topic Re: Transparent Firewall with BVI in Network Security

Transparent Firewall with BVI

necxzcisco — Tue, 12 Mar 2019 00:35:50 GMT

Hi! I have a question regarding transparent firewalls using BVIs.

Based from the diagram above, ASA1 is in Transparent mode.

Port Gi0 is assigned BVI-1 and port Gi1 is assigned BVI-2.

Is it possible for network 1 to communicate with network 2 ?

The traffic will be passing through Firewall towards the router, The router will do the routing and then forward it back to the firewall then towards network 2?

I am thinking of making port Gi2 of the firewall a trunk and use subinterfaces in order to forward BVI headers to the router.

Re: Transparent Firewall with BVI

Mariusz Bochen — Tue, 11 Dec 2012 14:55:45 GMT

Hi Franzis,

In transparent mode you can use only two interfaces which have to be on the same subnet:

- The transparent security appliance uses an inside interface and an outside interface only. If your platform includes a dedicated management interface, you can also configure the management interface or subinterface for management traffic only.

In single mode, you can only use two data interfaces (and the dedicated management interface, if available) even if your security appliance includes more than two interfaces.

- Each directly connected network must be on the same subnet.

Source link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

Regards

Mariusz

Re: Transparent Firewall with BVI

Julio Carvajal — Wed, 12 Dec 2012 00:46:41 GMT

Hello Franzis and Mariusz,

Mariusz that is true but on the newer versions it is possible to split the ASA into different BVIs groups so you can use more than one interface.

http://ciscoasafirewall.blogspot.com/2011/06/cisco-asa-firewall-in-transparent.html

Now how to make that happen Franzis, the outside router will need to perform the routing for you, so traffic must exit the ASA go to an outside layer 3 device and go back to the different brdige group

Regards

Julio

Re: Transparent Firewall with BVI

necxzcisco — Wed, 12 Dec 2012 08:49:50 GMT

@jcarvaja

Yes, thank you sir for the reply I have also read that one. That ASA 8.4 and above allows us to use BVI upto 8 I think.

I will be connecting a router to port 4 of the firewall.

My question now is what do I configure in the port Gi2 of the firewall and the port of the router?

I tried creating sub interfaces in firewall's Gi2 port.

interface Gi2.10

Bridge-group 1

vlan 1

interface Gi2.20

Bridge-group 2

vlan 2

is it correct? What do I do with the router's config?

Re: Transparent Firewall with BVI

Julio Carvajal — Wed, 12 Dec 2012 14:15:03 GMT

Hello,

Okay, Why dont you use a dedicated interface for each bridge group.

And then on the router use 2 interfaces as well and configure it to route to each subnet pointing to the ASA as you were do regularly,

Try that and keep me posted

Re: Transparent Firewall with BVI

necxzcisco — Thu, 13 Dec 2012 01:11:50 GMT

Okay, I will try it now but I need 3 ports for my Inside and one for the out.

I'll setup my lab again and keep you posted.

Re: Transparent Firewall with BVI

Julio Carvajal — Thu, 13 Dec 2012 01:14:14 GMT

Hello,

Great, let us know the result