topic ASA Transparent Mode Deployment Issue in Network Security

ASA Transparent Mode Deployment Issue

avilt — Tue, 12 Mar 2019 03:41:18 GMT

ASA Transparent Mode Deployment Issue

Marius Gunnerud — Thu, 06 Feb 2014 09:54:51 GMT

Could you please be more specific as to what does not work. How are you testing, from which IP to which IP is not working? Are you able to ping the switch from the ASA Firewall (not the transparent firewall)?

--
Please remember to rate and select a correct answer

ASA Transparent Mode Deployment Issue

avilt — Thu, 06 Feb 2014 10:03:27 GMT

Case 1:

From management PC I can ping 10.10.10.10 & 10.10.10.11 but can not ping 10.10.10.1 or 10.10.20.1

Case 2:

Remove ips and directly connect the cable from the switch (gig0/8)to asa firewall (gig0/1) on top. Now I can ping 10.10.10.1 & 10.10.20.2 segment

ASA Transparent Mode Deployment Issue

Marius Gunnerud — Thu, 06 Feb 2014 11:18:50 GMT

Well seems you have found where the issue is yourself. looks like there is a misconfiguration on the IPS.

--
Please remember to rate and select a correct answer

Re: ASA Transparent Mode Deployment Issue

avilt — Thu, 06 Feb 2014 11:56:39 GMT

Could you please point me to the misconfiguration & how to resolve it?

Is the above setup supported?

Re: ASA Transparent Mode Deployment Issue

Marius Gunnerud — Thu, 06 Feb 2014 12:03:18 GMT

Well you have it set to fail-open so it is a little strange that it is not allowing traffic through. You could post the IPS config here and we can have a look and see if we can spot anything out of the ordinary. Otherwise, you might also want to post a question in the IPS/IDS section of the support forum.

--
Please remember to rate and select a correct answer

Re: ASA Transparent Mode Deployment Issue

avilt — Thu, 06 Feb 2014 12:23:50 GMT

IPS was set to fail open. I have tried this setup without any vlans and it seems to be working.

I strongly suspect multiple vlan in trnasparant mode will not work as ASA can not inspect vlan tagged packets. Correct me if I am wrong.

Re: ASA Transparent Mode Deployment Issue

Marius Gunnerud — Thu, 06 Feb 2014 12:44:36 GMT

Ok after a little research I think I have found a solution for you ( I am leaving out the policy map configs):

firewall transparent

hostname ASA-IPS

interface GigabitEthernet0/0.20

vlan 20

nameif Outside2

bridge-group 2

security-level 0

interface GigabitEthernet0/0.10

vlan 10

nameif Outside1

bridge-group 1

security-level 0

interface GigabitEthernet0/1.22

vlan 22

nameif Inside2

bridge-group 2

security-level 100

interface GigabitEthernet0/1.11

vlan 11

nameif Inside1

bridge-group 1

security-level 100

interface BVI1

ip address 10.10.10.10 255.255.255.0

interface BVI2

ip address 10.10.20.10 255.255.255.0

access-list inside_acl extended permit ip any any

access-list outside_acl extended permit ip any any

access-group outside_acl in interface Outside1

access-group inside_acl in interface Inside1

access-group outside_acl in interface Outside2

access-group inside_acl in interface Inside2

Also make sure that you amend the VLANs on the switch to correspond to the VLANs on the Transparent ASA.

--
Please remember to rate and select a correct answer

Re: ASA Transparent Mode Deployment Issue

avilt — Thu, 06 Feb 2014 13:17:31 GMT

Thanks, I have tried this but not working.

But it means I need to create as many vlans & BVI's on ASA that exist in between?

Re: ASA Transparent Mode Deployment Issue

Marius Gunnerud — Thu, 06 Feb 2014 13:41:49 GMT

But it means I need to create as many vlans & BVI's on ASA that exist in between?

From my understanding, yes.

--
Please remember to rate and select a correct answer

Re: ASA Transparent Mode Deployment Issue

avilt — Sun, 09 Feb 2014 07:57:33 GMT

For me this looks more like a context based firewall. Which BVI IP will be used as ASA source IP? Is it recommended for production environment?

Re: ASA Transparent Mode Deployment Issue

Marius Gunnerud — Sun, 09 Feb 2014 10:39:12 GMT

Yes, it does look much like a context firewall type config. But the config is limited to the number of bridge groups you are able to configure in single mode (this is limited to 8 BVIs). So this solution is not scalable.

Which BVI IP will be used as ASA source IP?

Each subnet requires that a BVI is configured with an IP within that subnet, otherwise traffic will be dropped. The source IP will be the BVI that is configured for that specific bridge group. So if you are sending logs to a syslog server out an interface that is in bridge group 1, then the IP of BVI 1 is the source IP.

 Is it recommended for production environment?

Although I know it is possible to configure the transparent firewall in such a way, I have never seen such a configuration in real life, nor have I ever set it ip in a prod environment. I believe I have never seen it because it is not a scalable solution and will only allow up to 8 VLANs to pass through the tranparent ASA.

I have not been able to find any documentation that says that Cisco will support such a configuration, nor have I found documentation say they will not support it. So implement this solution at your own risk

--
Please remember to rate and select a correct answer