   name TEST-VLAN
  The above out put indicates that Vlan is created and then mode changed to transparent. i.e why revision no is 0.
  3550#sh vtp status
  VTP Version                     : 2
  Configuration Revision          : 0
  Maximum VLANs supported locally : 1005
  Number of existing VLANs        : 27
  VTP Operating Mode              : Server
  VTP Domain Name                 :
  VTP Pruning Mode                : Disabled
  VTP V2 Mode                     : Disabled
  VTP Traps Generation            : Disabled
  *omit
  3550#
  3550#sh run
  Building configuration...
  *no VLAN like above configuration on VTP transparent mode.
  This indicates that vlan never created in server mode nor learnt from another switch as revision no is 0

• Cisco ASA 5512 Transparent mode

                     Hi all - hope this is the right place to ask this question-
  I'm having trouble understanding how to configure an ASA 5512X in what should be a really easy way -
  I simply want the ASA to be a transparent Layer 2 "bump" in a routed link between two networks, and then I'll use the Management interface to actually see the firewall ASDM,Syslog, configure, etc.
  I have the interfaces set up thusly:
  interface GigabitEthernet0/0
  nameif UnTrustedNetwork
  security-level 0
  interface GigabitEthernet0/1
  nameif TrustedNetwork
  security-level 100
  interface Management0/0
  nameif ManagementAccess
  security-level 100
  ip address 192.168.X.Y 255.255.255.0
  management-only
  I cannot figure out how to install a default route so that interface Management0/0 with it's IP of 192.168.X.Y can be reached from
  other networks, like 10.6.X.Y, etc.
  I thought the point of a Management interface was that you could set things up in such a way that the Management interface
  was the only way you could access the firewall, and you did not have to have IP addresses on the Gig interfaces,
  (at least not in transparent mode, for NAT you obviously would have to)
  I tried to add a static route entry to 10.6.X.Y , but
  when I typed "route.." my only available destination interfaces were either TrustedNetwork or UnTrustedNetwork ??
  How do I configure the Management interface for non-local subnets to be reachable on the firewall in transparent mode?

  transparent firewall is configured differently from routed mode.
  here's a basic config required:
  firewall transparent               (erases the current config; does not require a reboot)
  interface BVI1
  ip address 192.168.10.10 255.255.255.0
  interface GigabitEthernet0
  nameif outside
  bridge-group 1
  security-level 0
  interface GigabitEthernet1
  nameif inside
  bridge-group 1
  security-level 100
  route outside 0.0.0.0 0.0.0.0 192.168.10.254
  route inside 10.0.0.0 255.0.0.0 192.168.10.100
  I think that you need a BVI interface with an IP address before the ASA starts forwarding traffic
  The old syntax (pre 8.3 or 8.2 not sure) forces only 2 interfaces and no BVI was configured... the IP was assigned in global config.
  Hope that helps,
  Patrick

• ASA Transparent mode multicast traffic in 8.2 and 8.4

  Hi,
  When i configure 8.2 in trasparent mode and deploy the a network that was wrok on EIGRP after that i found the neighborship was stop when i allow the mutlicast address and prtocol on outside interface it was start the working But when i deploy an ASA with 8.4 IOS and then allow the multicast address and protocol both the interface (Inside and outside) after that it was start working.
  So i want to know that what the reasion to allow multicast address and protocol on 8.4 IOS for both interface. I am not able to find any answer for this.

  Hi Mahesh,
  By default ASA in transparent mode do not allow any packets not having a valid EtherType greater than or equal to 0x600. As per my knowledge this concept remain same for all versions of ASA. Most control plane protocols are denied.
  ASA in transparent mode only allows ARP, broadcast traffic, TCP and UDP inspected unicast traffic.
  For EIGRP to work through transparent firewall, we need to open ACLs in both direction for multicast and unicast both type of EIGRP traffic on all versions of ASA Firewall.

• Trying to figure out whether I can use an ASA cluster in Transparent mode to facilitate VRF based network ??

  Hi Guys,
  I had to re-post this here because I did not get any comments earlier.. hopefully I'll get something here.. :)
  I'm investigating the ways that I can use 2 x ASA (5525x) to accommodate Multi-tenancy situation with overlapping addresses. Unfortunately in this particular scenario we have to stick with 5525x firewalls.
  The ASAs are going to be placed in north-south traffic path between 2 routers and these routers need to be configured with multiple VRFs to segregate the traffic for each tenant with overlapping IP subnets ( We are not looking at NAT as a workaround for the time being).
  As we know, this ASA model won't support VRFs so we can't use the ASA as a intermediary routing hop and therefore this is not an option.. and using security contexts per VRF seems not scale-able enough (correct me if I'm wrong). So my thinking is that, if we put the ASAs in to the transparent mode and just use the ASAs as a layer 2 interconnect (configured with different VLANs connecting VRFs served by top and bottom routers)  I should be able to go up to maximum of 50 VRFs (since 5525x only supports 200 VLANs).  
  I'm also planning to use the 2 ASAs in a cluster mode to aggregate the bandwidth of both ASAs for better throughput.
  So I need to clarify following with you guys.. 
  1) Can I actually do this or am I missing something.
  2) Are there any limitations that I might run in to with this setup
  3) Is there anyone out there who's doing the same thing or can you think of a better way to tackle this scenario (with same hardware and requirements)
  4) Instead of using clustering, can I use simple Active/Stanby pare and still configure transparent mode and use it that way ?
  Appreciate your input.
  Thanks
  Shamal 

  There is a limitation on how many context you can have, which depends on the license you have.  This is quite possible with ASA multi routed mode and even with multi transparent mode.  You can have overlapping ip in each context without the need of using nat as long as you have unique mac address for each sub interface.
  Thanks

• INPUT textfield does not show non-English letters with transparent mode

  INPUT textfield does not show non-English letters when i
  type, if transparent mode turn on
  this is bug of Flash Player 9?
  will this bug had be fixed?

  I just tested Firefox and Chrome on linux, i doesn't work either, but i get different weird chars: éèça
  However, on both mac and linux, if i copy the chars and paste them in the input field, it passes.

• Explain about transparent mode, single mode, multiple context mode

  You can explain about the differents of transparent mode, single mode, multiple context mode in ASA 5500? Thank you very much.

  Great question. Hope the below helps:
  Transparent Mode: In this mode, the ASA will filter traffic without requiring L3 on the ASA. This means that in your config you will not put IPs on the interfaces to be used for traffic filtering. Thus, filtering is transparent to the traffic as the traffic isn't directly routed to the firewall. Think of it like you have a server plugged into a switch. In transparent mode, you place the ASA between the server and the switch and no configuration change is required to the server. In routed mode, you place the ASA in the same physical location between the server and switch, but have to change the server to use the ASA as a default gateway.
  Single Mode: Default mode of an ASA. The ASA acts as a single firewall and all interfaces are provisioned to be managed through a single firewall configuration.
  Multiple Context Mode: The ASA is split into multiple virtual configurations. With the ASA now virtualized, you provision the physical interfaces on the ASA to the virtual firewall configured. Each context has it's own configuration seperate from the rest of the firewall. Multi-context is meant for enterprises to invest in a single piece of hardware and scale it for use as multiple security devices.
  Hope this helps. Let me know if you have anymore questions!
  -Mike
  http://cs-mars.blogspot.com

• I do have Apple Cinema 23" transparent mod. M8536  but I have to clue how to connect it to PC or current versions of MAC

  I do have Apple Cinema 23" transparent mod. M8536  but I have to clue how to connect it to PC or current versions of MAC

  You will need a DVI to ADC adapter
  <http://www.amazon.com/Apple-DVI-ADC-Display-Adapter/dp/B00011KHT2>
  If the computer does not have DVI, you will also need another adapter to connect the DVI plug to the computer.

• Connectivity Issues Cisco ASA 5515 in Transparent Mode

  Hi,
  we´re having problems with one transparent mode setup at one customer site. The ASA is equiped with a CX Module, but we´re not using it, so far in the service policy rules it was enabled and matched all traffic, but in "monitor only" mode. There is a global acl that allows any-any-IP.
  Firewall-Info:
  - ASA Version 9.1(2) 
  - Interfaces gi0/0 + gi0/2 without any interface errors
  The ASA 5515x is configured as a "bump in the wire". In general our setup is working but with beginning of the installation of the firewall the customer faces following connection issues, without the firewall no problems:
  - Connections to SAP-Servers behind the MPLS begin to drop, affected all users
  - Incoming monitoring sessions (ping/snmp) from central management are facing ping timeouts, connection timeouts
  - http downloads are stopping, Customer: it will stop responding and the download will fail.
  In general the customer describes it this way: "We do not have the best connection here so once we connected the firewall all the problems are magnified"
  I recognized, that we unconfigured the default inspection during initial setup and reconfigured this entry for the cx module. So the the default inspection with all the settings are not present any more... How important are these settings? One phenomen is, that I´ve seen a large numbers of concurrent connections that increased over time. And we already had that situation, that the firewall reached the max-conn count.
  Should I try to reconfigure the default inspection, as it ships from factory? And whats the best way to check for problems? What can be the reason for the dropping connections?
  I attached a network plan and the firewall config, hopefully, that somebody has an idea. Of course I can provide additional information...
  Best Regards
  Sebastian

  Hi Vibhor,
  thanks for your reply. Does this also affect the traffic, even the setting is set to "Monitor Only" ?
  Is it recommend to configure the default-inspection rule as a default setting? 
  Further Question: I´ve read sth. about, that service policy rules must be "reloaded" to take effect, after they have been changed. Is that right and how do I reload them?
  Here is an output from sh asp drop, do I have to care about certain values? This values result from two connected users doing some downloads over a 2Mbit connection.
  ciscoasa# show asp drop
  Frame drop:
    Invalid encapsulation (invalid-encap)                                       10
    First TCP packet not SYN (tcp-not-syn)                                     114
    TCP failed 3 way handshake (tcp-3whs-failed)                                 3
    TCP RST/FIN out of order (tcp-rstfin-ooo)                                   18
    Dst MAC L2 Lookup Failed (dst-l2_lookup-fail)                               33
    L2 Src/Dst same LAN port (l2_same-lan-port)                                260
    FP L2 rule drop (l2_acl)                                                  2958
    Interface is down (interface-down)                                        9420
    No management IP address configured for TFW (tfw-no-mgmt-ip-config)        117
    Dropped pending packets in a closed socket (np-socket-closed)               66
  Thanks
  Sebastian