Re: ASA in One-Armed Transparent Mode

pacavell · ‎08-13-2019

Can an ASA running later code (ex: 9.6) support running in one-armed transparent mode? Assuming 2 interfaces in a BVI and both physically connecting to the same upstream/downstream switch. This would require the ASA to stitch 2 different vlans on the upstream switch together while they are in the same subnet and BVI on the ASA.

Karsten Iwen · ‎08-13-2019

I have done that some time ago with my home-office ASA to separate the various DMZs (IoT stuff and such) from the rest of the network. Yes, that works.

pacavell · ‎08-13-2019

I forgot to add that there would be 2 physical interfaces connecting the switch to the ASA transparent fw. Both physical ports will be trunks with multiple vlans. Each physical link will have multiple vlans each tied to a different BVI on the ASA. For example we may have vlan 10 on physical port 1 mapped to BVI 1. On physical port 2 we may have vlan 110 also mapped to BVI 1. The traffic would flow through the ASA between vlan 10 and vlan 110. This means that there will be different vlan tags for the BVI 1 traffic on physical port 1 and physical port 2. I'm hoping this doesn't confuse the ASA. This would be similar to what you do with IPS inline vlan pairs.

Would this be supported?

Karsten Iwen · ‎08-13-2019

I don't remember exactly as this setup is not in place any more. But I had multiple DMZs, so it probably was exactly what you describe.