topic Transparent mode implies the in Network Security

ASA Transparent Mode quick question

Federico Coto Fajardo — Tue, 12 Mar 2019 04:15:09 GMT

Hello Community,

Can you please confirm if we still have the restriction of only being able to use two interfaces when the ASA is in transparent mode?

Even in 9.2 code?

Thanks,

Transparent mode implies the

jason.loera — Wed, 28 May 2014 15:22:10 GMT

Transparent mode implies the ASA is a layer two "bump on the wire". My guess is yes, you can only use two interfaces since you're logically on the same VLAN upon entry and exit.

Thank you for your response.

Federico Coto Fajardo — Wed, 28 May 2014 15:25:38 GMT

Thank you for your response.

My understanding is that you're on the same Layer 3 subnet but on different VLANs upon entry and exit. And my confusion is that the documentation says you can have up to 8 bridge groups (each bridge group belonging to a separate subnet).

So I'm not sure if that means you can have up to 8 different DMZs directly connected to the ASA?

Bridge groups for transparent mode

8.4(1)

If you do not want the overhead of security contexts, or want to maximize your use of security contexts, you can group interfaces together in a bridge group, and then configure multiple bridge groups, one for each network. Bridge group traffic is isolated from other bridge groups. You can configure up to eight bridge groups of four interfaces each in single mode or per context.

We introduced the following commands: interface bvi , show bridge-group .

You can have multiple

jason.loera — Wed, 28 May 2014 15:41:26 GMT

You can have multiple networks connected to the back end. Cisco's documentation is confusing on this, however. In my experience, I was able to accomplish this by using a router on each end of the firewall. The internal router acted as the gateway for all of my internal networks whereas the external router was my WAN-facing router. It was more costly and not an ideal solution, but it worked.

Thank you for your help. In

Federico Coto Fajardo — Wed, 28 May 2014 15:42:21 GMT

Thank you for your help.

In version 7.x this is what the documentation says:

The transparent security appliance uses an inside interface and an outside interface only. If your platform includes a dedicated management interface, you can also configure the management interface or subinterface for management traffic only.
In single mode, you can only use two data interfaces (and the dedicated management interface, if available) even if your security appliance includes more than two interfaces.

But since release 8.4(1), you can now use Bridge Groups.
That mean the above is no longer a restriction and you can have up to 8 directly-connected DMZs?

I guess the only thing I want

Federico Coto Fajardo — Wed, 28 May 2014 15:53:27 GMT

I guess the only thing I want to know is if you can have the following:

8 subnets: 192.168.0.0/24 - 192.168.7.0/24

Each segment directly connected to the ASA, and each one having the default GW the router (not the ASA).

And if so, this means the restriction of only being able to use a single inside/outside interface is no longer there?

Basically the ASA can now handle traffic from 8 different subnets separately in transparent mode?

You're absolutely right the

Federico Coto Fajardo — Wed, 28 May 2014 16:05:38 GMT

You're absolutely right the documentation is not clear!

Can you please look at this and see if means I can use multiple physical interfaces on the ASA now in transparent mode.

Interfaces in Transparent Mode

Interfaces in transparent mode belong to a “bridge group,” one bridge group for each network. You can have up to 8 bridge groups of 4 interfaces each per context or in single mode. For more information about bridge groups, see Bridge Groups in Transparent Mode.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/interface-basic.html#pgfId-1324530

Yes. You can separate each

jason.loera — Wed, 28 May 2014 18:20:01 GMT

Yes. You can separate each network into a different bridge group. However, at this point, you may be better off using your ASA in routed mode. You'll have more control over internal traffic (i.e. traffic between networks) and your network is more scalable for future growth.

As for physical interfaces,

jason.loera — Wed, 28 May 2014 18:21:15 GMT

As for physical interfaces, yes. You can assign a different VLAN to each interface.

Jason, if I want to do this:

Federico Coto Fajardo — Wed, 28 May 2014 20:13:41 GMT

Jason, if I want to do this:

I have 6 different inside Layer 3 subnets that I need to pass through the ASA in transparent mode to the outside interface.

192.168.15.0/24

192.168.200.0/24 ——> ASA ——> External Network

172.16.104.0/22, etc.

I need a router on the inside of the ASA. Cannot do it directly (without the inside router). That's what you're saying?

Thanks!

According to Cisco's

jason.loera — Wed, 28 May 2014 22:53:42 GMT

According to Cisco's documentation, it's possible. However, I've never been able to get it to work. Using the ASA as the router in routed mode would accomplish this, too.