12-11-2018 01:18 AM - edited 02-21-2020 08:33 AM
Hello.
We now have two ASA 5525 in an HA active/passive cluster. We are using 2 gigabit interfaces forming an EtherChannel for the data traffic, 1 interface for the failover traffic and the Management0/0 interface for the firewall management. Now we have 4 different security contexts, all of them in routed mode. We have the EtherChannel interface configured as a trunk and we use subinterfaces with VLAN tagging for each security context. For example:
context Context-1
member default
allocate-interface Port-channel1.200 visible
allocate-interface Port-channel1.210 visible
Now we want to add a new security context in transparent mode. I have been reading different documents and I have still some doubts.
-Can I create new subinterfaces, in different VLANs than the ones that I am using in the other security contexts, and allocate them to the new security context? For example:
context Context-Transparent
member default
allocate-interface Port-channel1.300 visible
allocate-interface Port-channel1.310 visible
Or do I have to use completely different physical interfaces?
-The EtherChannel port members are connected to a pair of Nexus switches, using a vPC. The Management0/0 interface is connected to an OOB network in a different physical switch. Do I need to create a new management interface for this security context? Could it be a sub-interface in the EtherChannel or does it have to be a different physical interface?
-I am managing this firewall using SSH through the Management0/0 interface. When I change the firewall mode for the new security context, would I lose the management connection?
Thanks for your help.
12-11-2018 06:14 AM
for this
context Context-Transparent
member default
allocate-interface Port-channel1.300 visible
allocate-interface Port-channel1.310 visible
Yes, you can do it, but make sure you have the VLAN 300 and 310 trunk coming from the switch to the firewall. I think for good practice making it a separate bundle would be easy in case you are doing troubleshooting: routed and transport separate.
In regards to the management interface, why don't you create an admin context and allocate the management interface to it? It would be easy for you to manage the remaining contexts.
Let's see what others say on this.
12-12-2018 03:34 AM
Hello.
Thanks for your help. We are already using a management context in which we have the interface Management0/0 for all the security contexts. My question about the management interface is related to how the ASA discovers the MAC address for the next hop in transparent mode. I have been reading this thread: https://community.cisco.com/t5/firewalls/cisco-asa-in-transparent-mode-management/td-p/1498620
And I do not know if I have to create another L3 management interface only for this security context.
Regards.
12-12-2018 04:21 AM
01-16-2019 05:17 AM - edited 01-16-2019 05:33 AM
Hello
Another question: can two sub-interfaces from the same transparent security context be part of a bridge-group?
In this case interface Port-channel2.300 and interface Port-channel2.300
I have seen in the docs from Cisco that you can use physical subinterfaces, but not whether you can use EtherChannel subinterfaces.
Thanks for your help.
01-16-2019 05:40 AM - edited 01-16-2019 05:43 AM
To be honest I never tried it, but I do not think this is possible. I might be wrong here.
01-16-2019 05:44 AM
Sorry,
A typo, I meant interface port-channel2.300 and interface port-channel2.400. The external would be the interface port-channel2.300 and the internal the port-channel2.400.
regards
01-16-2019 06:21 AM - edited 01-16-2019 06:28 AM
I had a thought on it. Say in the system context you define the port/port-channel.
system
!
! Physical members of the bundle; no L3 settings in the system context
interface GigabitEthernet0/1
 no nameif
 no security-level
 no ip address
 channel-group 2 mode active
 no shutdown
!
interface GigabitEthernet0/2
 no nameif
 no security-level
 no ip address
 channel-group 2 mode active
 no shutdown
!
interface Port-channel2
!
! One tagged subinterface per VLAN carried on the trunk
interface Port-channel2.300
 vlan 300
!
interface Port-channel2.400
 vlan 400
!
! Hand both subinterfaces to the new context under mapped names
context c1
 allocate-interface Port-channel2.300 inside_c1
 allocate-interface Port-channel2.400 outside_c1
 config-url disk0:/c1.cfg
!
changeto context c1
!
! Firewall mode is set inside the context itself
firewall transparent
!
interface inside_c1
 nameif inside
 bridge-group 1
 security-level 100
!
interface outside_c1
 nameif outside
 bridge-group 1
 security-level 0
!
! The BVI carries the management address for the bridge group
interface BVI1
 ip address x.x.x.x x.x.x.x
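The configuration above is the layout the thread is after: VLAN subinterfaces of a port-channel allocated from the system context to a transparent context and joined in one bridge group. As an added example (not from this thread and not a Cisco tool), the following Python script parses a small ASA-style system configuration and a per-context configuration and flags three mistakes that are easy to make in exactly this setup: a subinterface allocated to more than one context, a bridge group with only one member, and two members of one bridge group that share a nameif. The sample configurations at the bottom are constructed for the example; the function names and the checks are the example's own.

```python
"""Sanity checks for an ASA multi-context, transparent-mode configuration.

Added example, not from the thread or from Cisco. Parses the system-context
allocation and a context configuration, then reports:
  * a subinterface allocated to several contexts,
  * a bridge group with fewer than two member interfaces,
  * bridge-group members that share a nameif.
"""
import re
from collections import defaultdict


def parse_system(text):
    """Return {context: [allocated interface names]} from the system context."""
    allocations = defaultdict(list)
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r"context\s+(\S+)$", line)  # 'changeto context' does not match
        if m:
            current = m.group(1)
            continue
        m = re.match(r"allocate-interface\s+(\S+)", line)
        if m and current:
            allocations[current].append(m.group(1))
    return dict(allocations)


def parse_context(text):
    """Return (is_transparent, {interface: {nameif, bridge-group, security-level}})."""
    transparent = False
    interfaces = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line == "firewall transparent":
            transparent = True
            continue
        m = re.match(r"interface\s+(\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = {}
            continue
        m = re.match(r"(nameif|bridge-group|security-level)\s+(\S+)$", line)
        if m and current:
            interfaces[current][m.group(1)] = m.group(2)
    return transparent, interfaces


def check(system_cfg, context_cfgs):
    """Return a list of human-readable findings (empty list means clean)."""
    findings = []
    owners = defaultdict(list)
    for ctx, ifaces in parse_system(system_cfg).items():
        for iface in ifaces:
            owners[iface].append(ctx)
    for iface, ctxs in owners.items():
        if len(ctxs) > 1:
            findings.append(f"{iface} allocated to several contexts: {', '.join(ctxs)}")

    for ctx, cfg in context_cfgs.items():
        transparent, interfaces = parse_context(cfg)
        if not transparent:
            continue  # bridge-group rules only apply to transparent contexts
        groups = defaultdict(list)
        for iface, attrs in interfaces.items():
            if "bridge-group" in attrs:
                groups[attrs["bridge-group"]].append((iface, attrs.get("nameif")))
        for bg, members in groups.items():
            if len(members) < 2:
                findings.append(f"{ctx}: bridge-group {bg} has fewer than two members")
            by_name = defaultdict(list)
            for iface, name in members:
                by_name[name].append(iface)
            for name, ifaces in by_name.items():
                if len(ifaces) > 1:
                    findings.append(f"{ctx}: bridge-group {bg} members "
                                    f"{', '.join(ifaces)} share nameif '{name}'")
    return findings


# Constructed sample input: c2 wrongly reuses the subinterface given to c1.
SYSTEM_CFG_OVERLAP = """
context c1
 allocate-interface Port-channel2.300 inside_c1
 allocate-interface Port-channel2.400 outside_c1
 config-url disk0:/c1.cfg
!
context c2
 allocate-interface Port-channel2.300 inside_c2
 allocate-interface Port-channel2.500 outside_c2
 config-url disk0:/c2.cfg
"""
SYSTEM_CFG_OK = SYSTEM_CFG_OVERLAP.split("!")[0]

# Constructed context config with both bridge-group members named 'inside'.
CONTEXT_CFG_BAD = """
firewall transparent
interface inside_c1
 nameif inside
 bridge-group 1
 security-level 100
interface outside_c1
 nameif inside
 bridge-group 1
 security-level 0
interface BVI1
 ip address 192.0.2.10 255.255.255.0
"""
CONTEXT_CFG_OK = CONTEXT_CFG_BAD.replace("nameif inside\n bridge-group 1\n security-level 0",
                                         "nameif outside\n bridge-group 1\n security-level 0")

if __name__ == "__main__":
    for f in check(SYSTEM_CFG_OVERLAP, {"c1": CONTEXT_CFG_BAD}):
        print("FINDING:", f)
    print("clean config findings:", check(SYSTEM_CFG_OK, {"c1": CONTEXT_CFG_OK}))
```

Run it against a `show running-config` copied from the system context and from each context; a duplicate nameif is rejected by the ASA at entry time, but the cross-context allocation overlap is the one that silently gives two contexts the same VLAN and is worth catching before deployment.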