Thanks Franc, yup my bad thanks for noticing the mistakenly drawn arrow.

Let me know if the physical connection between firewall and Core remains the same if run the ASA in transparent mode.

It'd be great if you can share some sample configs I'm new to this scenario.

BTW does the transparent mode put extra load on the firewalls? OR it's less CPU sensitive than my idea of configuring SVIs on ASA?

Kind Regards,

Umer

Transparent mode won't add any extra load and can consume less as it won't do any routing stuff. However, in your case, the CPU consumption will be quite the same. It depends on the traffic the ASA needs to handle.

In terms of config (a quick example for interface configs, rest of configs like rules are same as routed mode):

interface gigabitethernet 0/0
nameif inside
security-level 100
bridge-group 1
!
interface gigabitethernet 0/1
nameif outside
security-level 0
bridge-group 1
!
interface bvi 1
ip address x.x.x.x 255.255.255.0 --> Ip in the same vlan 30. You can access asa through that IP. Bridge groups are used to allow multiple vlan used without adding security context (this is a quick and dirty explanation, here a doc where you can found more detailed information: https://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/interface-transparent.html)

In terms of physical and logical connection.

Your ASA has 2 interfaces, 1 called inside and 1 called outside. You will use 2 vlans (inside and outside) but keep the same L3 (SVI 30)

outside will be the interface facing the SVI (vlan 30), the inside will be connected to your switch using vlan YY. All your servers will be tagged (if ESX) or untagged (if Physical for example) to this new vlan YY.

A good drawing has been made on Cisco Learning, I'll drop you the link then you can have a better understanding: https://learningnetwork.cisco.com/thread/108406

Is that clear?

Thanks Bro, it really helps.

I'm gonna make the configs will share with you, shortly.

In your first comment you mentioned in my setup I do not need only an SVI but another type of connection between Core and ASA for routing. Please let me know what other connection I can make between them.

In that case can I use static routes from Core to ASA and from ASA to Core.

Let's say I keep the SVI of vlan 30 on Core itself (instead of FW) and create subinterface on the Firewall, then connect them both via a 802.1Q trunk.  Will that be okay I never tried just guessing as an idea.

But if my idea is okay then what would be the security configuration to protect the critical vlans from unsecure access of internal users. I just need the basic sample config which at least gives me right direction.

Your comments really helped me understanding the firewalling between my different user segments.

Thanks a lot!!!

Got you!

But using the routed mode what will be the security configs simple ACLs? or something else to ensure the secure access between critical and non-critical vlans.