WLSM, FWSM in transparent mode, VRF's , EAPFAST and LEAP

Has anyone got any experience of all of the above.
Some background - The FWSM is in transparent mode, using virtual contexts between the VRF and the main routing table to ensure relevant mobility traffic passes through the relevant security context.
I can authenticate with LEAP via RADIUS, then obtain an IP through DHCP, ping my gateway from wireless client but not outside my VRF. If I remove the VRF from the tunnel interface associated with my mobility group all connectivity OK.
With EAPFAST I can authenticate via RADIUS, but do not get an address through DHCP. If I use a static ( and use mobility trust on tunnel interface )I can not ping my gateway. If I remove the VRF off the tunnel interface associated with this type of users mobility group, I receive an address through DHCP, and can ping merrily everywhere.
Has anybody got any thoughts if I am missing something here?

The software requirements for Cisco Secure ACS are dependent on the type of Extensible Authentication Protocol (EAP) desired. For full support of all the EAP types including EAP-Flexible Authentication via Secure Tunneling (FAST), use release 3.2.3 or higher.
http://www.cisco.com/en/US/netsol/ns340/ns394/ns431/ns434/networking_solutions_implementation_guide09186a008038906c.html

Similar Messages

Failure when FWSM in transparent mode with multiple contexts

hi experts,
We have two FWSMs working in active/standby state, configured with multiple contexts in transparent mode. and the "outside" and "inside" interfaces for each context are in same subnet.
Now we have one FWSM broken and the RMA part can't arrived in short time, so we have the risk that the sencond FWSM could be failed as well. In the worst case if the two was broken or powered off simultaneously, i wonder that if the communications between multiple contexts could be ok???
thanks in advance.

The software requirements for Cisco Secure ACS are dependent on the type of Extensible Authentication Protocol (EAP) desired. For full support of all the EAP types including EAP-Flexible Authentication via Secure Tunneling (FAST), use release 3.2.3 or higher.
http://www.cisco.com/en/US/netsol/ns340/ns394/ns431/ns434/networking_solutions_implementation_guide09186a008038906c.html

FWSM in Transparent mode help

Hi all,
i am actually designing for a new solution based on 6509 Switch with FWSM module, here is what i have :
FWSM will be used in Transparent mode with two bridge group : 1 , 2 as mentioned on the image, i wonder if this is a correct deisgn or not, is this will work with no probleme with these two trunk links ?
i've seen on the guidelines of this url :
http://www.cisco.com/en/US/docs/security/fwsm/fwsm22/configuration/guide/fwmode.html#wp1184961
"The transparent FWSM uses an inside interface and an outside interface only. "
is it applicable in my case,
any other information will be welcome.
Thanks for help

Hi,this is sample configuration.
6509A:
vlan 256
name FWoutside
int vlan 256
ip addr 98.1.1.252 255.255.255.0
6509B:
vlan 255
name FWinside
int vlan 255
ip addr 98.1.1.251 255.255.255.0
firewall module 3 vlan-group 16,32
firewall vlan-group 16 255
firewall vlan-group 32 256
FW:
firewall transparent
nameif vlan256 outside security0
nameif vlan255 inside security100
access-list ACL_IN extended permit ip any any
access-group ACL_IN in interface outside
access-group ACL_IN in interface inside
6509B:
6509B#ping 98.1.1.252
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 98.1.1.252, timeout is 2 seconds:
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
6509B#

FWSM in transparent mode

i find in cisco site document about transparent mode .link as follow:
http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/mod_icn/fwsm/fwsm_2_3/fwsm_cfg/fwmode.htm#wp1184961
it said:
The Firewall Services Module (FWSM) connects the same network on its inside and outside ports but uses different VLANs on the inside and outside
how can i config two different vlan belong to same network?
is there somebody give me a example.
thank you very much

Hi,this is sample configuration.
6509A:
vlan 256
name FWoutside
int vlan 256
ip addr 98.1.1.252 255.255.255.0
6509B:
vlan 255
name FWinside
int vlan 255
ip addr 98.1.1.251 255.255.255.0
firewall module 3 vlan-group 16,32
firewall vlan-group 16 255
firewall vlan-group 32 256
FW:
firewall transparent
nameif vlan256 outside security0
nameif vlan255 inside security100
access-list ACL_IN extended permit ip any any
access-group ACL_IN in interface outside
access-group ACL_IN in interface inside
6509B:
6509B#ping 98.1.1.252
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 98.1.1.252, timeout is 2 seconds:
Success rate is 80 percent (4/5), round-trip min/avg/max = 1/1/1 ms
6509B#

Can a Transparent mode firewall use /30 and still work.

Here is my question, I have a ASA 5510 that is connected to my ISP and the inside interface that is connected to my router. I have a /30 and need to determine if the configuration of x.x.x.121/30 which is my ISP and also the BVI address on the ASA. The inside router address is x.x.x.122/30 same subnet as my ISP will allow me to pass traffic. Management interface works using a different ip address but not able to get the traffic to pass traffic out to the internet thru the ASA
ISP-------->ASA-------->Router
Bottom Line is that I only have one usable address that is being used by the router and the ISP and ASA are using the other. Will this work?

Transparent firewall needs a management ip address in the same subnet as the passing traffic. Also please check the vlans of the switch port (if any) of the outside and inside interfaces. The vlans needs to be different for both interfaces.
Posted by WebUser Fawad Khan from Cisco Support Community App

ASA 5510 in Transparent Mode-Guidelines.

Dear all,
I need to convert routed mode to transparent mode on my ASA-5510 with inbuilt IPS.
let me know which of the following features configured on my firewall will have issue if converted to transparent mode:
1. static routes.
2. object-groups.
3. ACLS.
4. URL-filter (Websense).
5. IPS . ( i doubt this )
6. have 3 data and 1 Mgmt interfaces.
7. syslog.
8. SNMP
I'm sure point 5 and 6 will have issues, need to confirm.
need to confirm this by EOD,
( 5 hours more).
thanks in advance.
Shukla.

Does not participate in routing protocols but can still pass routing protocol traffic through it. You can define static routes for the traffic originated by the ASA.
in transparante mode the devices dehind and infront of the firewall will be in the same ip subnet as the firewall will be a L2 device!!
ACLs can be configured normally
syslog as well
obgect groups as well
Address translation is inherent when a firewall is configured for routed mode. Beginning with
ASA 8.0, address translation can be used in transparent mode as well
Does not participate in multicast. However, it allows passing the multicast traffic through it using the ACLs.
Does not support QoS.
Inspects Layer 2 and higher packet headers
as long as u can use
policy-map global_policy
then u can integrate with IPS if u mean AIP-ssm modul
transparent also known as a Layer 2 firewall or a stealth firewall, because its
interfaces have no IP addresses and cannot be detected or manipulated. Only a single
management address can be configured on the firewall
In transparent mode, a firewall can support only two interfaces-the inside and the outside. If
your firewall supports more than two interfaces from a physical and licensing standpoint, you
can assign the inside and outside to two interfaces arbitrarily. As soon as those interfaces are
configured, the firewall does not permit a third interface to be configured.
Some platforms also support a dedicated management interface, which can be used for all
firewall management traffic. However, the management interface cannot be involved in
accepting or inspecting user traffic
Configure a management address:
Firewall(config)# ip address ip_address subnet_mask
The firewall can support only a single IP address for management purposes. The address is
not bound to an interface, as in routed mode. Rather, it is assigned to the firewall itself,
accessible from either of the bridged interfaces.
The management address is used for all types of firewall management traffic, such as Telnet,
SSH, HTTP, SNMP, Syslog, TFTP, FTP, and so on.
A transparent firewall can also support multiple security contexts. In that case, interface IP
addresses must be configured from the respective context. The system execution space uses
the admin context interfaces and IP addresses for its management traffic
You do not have to configure a static route for the subnet directly connected to the firewall
interfaces. However, you should define one static route as a default route toward the outside
public network
i wish i covered all ur questions
good luck
if helpful Rate

Trying to figure out whether I can use an ASA cluster in Transparent mode to facilitate VRF based network ??

Hi Guys,
I had to re-post this here because I did not get any comments earlier.. hopefully I'll get something here.. :)
I'm investigating the ways that I can use 2 x ASA (5525x) to accommodate Multi-tenancy situation with overlapping addresses. Unfortunately in this particular scenario we have to stick with 5525x firewalls.
The ASAs are going to be placed in north-south traffic path between 2 routers and these routers need to be configured with multiple VRFs to segregate the traffic for each tenant with overlapping IP subnets ( We are not looking at NAT as a workaround for the time being).
As we know, this ASA model won't support VRFs so we can't use the ASA as a intermediary routing hop and therefore this is not an option.. and using security contexts per VRF seems not scale-able enough (correct me if I'm wrong). So my thinking is that, if we put the ASAs in to the transparent mode and just use the ASAs as a layer 2 interconnect (configured with different VLANs connecting VRFs served by top and bottom routers) I should be able to go up to maximum of 50 VRFs (since 5525x only supports 200 VLANs).
I'm also planning to use the 2 ASAs in a cluster mode to aggregate the bandwidth of both ASAs for better throughput.
So I need to clarify following with you guys..
1) Can I actually do this or am I missing something.
2) Are there any limitations that I might run in to with this setup
3) Is there anyone out there who's doing the same thing or can you think of a better way to tackle this scenario (with same hardware and requirements)
4) Instead of using clustering, can I use simple Active/Stanby pare and still configure transparent mode and use it that way ?
Appreciate your input.
Thanks
Shamal

There is a limitation on how many context you can have, which depends on the license you have. This is quite possible with ASA multi routed mode and even with multi transparent mode. You can have overlapping ip in each context without the need of using nat as long as you have unique mac address for each sub interface.
Thanks

Design FWSM in transparent or routed mode in the DC !!!

Hi guys ,i was wondering with so many security zones in the server farm or DC and according to FWSM's capability of supporting only two interfaces in transparent mode which design is really the best one? i mean using multiple context in transparent mode or just using the whole system in routed mode ???
Thanks in advance ,...

As per my experiance, there should be real justice and need to go for Transperent mode. To fully utilize the box capability and to play around with your network, always prefer Routed mode. Transperent mode is also difficult to trouble shoot.
Choose transperent mode to insert a firewall in a previously unprotected network, and to put firewall without out disturbing the network..
regards
Prasad

VRF issue with Firewall in transparent Mode.

Hi Guys,
I have 7609 Router and 6513 L3 Switch connected Through ASA 5545.
I am running Multiple VRF between router and Switch and BGP routing Protocol. When they are connected directly to each other everything is normal, however, when I have connected them via ASA 5545 then everything fails. I am using ASA in transparent Mode.
My question is: Do ASA require different setting in case of VRF? If yes, then please give me sample config.

I have taken following output from Firewall will this be any help?
sh interface ouTSIDE
Interface GigabitEthernet0/1 "OUTSIDE", is up, line protocol is up
Hardware is i82574L rev00, BW 1000 Mbps, DLY 10 usec
        Auto-Duplex(Full-duplex), Auto-Speed(1000 Mbps)
        Input flow control is unsupported, output flow control is off
        MAC address 7c69.f68f.df78, MTU 1500
        IP address 175.4.8.35, subnet mask 255.255.255.248
        8435 packets input, 680680 bytes, 0 no buffer
        Received 8135 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 pause input, 0 resume input
        8138 L2 decode drops
        0 packets output, 0 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 1 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        input queue (blocks free curr/low): hardware (476/461)
        output queue (blocks free curr/low): hardware (511/511)
Traffic Statistics for "OUTSIDE":
        297 packets input, 118503 bytes
        0 packets output, 0 bytes
        297 packets dropped
      1 minute input rate 0 pkts/sec, 13 bytes/sec
      1 minute output rate 0 pkts/sec, 0 bytes/sec
      1 minute drop rate, 0 pkts/sec
      5 minute input rate 0 pkts/sec, 6 bytes/sec
      5 minute output rate 0 pkts/sec, 0 bytes/sec
      5 minute drop rate, 0 pkts/sec
ciscoasa# show asp drop
Frame drop:
FP L2 rule drop (l2_acl)                                                   297
ASA Version 9.0(1)
firewall transparent
ciscoasa# show module all
Mod Card Type                                    Model              Serial No.
0 ASA 5545-X with SW, 8 GE Data, 1 GE Mgmt     ASA5545
ips ASA 5545-X IPS Security Services Processor   ASA5545-IPS
Mod MAC Address Range                 Hw Version   Fw Version   Sw Version
0 7c69.f68f.df77 to 7c69.f68f.df80 1.0          2.1(9)8      9.0(1)
ips 7c69.f68f.df75 to 7c69.f68f.df75 N/A          N/A          7.1(4)E4
Mod SSM Application Name           Status           SSM Application Version
ips IPS                            Up               7.1(4)E4
Mod Status             Data Plane Status     Compatibility
0 Up Sys             Not Applicable
ips Up                 Up
Mod License Name   License Status Time Remaining
ips IPS Module     Enabled         perpetual
ciscoasa#
I have create Ehtertype ACL and permit any traffic.
cdp traffic has passed through but I am still not able to ping :(

Using Clustered ASAs in Transparent mode to support VRF based Network ?

Hi Guys,
I'm investigating the ways that I can use 2 x ASA (5525x) to accommodate Multi-tenancy situation with overlapping addresses. Unfortunately in this particular scenario we have to stick with 5525x firewalls.
The ASAs are going to be placed in north-south traffic path between 2 routers and these routers need to be configured with multiple VRFs to segregate the traffic for each tenant with overlapping IP subnets ( We are not looking at NAT as a workaround for the time being).
As we know, this ASA model won't support VRFs so we can't use the ASA as a intermediary routing hop and therefore this is not an option.. and using security contexts per VRF seems not scale-able enough (correct me if I'm wrong). So my thinking is that, if we put the ASAs in to the transparent mode and just use the ASAs as a layer 2 interconnect (configured with different VLANs connecting VRFs served by top and bottom routers) I should be able to go up to maximum of 50 VRFs (since 5525x only supports 200 VLANs).
I'm also planning to use the 2 ASAs in a cluster mode to aggregate the bandwidth of both ASAs for better throughput.
So I need to clarify following with you guys..
1) Can I actually do this or am I missing something.
2) Are there any limitations that I might run in to with this setup
3) Is there anyone out there who's doing the same thing or can you think of a better way to tackle this scenario (with same hardware and requirements)
4) Instead of using clustering, can I use simple Active/Stanby pare and still configure transparent mode and use it that way ?
Appreciate your input.
Thanks
Shamal

Is any expert out there who can answer my query ?. Much appreciated.

MAC address and the CAM entries on the Layer 3 FWSM(Transparent mode)

Hi,
With refrence of Cisco Secure Firewall Services Module (FWSM) of Cisco Press book it's mentioned that
"While configuring the transparent mode in FWSM, it is important to specify the MAC address and the CAM entries on the Layer 3 next hop device of FWSM."
This part of configuration is not very much clear to me please let me know the logic of this things
The following are two examples:
Layer 3 Device A (PFC) at the Outside Security Domain
! IP address of the next hop for the outside security domain
interface Vlan20
mac-address 0000.0000.0001
ip address 10.10.1.1 255.255.255.0
! Specify the IP address and MAC address at the first hop layer 3 interface
! of the inside security domain
arp 10.10.1.21 0000.0000.0001 ARPA
Layer 3 Device B at the Inside Security Domain
! IP address of the next hop for the inside security domain
interface Vlan21
mac-address 0000.0000.0021
ip address 10.10.1.21 255.255.255.0
! Specify the IP address and MAC address defined at the first hop interface
! of the outside security domain
arp 10.10.1.21 0000.0000.0002 ARPA
Regards
Chris

Check the serial # reported by Sys Info against the serial # printed on the bottom of the case. I bet they are not the same. The service center did not change the serial # on that new Logic board to match the REAL serial number of your Mac.
So when you try to go to the MAS it looks like a completely different Mac which is not registered under your Apple ID.
If the above is true, the serials being different, then you need to take it back and have that changed to your REAL serial number.

Transparent Mode Guide

hi,
anyone here already has a summarized procedure on how to configure Ironport on Transparent Mode?
I assume that all existing proxies are supported by ironport if im going to have the WSA in transparent mode
Please post. if you already have one..
thank you

Hi Jon,
Thanks for the reply.
I have read two documents, one was 180 pages and the other one was over 400. I am not able to understand how to get the 6509 to communicate with the FWSM.
This is my Scenario:
I have to issue the "session slot 3 processor 1" command in order to get to the FWSM.
When there, i can see the following:
Version: Device Manager Version 5.2(4)F
Firewall Status:
FWSM# sho fire
Context Mode
admin Transparent
FWSM#
This is what I'm trying to do:
I have A client is renting a server and he is expecting some DDoS and so forth, i want to put him behind the FWSM.
He is right now sitting on vlan 473. This is a L3 Switch, so vlan 473 exists on L2 and obviously an SVI (interface vlan) with the following configuration:
Router.(config-if)#do svlan 473
Building configuration...
Current configuration : 201 bytes
interface Vlan473
description 04001021613.PRIVATELAYER.CH
ip address 31.7.61.177 255.255.255.240
ip access-group SPAM out
no ip redirects
no ip proxy-arp
ipv6 address 2A02:29B8:2118::1/48
end
Router.(config-if)#
I am aware that in routed mode you have to add the same vlans to the FWSM and so forth, but in transparent mode, honestly i am clueless.
Its stated that i have to use TWO interfaces and configure the same IPs on each (...) in routed mode i know its not possible, but in transparent mode it is somehow.
NOTE: I am only a CCNA but have done a LOT of research on the topic, I have not found a step-by-step guide not even in the CCNP or CCIE training videos out there. (i have over 40GB of Cisco videos...getting frustrated)
Any help is appreciated.
Thanks,
Ezequiel

The difference between VTP server and transparent mode on Catalyst Switch.

Hello
I have a question about the difference between VTP server mode and VTP transparent mode on general catalyst switch.
Basically VTP server mode can create and modify VLAN configuration but actually there is not any VLAN configuration through running-config, is it true? When I checked it on Cat3550, certainly there is not VLAN configuration on VTP server mode. But VTP transparent can create VLAN and configuration but does not synchronize with other switch VLAN status. I appreciate any related information and reason of the VTP server mode specification, thank you very much.
[VTP Transparent mode]
3550#sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 27
VTP Operating Mode : Transparent
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
*omit
3550#
3550#sh run
Building configuration...
*omit
vlan 99
name TEST-VLAN
[VTP Server mode]
3550#sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 27
VTP Operating Mode : Server
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
*omit
3550#
3550#sh run
Building configuration...
*no VLAN like above configuration on VTP transparent mode.
Best Regards,
Masanobu Hiyoshi

Hi mhiyoshi,
3550#sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 27
VTP Operating Mode : Transparent
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
*omit
3550#
3550#sh run
Building configuration...
*omit
vlan 99
name TEST-VLAN
The above out put indicates that Vlan is created and then mode changed to transparent. i.e why revision no is 0.
3550#sh vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 1005
Number of existing VLANs : 27
VTP Operating Mode : Server
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
*omit
3550#
3550#sh run
Building configuration...
*no VLAN like above configuration on VTP transparent mode.
This indicates that vlan never created in server mode nor learnt from another switch as revision no is 0

Cisco ASA 5512 Transparent mode

Hi all - hope this is the right place to ask this question-
I'm having trouble understanding how to configure an ASA 5512X in what should be a really easy way -
I simply want the ASA to be a transparent Layer 2 "bump" in a routed link between two networks, and then I'll use the Management interface to actually see the firewall ASDM,Syslog, configure, etc.
I have the interfaces set up thusly:
interface GigabitEthernet0/0
nameif UnTrustedNetwork
security-level 0
interface GigabitEthernet0/1
nameif TrustedNetwork
security-level 100
interface Management0/0
nameif ManagementAccess
security-level 100
ip address 192.168.X.Y 255.255.255.0
management-only
I cannot figure out how to install a default route so that interface Management0/0 with it's IP of 192.168.X.Y can be reached from
other networks, like 10.6.X.Y, etc.
I thought the point of a Management interface was that you could set things up in such a way that the Management interface
was the only way you could access the firewall, and you did not have to have IP addresses on the Gig interfaces,
(at least not in transparent mode, for NAT you obviously would have to)
I tried to add a static route entry to 10.6.X.Y , but
when I typed "route.." my only available destination interfaces were either TrustedNetwork or UnTrustedNetwork ??
How do I configure the Management interface for non-local subnets to be reachable on the firewall in transparent mode?

transparent firewall is configured differently from routed mode.
here's a basic config required:
firewall transparent (erases the current config; does not require a reboot)
interface BVI1
ip address 192.168.10.10 255.255.255.0
interface GigabitEthernet0
nameif outside
bridge-group 1
security-level 0
interface GigabitEthernet1
nameif inside
bridge-group 1
security-level 100
route outside 0.0.0.0 0.0.0.0 192.168.10.254
route inside 10.0.0.0 255.0.0.0 192.168.10.100
I think that you need a BVI interface with an IP address before the ASA starts forwarding traffic
The old syntax (pre 8.3 or 8.2 not sure) forces only 2 interfaces and no BVI was configured... the IP was assigned in global config.
Hope that helps,
Patrick

ASA Transparent mode multicast traffic in 8.2 and 8.4

Hi,
When i configure 8.2 in trasparent mode and deploy the a network that was wrok on EIGRP after that i found the neighborship was stop when i allow the mutlicast address and prtocol on outside interface it was start the working But when i deploy an ASA with 8.4 IOS and then allow the multicast address and protocol both the interface (Inside and outside) after that it was start working.
So i want to know that what the reasion to allow multicast address and protocol on 8.4 IOS for both interface. I am not able to find any answer for this.

Hi Mahesh,
By default ASA in transparent mode do not allow any packets not having a valid EtherType greater than or equal to 0x600. As per my knowledge this concept remain same for all versions of ASA. Most control plane protocols are denied.
ASA in transparent mode only allows ARP, broadcast traffic, TCP and UDP inspected unicast traffic.
For EIGRP to work through transparent firewall, we need to open ACLs in both direction for multicast and unicast both type of EIGRP traffic on all versions of ASA Firewall.

WLSM, FWSM in transparent mode, VRF's , EAPFAST and LEAP

Similar Messages

Maybe you are looking for