topic To be precise here is my in Network Security

ASA Transparent With Multiple Interfaces & Vlans

avilt — Tue, 12 Mar 2019 08:48:28 GMT

Can i use ASA-5525X in transparent mode with following situations

1. Four interfaces in the same vlan (two inside, two outside)

2. Two interfaces in one subnet and another two interfaces in another subnet

When running in transparent

Karsten Iwen — Fri, 20 Jan 2017 10:25:17 GMT

When running in transparent mode, all interfaces belong to one IP subnet. But you can use VLANs (to be more exact, subinterfaces that belong to a VLAN) to separate the systems to different firewall-interfaces. That is how I run my home-office ASA. All devices and the ESX-Server are connected to one layer2-switch and belong to the same IP subnet, but all traffic between the systems (also the virtual ones) is filtered by the transparent firewall.

But when running transparent, the ASA doesn't route any more. I've never set up it that way, but as a workaround, you could convert the ASA to multiple context mode (which gives you multiple virtual firewalls) and run one context transparent and another one routed.

1. Four interfaces in the

Marius Gunnerud — Sat, 21 Jan 2017 15:11:42 GMT

1. Four interfaces in the same vlan (two inside, two outside)

Having four interfaces in the same VLAN will not accomplish anything with regard to the transparent firewall. They would still be in the same broadcast domain so traffic will actually never go through the ASA for inspection / packet filtering. This is why you need a minimum of two VLANs for transparent firewall setup to work.

2. Two interfaces in one subnet and another two interfaces in another subnet

This is easily done, just create two BVI interfaces and then add each interface to the required bridge-group. For example, you could do something like the following:

interface BVI1
ip address 10.10.10.1 255.255.255.0

interface BVI2
ip address 10.10.11.1 255.255.255.0

int ethernet 1

security-level 100

nameif inside1

bridge-group 1

int ethernet 2

security-level 0

nameif outside1

bridge-group 1

int ethernet 3

security-level 100

nameif inside2

bridge-group 2

int ethernet 4

security-level 0

nameif outside2

bridge-group 2

Please remember to select a correct answer and rate helpful posts

To be precise here is my

avilt — Sat, 21 Jan 2017 15:47:15 GMT

Please refer the attached diagram.

Now I need to introduce a single firewall in transparent mode without context based firewall. Two ACL's. One common ACL for two outside systems and another common ACL for two Inside systems.

How can I achieve the firewall solution?

What are system A, B, C and D

Marius Gunnerud — Sat, 21 Jan 2017 15:47:16 GMT

What are system A, B, C and D? switches, routers, PCs?

you could slip the transparent firewall in between system A and systems B/C or between Systems B/C and System D. Depending on what systems B and C are you might also be able to place it between them also.

If one of the systems is a switch you could connect the ASA to the switch.

Please remember to select a correct answer and rate helpful posts

Please refer the attached

avilt — Sat, 21 Jan 2017 16:26:44 GMT

Please refer the attached diagram in the previous thread, they are just end systems.

Now I need to introduce a single firewall in transparent mode without context based firewall. Two ACL's. One common ACL for two outside systems and another common ACL for two Inside systems.

How can I achieve the firewall solution?

I am not sure if that is

Marius Gunnerud — Sat, 21 Jan 2017 16:56:32 GMT

I am not sure if that is possible with two ACLs. is using two ACLs a requirement? The issue here is that ACLs are applied on a per interface basis or use the global ACL.

Please remember to select a correct answer and rate helpful posts

With that easy setup (looks

Karsten Iwen — Sat, 21 Jan 2017 17:01:38 GMT

With that easy setup (looks now easier then in your initial request) I would use four ACLs, one per system, and each ACL controls what this device is allowed to reach.

If possible I would like to

avilt — Sat, 21 Jan 2017 19:24:13 GMT

If possible I would like to define 4 acl, each for a interface. Is it possible & what should be my transparent config?

You could do something like

Marius Gunnerud — Sat, 21 Jan 2017 20:33:32 GMT

You could do something like the following. just replace interface, nameif, and security levels as needed:

conf t

firewall transparent

int bvi 1

ip add 192.168.10.x 255.255.255.0

int e1

security-level 100

nameif inside1

bridge-group 1

no shut

int e2

security-level 80

nameif inside2

bridge-group 1

no shut

int e3

security-level 60

nameif inside3

bridge-group 1

no shut

int e4

security-level 40

nameif inside4

bridge-group 1

no shut

access-list inside1_in permit ip host 192.168.10.1 any

access-list inside2_in permit ip host 192.168.10.2 host 192.168.10.1

access-list inside2_in permit tcp host 192.168.10.2 host 192.168.10.3 eq 80

access-list inside2_in deny ip host 192.168.10.2 192.168.10.0 255.255.255.0

access-list inside2_in permit ip any any

access-list inside3_in permit udp host 192.168.10.3 host 192.168.10.2 eq 53

access-list inside3_in deny ip host 192.168.10.3 192.168.10.0 255.255.255.0

access-list inside3_in permit ip any any

access-list inside4_in deny ip host 192.168.10.4 192.168.10.0 255.255.255.0

access-list inside4_in permit ip any any

access-group inside1_in in interface inside1

access-group inside2_in in interface inside2

access-group inside3_in in interface inside3

access-group inside4_in in interface inside4

Please remember to select a correct answer and rate helpful posts