03-05-2014 08:20 PM - edited 03-11-2019 08:54 PM
Hi
I have a unique issue when trying to set up our new 5512-x firewall in single transparent mode. I'm new to the ASA world and would appreciate it if someone can help me out.
I would like to give a bit of background here.
I work in a university and we have different IT pockets along with central IT. I'm an IT person in one of the pockets and we have our own server closet with vm hosts and some servers. All our hosts and other network resources are connected to a 2960 switch on our end which is etherchanneled (2 uplinks) to another 2960 switch on central IT end (which I can't control). The central IT switch after all the hoops connects to the edge router for internet access. Here comes the crazy part: In university all IP addresses assigned to each and every resource (servers and clients) are STATIC PUBLIC IPs. We don't use any DHCP or private IP addressing. Within the university all departments and faculties could access each and every resource given they have permission to access that resource. (file server, databases etc). The idea is to block free access and just allow the users that should have access to our resources.
Now the question. Sorry for the length background.
Our server closet is on the x.x.198.x subnet. That is where my side of the 2960 switch and the central IT switch are connected. I want to (if possible) put our 5512-x switch between the two switches and enable the etherchannel on the ASA so that it can let the traffic through with a 2GB uplink. Currently, I have set up the ASA in single transparent mode with a management IP on the x.x.198.x subnet. I created a bridge group and tried to give it an x.x.198.x IP but it spat out an error about "can't overlap the IPs on same subnet". Since we don't use any private addressing and there is no outside interface (traffic from our area feeds to central IT switches), I'm not sure how to set up a global IP address for the inside and outside interface. We have users in 4 different subnets that I want to provide access to our resources located in x.x.198.x, while blocking the rest as well as setting ACLs for our users as well.
Please let me know if you have any questions. I really hope to find some answers.
Thank you so much.
Cheers,
Vaneet
03-06-2014 04:24 AM
Hello Vaneet,
For each subnet you want to play with you would need a dedicated Bridge Group. That specific Bridge Group will be composed of two layer 2 interfaces having a global management IP address on the ASA Firewall.
Does it make sense?
Regarding the error,
Can you show us the entire configuration you are entering and after what the error appears.
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
03-06-2014 07:35 AM
Thanks Julio for the prompt reply!!
So the ASA has 6 physical interfaces and I need to manage 5 different subnets (all public IPs); how would I go about assigning two layer 2 interfaces per subnet/bridge group? Will I be creating subinterfaces per physical interface? Also, do I need a management interface per subnet as well or not? How can I get the etherchannel to work in this scenario?
I haven't made many changes but here is the running config of ASA:
: Saved
:
ASA Version 9.1(4)
!
firewall transparent
hostname SATT-FW-ASA
domain-name xxxxxxxxx.xxxxxxxxxx.ca
enable password MSSfG8UVVdoUUa5Q encrypted
passwd MSSfG8UVVdoUUa5Q encrypted
names
!
interface GigabitEthernet0/0
nameif Inside
security-level 100
!
interface GigabitEthernet0/1
nameif Inside1
security-level 100
!
interface GigabitEthernet0/2
nameif Outside
security-level 20
!
interface GigabitEthernet0/3
nameif Outside2
security-level 20
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
!
interface Management0/0
management-only
nameif Management
security-level 100
ip address x.x.198.151 255.255.255.0
!
interface BVI1
no ip address
!
boot system disk0:/asa914-smp-k8.bin
boot system disk0:/asa912-smp-k8.bin
boot system disk0:/asa911-smp-k8.bin
ftp mode passive
clock timezone EST -5
clock summer-time EDT recurring
dns domain-lookup Management
dns server-group DefaultDNS
name-server x.x.128.1
name-server x.x.64.1
domain-name xxxxxxxxx.xxxxxxxxxxx.ca
pager lines 24
mtu Inside 1500
mtu Management 1500
mtu Inside1 1500
mtu Outside 1500
mtu Outside2 1500
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-715-100.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 130.113.137.0 255.255.255.0 Management
http 130.113.198.0 255.255.255.0 Management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh x.x.137.0 255.255.255.0 Management
ssh timeout 5
ssh version 2
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes128-sha1 3des-sha1
username xxxxxxx password xxxxxxxxx encrypted privilege 15
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:666a055d0c28295116cc0b07a66accd7
: end
I just enabled the 4 physical interfaces (g0-g3) but they are not physically connected.
So I was trying to assign the first bridge group an x.x.198.x IP address and that's when it gave me the following error:
The Ip address x.x.198.153 255.255.255.0 cannot overlap with the subnet of interface management.
But all of our resources are on x.x.198.x subnet so I need to manage it as well.
I'm sorry if I'm not explaining myself properly. Please let me know if you need more info.
Thanks a lot for helping me out.
Cheers,
Vaneet
03-06-2014 12:43 PM
Hi Julio
Do I have to create a bridge group for each network/subnet that I need to manage? If I have to create a bridge group for each subnet (in total 5 subnets), how can I define an inside and outside interface for each subnet? Do I have to create logical interfaces for each physical interface per subnet? Do I need to create a logical management interfaces per bridge group/subnet?
Also, how can I connect the ASA between two switches that are etherchanneled? Do I have to create an etherchannel on the inside interface of the ASA for the internal switch (x.x.198.x) and an etherchannel on the outside interface for our Central IT switch (x.x.198.x)?
Also, since I'm not able to assign another x.x.198.x IP address in the global configuration because I'm using x.x.198.151 for the management port, do I need to remove the IP from the management port and manage the ASA through the data ports?
Please help!!
Cheers,
Vaneet
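As an added example (not the poster's configuration and not Julio's reply), this is how the pieces asked about in this thread fit together on ASA 9.1 in single transparent mode: a two-link EtherChannel on each side, both port-channels as layer-2 members of one bridge group for the x.x.198.0/24 segment, the bridge group's address on the BVI, and an ACL that admits only the user subnets. Using a single bridge group, the BVI address x.x.198.153, the four user-subnet prefixes, and the choice to manage the box through the BVI instead of Management0/0 are all assumptions, not facts from the thread.

```cisco
! Added example, not the poster's config: ASA 9.1, single transparent mode,
! one bridge group on the x.x.198.0/24 segment, 2-link EtherChannel each side.
! All addresses and subnet values below are placeholders.
firewall transparent
!
! Inside EtherChannel: the two cables from the department's 2960
interface GigabitEthernet0/0
 channel-group 1 mode active
 no nameif
 no security-level
!
interface GigabitEthernet0/1
 channel-group 1 mode active
 no nameif
 no security-level
!
! Outside EtherChannel: the two cables to the central IT 2960
interface GigabitEthernet0/2
 channel-group 2 mode active
 no nameif
 no security-level
!
interface GigabitEthernet0/3
 channel-group 2 mode active
 no nameif
 no security-level
!
! nameif, security-level and bridge-group go on the port-channel, not on the
! member ports; both port-channels are layer-2 members of the same bridge group
interface Port-channel1
 nameif inside
 bridge-group 1
 security-level 100
!
interface Port-channel2
 nameif outside
 bridge-group 1
 security-level 0
!
! The BVI holds the bridge group's address. Its subnet may not overlap the
! Management0/0 subnet, so Management0/0 is left without an address here
! (assumption) and the ASA is managed through the BVI address instead.
interface Management0/0
 management-only
 nameif management
 security-level 100
 no ip address
!
interface BVI1
 ip address x.x.198.153 255.255.255.0
!
! Management over the data path: SSH/ASDM to the BVI address from the admin
! subnet (x.x.137.0/24, the subnet already allowed in the posted config)
ssh x.x.137.0 255.255.255.0 inside
http x.x.137.0 255.255.255.0 inside
!
! Only the four user subnets (placeholder prefixes) may reach the server
! segment; the implicit deny at the end of the ACL drops everyone else
object-group network ALLOWED_USER_NETS
 network-object x.x.137.0 255.255.255.0
 network-object x.x.64.0 255.255.255.0
 network-object x.x.128.0 255.255.255.0
 network-object x.x.200.0 255.255.255.0
!
access-list OUTSIDE_IN extended permit ip object-group ALLOWED_USER_NETS x.x.198.0 255.255.255.0
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
```

The "cannot overlap with the subnet of interface management" error in the thread comes from the rule that the BVI subnet and the Management0/0 subnet must differ, so the two options are an address in another subnet on Management0/0 or, as above, no address there and management via the BVI. If the posted config is kept, `dns domain-lookup Management` then needs to point at `inside`. Each further subnet that has to be bridged gets its own pair of port-channel subinterfaces (`interface Port-channel1.10` with `vlan 10`, and the same on Port-channel2) in its own `bridge-group` with its own BVI, which only works if the two 2960s carry those VLANs across the EtherChannel as an 802.1Q trunk. `show port-channel summary` and `show bridge-group` confirm that the members bundled and joined the bridge group.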