Solved: ASA-5505 Transparent mode

NedOps · ‎09-09-2018

I have the need to harden 3 legacy servers and the ASA-5505 was picked for the solution. I want to start by allowing traffic pass and then add ACL's to gradually increase the security. The ASA will be in the middle of the network, that is why I like transparent mode. looking at he notes my issue may be that 1 of the 3 servers is on a different subnet. I have set up a basic configuration of the outside interface being 0, and inside at 100.

Since transparent is like a bump on the wire will both subnets still pass through the ASA ?

Francesco Molino · ‎09-09-2018

Hi

Yes you can have multiple vlans in transparent mode. Multiple means 8 max as you can have a max of 8 bridge groups.
Let's say in interface g0/1 is your inside and have created vlans 10,20,30 and on g0/2 (outside interface) you create vlan 11,21,31. Then you can create 3 BVI to bridge vlan 10 and 11, an another bridging vlan 20 and 21, and the last bridging vlan 30 and 31.

I hope this was the sense of your question.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

View solution in original post

Mohammed al Baqari · ‎09-10-2018

Yes it will get out as long as the rules allow

View solution in original post

Ajay Saini · ‎09-09-2018

Hello,

ASA supports only traffic for one subnet and this subnet is the same as defined for the management interface subnet. You can create bridge group for each subnet you have defined, more info in the link:

https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/interface_complete_transparent.pdf

HTH
AJ

Francesco Molino · ‎09-09-2018

Hi

Yes you can have multiple vlans in transparent mode. Multiple means 8 max as you can have a max of 8 bridge groups.
Let's say in interface g0/1 is your inside and have created vlans 10,20,30 and on g0/2 (outside interface) you create vlan 11,21,31. Then you can create 3 BVI to bridge vlan 10 and 11, an another bridging vlan 20 and 21, and the last bridging vlan 30 and 31.

I hope this was the sense of your question.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Mohammed al Baqari · ‎09-10-2018

One point to add, the servers in different bridge groups won't communicate
to each other within ASA. The traffic has to exist to the gateway and
reroute back to ASA for destination vlan (U-Turn from the gateway)

NedOps · ‎09-10-2018

That is a great point. The 3 servers are isolated, so I don't want them to have access to each other anyway. I just wondered if the BVI's would just send them out the gateway as the last hop does now. The firewall is being added to an existing working solution, we just want to limit the traffic in/out. I tried packet tracer to troubleshoot this but the firmware (even the latest) doesn't support BVI.

I don't have enough hardware to sandbox this, and don't want to try it in production. The one server that has a different subnet gets out now, but will it in transparent mode ?

Thanks for the look.

Mohammed al Baqari · ‎09-10-2018

Yes it will get out as long as the rules allow

Francesco Molino · ‎09-10-2018

@Mohammed already replied. The answer is yes.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question