Welcome to Cisco Firewalls Community

Cisco Employee

ASA in One-Armed Transparent Mode

Can an ASA running later code (ex: 9.6) support running in one-armed transparent mode? Assuming 2 interfaces in a BVI and both physically connecting to the same upstream/downstream switch. This would require the ASA to stitch 2 different vlans on the upstream switch together while they are in the same subnet and BVI on the ASA.

VIP Mentor

Re: ASA in One-Armed Transparent Mode

I have done that some time ago with my home-office ASA to separate the various DMZs (IoT stuff and such) from the rest of the network. Yes, that works.

Cisco Employee

Re: ASA in One-Armed Transparent Mode

I forgot to add that there would be 2 physical interfaces connecting the switch to the ASA transparent fw. Both physical ports will be trunks with multiple vlans. Each physical link will have multiple vlans each tied to a different BVI on the ASA. For example we may have vlan 10 on physical port 1 mapped to BVI 1. On physical port 2 we may have vlan 110 also mapped to BVI 1. The traffic would flow through the ASA between vlan 10 and vlan 110. This means that there will be different vlan tags for the BVI 1 traffic on physical port 1 and physical port 2. I'm hoping this doesn't confuse the ASA. This would be similar to what you do with IPS inline vlan pairs.

Would this be supported?
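The two-trunk, one-bridge-group layout described in the post above, written out as an ASA 9.x transparent-mode configuration. This is an added example, not configuration from the poster or from Cisco; the interface names, the management address and the access list are assumptions, while VLAN 10 on port 1 and VLAN 110 on port 2 come from the post.

```text
! Added example: ASA 9.x transparent firewall bridging VLAN 10 (port 1)
! to VLAN 110 (port 2) through one bridge group. Interface names, the
! management address and the ACL are assumptions for illustration.
firewall transparent
!
interface GigabitEthernet0/1
 description Trunk to switch, side A (assumed name)
 no shutdown
!
! The subinterface strips 802.1Q tag 10 on ingress before bridging
interface GigabitEthernet0/1.10
 vlan 10
 nameif inside
 security-level 100
 bridge-group 1
!
interface GigabitEthernet0/2
 description Trunk to the same switch, side B (assumed name)
 no shutdown
!
! Same bridge group, different tag: 110 is stripped on ingress and
! re-added on egress, so the bridge group never compares the two tags
interface GigabitEthernet0/2.110
 vlan 110
 nameif outside
 security-level 0
 bridge-group 1
!
! In transparent mode the BVI address is for management only; hosts in
! VLAN 10 and VLAN 110 share this subnet and are bridged, not routed
interface BVI1
 ip address 192.0.2.2 255.255.255.0
!
! Inbound policy on the lower-security side (assumed example rules);
! the explicit deny with log gives visibility into blocked traffic
access-list OUTSIDE_IN extended permit tcp any any eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

On the switch, VLAN 10 must be allowed only on the port-1 trunk and VLAN 110 only on the port-2 trunk, with no SVI or other layer-2 path joining them, or traffic bypasses the ASA or loops. `show bridge-group 1` on the ASA should list both subinterfaces as members.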

VIP Mentor

Re: ASA in One-Armed Transparent Mode

I don't remember exactly as this setup is not in place any more. But I had multiple DMZs, so it probably was exactly what you describe.