topic Re: ASA config help in Network Security

ASA config help

Antony_85 — Mon, 02 Aug 2021 02:03:40 GMT

Hi guys, I was wondering if I could get some assistance from one of the gurus here. I have switch config knowledge but not much ASA config experience. The scenario is as follows (diagram attached)

Plant Switch: I don't have access to it. It's managed by the corporate network team. They will configure VLAN20 with a tagged port.

ASA-5508-X: this is a test ASA not in the production network. Need to put this in TRANSPARENT mode and have ASDM access to it (GUI access). I have put the ASA into transparent but once I do I lose access to ASDM. I set it to factory settings and haven't done any changes yet (have ASDM access back).

2960-CX Test Switch: added VLAN20; ports are configured as ACCESS

Basically need to transfer VLAN 20 traffic through the firewall with no filtering.

Re: ASA config help

Rob Ingram — Mon, 02 Aug 2021 07:16:02 GMT

@Antony_85

Once you put the ASA in transparent mode it will reset the configuration (that is to be expected). You will need direct access to the ASA to configure the bridge group, BVI, ACL and ip address (for mgmt). The plant switch's interface will need to be an access interface, in vlan 20.

Re: ASA config help

balaji.bandi — Mon, 02 Aug 2021 09:28:41 GMT

Basically need to transfer VLAN 20 traffic through the firewall with no filtering.

Quick question before we can suggest something ? why do you need Transparent FW, if you do not required FW here ?

you can extend the VLAN to other switch using Trunk right ? what is the challenges here ?

Re: ASA config help

Antony_85 — Mon, 02 Aug 2021 23:10:42 GMT

Hi Rob,

Thank you for the response. Could you review if I got the following right? Ones I put the ASA in transparent mode I need to execute !

Switch to transparent mode enable ASDM

Config-T

Firewall Transparent

Interface bvi-1

Ip address 10.29.96.2 255.255.255.0

http server enable

http 0.0.0.0 0.0.0.0 inside

Setting passive mode

Int e0/0

Switchport access vlan 1

No shutdown

Int e0/1

Switchport access vlan 20

No shutdown

Interface vlan 1

Nameif outside

Bridge-group 1

Interface vlan 20

Nameif inside

Bridge-group 1

Re: ASA config help

Antony_85 — Mon, 02 Aug 2021 23:15:24 GMT

Hi Balaji,

Thank you for your response. The plant engineers want a firewall in between the cooperate network and the manufacturing network (2 separate subnets). Some of the PCs connected to VLAN 20 needs access to the cooperate network and some don’t. It will mainly sit as an intrusion detection device.

Re: ASA config help

Rob Ingram — Tue, 03 Aug 2021 07:31:13 GMT

@Antony_85

If you are using the FW in transparent mode, the 3 devices will need to be in the same network (10.29.96.x), the plant switch in your diagram does not appear to be. You'll also need to consider ACLs.

Re: ASA config help

balaji.bandi — Tue, 03 Aug 2021 09:37:36 GMT

If you want to extend the VLAN that is fine, You can use FW as Transparent, but i see some difference in IP address range, or do you have same IP range Layer 2 available on the same switch ?

Goog example :

https://www.networkstraining.com/cisco-asa-firewall-in-transparent-layer2-mode/

Re: ASA config help

Antony_85 — Tue, 03 Aug 2021 21:40:11 GMT

Hi Rob,

I just realize I made a mistake in the diagram. All 3 devices will be in the same subnet. I got the INSIDE working with VALN20 in transparent mode just waiting for the network team to do their part to test further.

I had to assign 192.168.1.1 to the Management interface (for ASDM access) because it wouldn't assign a 10.29.96.X IP address to it. Many thanks for the help.

Re: ASA config help

Antony_85 — Tue, 03 Aug 2021 21:43:00 GMT

Hi Balaji,

Thank you for your response. This example is exactly the setup I need. I realize (Rob pointed out) that I made a mistake in my diagram. all 3 devices will be in the same subnet (just like in the example). I managed to get the INSIDE interface working with VLAN20 just waiting for the network team to do their part to test further. Thank you again for the help.

Re: ASA config help

balaji.bandi — Wed, 04 Aug 2021 09:20:21 GMT

No worried please keep posted the outcome ..happy to help where we can ?

Re: ASA config help

Antony_85 — Wed, 04 Aug 2021 21:42:35 GMT

Thanks, mate,

The network team informed me they configured an Access port so I should be able to test the outcome today. I'll keep you guys posted

Re: ASA config help

Antony_85 — Thu, 05 Aug 2021 04:12:13 GMT

Hay guys,

So it worked. Attached below is my config. Thanks, heaps for all the advice and help. The only issue was I couldn't assign 10.29.96.X to the management interface of the ASA. So had to assign a different subnet but enable ASDM access to INSIDE interface so that works over the network.

Best regards.

Re: ASA config help

balaji.bandi — Thu, 05 Aug 2021 09:36:44 GMT

Good to know, thank you for the feedback. !