topic Transparent mode: In in Network Security

ASA5505 Transparent mode

Dustin Flint — Tue, 12 Mar 2019 05:17:55 GMT

I am trying to use a 5505 in transparent mode. I have always used routed mode previously, so I am sure I am missing something simple. Essentially we are creating a shared network space with another IT entity. We are using a class C address space in total, but splitting it in half between each group. My understanding is that if I want to have a FW on our side, i need to have it in transparent mode since it is all one address space. I am having trouble communicating with the other side. I am essentially ont the 172.16.3.128/25 suide. I am unable to pass traffic/ping the other side, 172.16.3.1. If I take the FW out completely and jsut put a router in it works fine, so I know I am missing something on the ASA configuration, and have tried all kinds of route and acl settings. A basic network layout is attached along with the FW config. Any help would be appreciated.

Transparent mode: In

Rishabh Seth — Tue, 06 Jan 2015 09:40:23 GMT

Transparent mode: In transparent mode the ASA resides on a link between two devices on same network.

As per your network design you have your ASA connecting two different networks, 172.16.3.1/25 and 172.16.3.128/25.

If you want you make two subnets communicate with each other you can use ASA in router mode itself.

If possible, provide more information about your network requirement.

Hope it helps.

In routed mode, I can not

Dustin Flint — Tue, 06 Jan 2015 12:43:20 GMT

In routed mode, I can not have an outside interface and inside interface on the same subnet, which is what I need. So If I use a /24 instead of a slash /25, and everything is in the same subnet, how do firewall rules work if I need top separate traffic from 172.16.5.1-127 from traffic from 128-254. If they are on the same subnet wont traffic just bypass the firewall since they are on the same subnet?

If your requirement is to

Rishabh Seth — Tue, 06 Jan 2015 15:53:35 GMT

If your requirement is to just separate /24 address space into two halves and monitor the traffic between these new subnets then it is possible in router mode itself.

You can assign one IP from 172.16.5.1-127/25 address space to your inside interface.

Similarly one IP from 172.16.5.128-255/25 address space to your outside interface.

And configure users sitting behind inside interface to have default gateway as inside interface's IP. Similarly configure users behind outside interface with default gateway as outside interface's IP.

When you break the subnet from /24 to /25, the communication between two /25 subnets will be through ASA. So you can configure ACLs to monitor traffic.

Hope it helps.

Risseth, thanks for the

Dustin Flint — Tue, 06 Jan 2015 16:00:42 GMT

Risseth, thanks for the response.

There lies my problem. That's how I want to do it, however, I do not have control of the 172.16.5.1-127 space, that is going to be used by another IT entity. Therefore my outside and inside interface has to be on the same subnet.

So my understanding is I have to do this in transparent mode, however I will still need to be able to filter traffic from the 172.16.5.1-127 from the 172.16.5.128-254 space I am using.

I was just going to create a bridge group with the /25 mask and assign it 172.16.5.129, with a static route to 172.16.5.1 on the other side. Then do ACLs accordingly. However, this does not seem to be working properly.

Is my thinking here incorrect?

[device1]--------[ASA]-------

Rishabh Seth — Wed, 07 Jan 2015 05:24:41 GMT

[device1]--------[ASA]-------[device2]

Are device1 and device 2 in same /25 subnet?

================================================================

refer the following link for transparent firewall:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/fwmode.html

No they are in the same /24

Dustin Flint — Wed, 07 Jan 2015 11:57:57 GMT

No they are in the same /24 subnet

Figured it out. I now have

Dustin Flint — Thu, 22 Jan 2015 15:54:37 GMT

Figured it out. I now have this working