cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1895
Views
5
Helpful
7
Replies

Asa 5525 v9.5(2): add transparent security context

yosoypako
Level 1
Level 1

Hello.

We have now two asa 5525 in a ha active/pasive cluster. We are using 2 gigabit interfaces forming an etherchannel for the data traffic, 1 interface for the failover traffic and the management 0/0 interface for the firewall management. Now we have 4 different security context, all of them in routed mode. We have the etherchannel interface configured as a trunk and we use subinterfaces with vlan tagging for each security context. For example:

context Context-1
member default
allocate-interface Port-channel1.200 visible
allocate-interface Port-channel1.210 visible

 

Now we want to add a new security context in transparent mode. I have been reading different documents and I have still some doubts.

-Can I create new subinterfaces, in different vlans taht the ones that I am using in the other security contexts  and allocate them to the new security context. For example:

context Context-Transparent
member default
allocate-interface Port-channel1.300 visible
allocate-interface Port-channel1.310 visible

Or do I have to use a completely different physical interfaces.

-The etherchannel port members are connected to a pair of nexus switches, using a VPC. The management 0/0 interface is connected to a OOB network in a different physical switch. Do I need to create a new management interface for this security context? Could it be a sub-interface in the etherchannel or does it have to be a different physical interface? 

-I am managing this firewall using ssh through the management 0/0 interface. When I change the firewall mode for the new security context would I lost the management connection?

 

Thanks for your help.

2 Accepted Solutions

Accepted Solutions

1. if mgmt interface (no configured/not exist/note in use) than use BVI interface ip address for mgmt purpose in this case the route will be
                    route inside 0.0.0.0 0.0.0.0 next-hop-router-address
 
 
2. if using mgmt interface the default gw is the router that resides toward the management interface.
 
                route mgmt 0 0 next-hop-router-address
3. In case of management interface is configured and so the BVI interface also configured. as example: then the managment interface will be use for mgmt purpose.
  
 
firewall transparent
!
interface man0/0
  nameif management
  security-level 100
  ip address 10.122.109.101 255.255.255.0
  no shut
!
route management 0.0.0.0 0.0.0.0 10.122.109.1
http server enable
http 10.122.109.0 255.255.255.0 management
!
interface gig0/0
  nameif inside
  bridge-group 1
!
interface gig0/1
  nameif outside
  bridge-group 1
!
interface BVI1
 ip address 10.10.1.10 255.255.255.0
!
 
please do not forget to rate.

View solution in original post

I had a thought of it. say system context you define the port/port-channel.

 

system

!

interface gig0/1

 no nameif

 no sec

 no ip address

 channel-group 2 mode active

 no shut

!

interface gig0/2

 no nameif

 no sec

 no ip address

 channel-group 2 mode active

 no shut

!

interface port-channel2

!

interface port-channel2.300

 vlan 300

!

interface port-channel2.400

 vlan 400

!

context c1

!

allocate-interface port-channel2.300 inside_c1

allocate-interface port-channel2.400 outside_c1

config-url disk0:/c1.cfg

!

changeto context c1

!

transparent

!

interface inside_c1

 nameif inside

 bridge-group 1

 sec-level 100

!

interface outside_c1

 nameif inside

 bridge-group 1

 sec-level 0

!

interface bvi1

 ip address x.x.x.x. x.x.x.x.

please do not forget to rate.

View solution in original post

7 Replies 7

for this

 

context Context-Transparent
member default
allocate-interface Port-channel1.300 visible
allocate-interface Port-channel1.310 visible

 

 

yes you can do it. but make sure you have the vlan 300 and 310 trunk coming from switch to firewall. i think for good practice make it separate bundle would be easy in case doing troubleshoot. routed and transport separate.

 

 

in regards to the management interface, why dont you create a admin-context and allocate the managment interface to it. would be easy for you to manage the remaining context.

 

let see what other say on this.

 

please do not forget to rate.

Hello.

 

Thanks for your help. We are already using an management context in wich we have the interface management0/0 for all the security context. My question about the management interface is related to how the asa discovers the mac-address for the next hop in transparent mode, I have been reading this thread:  https://community.cisco.com/t5/firewalls/cisco-asa-in-transparent-mode-management/td-p/1498620

And I do not know if I do have to create another L3 management interface only for this security context.

 

Regards.

1. if mgmt interface (no configured/not exist/note in use) than use BVI interface ip address for mgmt purpose in this case the route will be
                    route inside 0.0.0.0 0.0.0.0 next-hop-router-address
 
 
2. if using mgmt interface the default gw is the router that resides toward the management interface.
 
                route mgmt 0 0 next-hop-router-address
3. In case of management interface is configured and so the BVI interface also configured. as example: then the managment interface will be use for mgmt purpose.
  
 
firewall transparent
!
interface man0/0
  nameif management
  security-level 100
  ip address 10.122.109.101 255.255.255.0
  no shut
!
route management 0.0.0.0 0.0.0.0 10.122.109.1
http server enable
http 10.122.109.0 255.255.255.0 management
!
interface gig0/0
  nameif inside
  bridge-group 1
!
interface gig0/1
  nameif outside
  bridge-group 1
!
interface BVI1
 ip address 10.10.1.10 255.255.255.0
!
 
please do not forget to rate.

Hello

 

Another question, Can two sub-interfaces from the same transparent security context be part of a bridge-group? 

In this case interface Port-channel2.300 and interface Port-channel2.300

I have seen in the docs from cisco that you can use physical.subinterfaces but not if you can use etherchannel subinterfaces

Thanks for your help.

to be honest i never tried it. but i do not think this is possible. might i am wrong here.

please do not forget to rate.

Sorry, 

A typo, i meant interface port-channel2.300 and interface port-channel2.400. The external would be the interface port-channel2.300 and the internal the port-channel2.400.

 

regards

I had a thought of it. say system context you define the port/port-channel.

 

system

!

interface gig0/1

 no nameif

 no sec

 no ip address

 channel-group 2 mode active

 no shut

!

interface gig0/2

 no nameif

 no sec

 no ip address

 channel-group 2 mode active

 no shut

!

interface port-channel2

!

interface port-channel2.300

 vlan 300

!

interface port-channel2.400

 vlan 400

!

context c1

!

allocate-interface port-channel2.300 inside_c1

allocate-interface port-channel2.400 outside_c1

config-url disk0:/c1.cfg

!

changeto context c1

!

transparent

!

interface inside_c1

 nameif inside

 bridge-group 1

 sec-level 100

!

interface outside_c1

 nameif inside

 bridge-group 1

 sec-level 0

!

interface bvi1

 ip address x.x.x.x. x.x.x.x.

please do not forget to rate.
Review Cisco Networking for a $25 gift card