Solved: Re: ASA config help

Antony_85 · ‎08-01-2021

Hi guys, I was wondering if I could get some assistance from one of the gurus here. I have switch config knowledge but not much ASA config experience. The scenario is as follows (diagram attached)

Plant Switch: I don't have access to it. It's managed by the corporate network team. They will configure VLAN20 with a tagged port.

ASA-5508-X: this is a test ASA not in the production network. Need to put this in TRANSPARENT mode and have ASDM access to it (GUI access). I have put the ASA into transparent but once I do I lose access to ASDM. I set it to factory settings and haven't done any changes yet (have ASDM access back).

2960-CX Test Switch: added VLAN20; ports are configured as ACCESS

Basically need to transfer VLAN 20 traffic through the firewall with no filtering.

balaji.bandi · ‎08-03-2021

If you want to extend the VLAN that is fine, You can use FW as Transparent, but i see some difference in IP address range, or do you have same IP range Layer 2 available on the same switch ?

Goog example :

https://www.networkstraining.com/cisco-asa-firewall-in-transparent-layer2-mode/

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

Rob Ingram · ‎08-02-2021

@Antony_85

Once you put the ASA in transparent mode it will reset the configuration (that is to be expected). You will need direct access to the ASA to configure the bridge group, BVI, ACL and ip address (for mgmt). The plant switch's interface will need to be an access interface, in vlan 20.

balaji.bandi · ‎08-02-2021

Basically need to transfer VLAN 20 traffic through the firewall with no filtering.

Quick question before we can suggest something ? why do you need Transparent FW, if you do not required FW here ?

you can extend the VLAN to other switch using Trunk right ? what is the challenges here ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Antony_85 · ‎08-02-2021

Hi Balaji,

Thank you for your response. The plant engineers want a firewall in between the cooperate network and the manufacturing network (2 separate subnets). Some of the PCs connected to VLAN 20 needs access to the cooperate network and some don’t. It will mainly sit as an intrusion detection device.

balaji.bandi · ‎08-03-2021

If you want to extend the VLAN that is fine, You can use FW as Transparent, but i see some difference in IP address range, or do you have same IP range Layer 2 available on the same switch ?

Goog example :

https://www.networkstraining.com/cisco-asa-firewall-in-transparent-layer2-mode/

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Antony_85 · ‎08-03-2021

Hi Balaji,

Thank you for your response. This example is exactly the setup I need. I realize (Rob pointed out) that I made a mistake in my diagram. all 3 devices will be in the same subnet (just like in the example). I managed to get the INSIDE interface working with VLAN20 just waiting for the network team to do their part to test further. Thank you again for the help.

balaji.bandi · ‎08-04-2021

No worried please keep posted the outcome ..happy to help where we can ?

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Antony_85 · ‎08-04-2021

Thanks, mate,

The network team informed me they configured an Access port so I should be able to test the outcome today. I'll keep you guys posted

Antony_85 · ‎08-02-2021

Hi Rob,

Thank you for the response. Could you review if I got the following right? Ones I put the ASA in transparent mode I need to execute !

Switch to transparent mode enable ASDM

Config-T

Firewall Transparent

Interface bvi-1

Ip address 10.29.96.2 255.255.255.0

http server enable

http 0.0.0.0 0.0.0.0 inside

Setting passive mode

Int e0/0

Switchport access vlan 1

No shutdown

Int e0/1

Switchport access vlan 20

No shutdown

Interface vlan 1

Nameif outside

Bridge-group 1

Interface vlan 20

Nameif inside

Bridge-group 1

Rob Ingram · ‎08-03-2021

@Antony_85

If you are using the FW in transparent mode, the 3 devices will need to be in the same network (10.29.96.x), the plant switch in your diagram does not appear to be. You'll also need to consider ACLs.

Antony_85 · ‎08-03-2021

Hi Rob,

I just realize I made a mistake in the diagram. All 3 devices will be in the same subnet. I got the INSIDE working with VALN20 in transparent mode just waiting for the network team to do their part to test further.

I had to assign 192.168.1.1 to the Management interface (for ASDM access) because it wouldn't assign a 10.29.96.X IP address to it. Many thanks for the help.

Antony_85 · ‎08-04-2021

Hay guys,

So it worked. Attached below is my config. Thanks, heaps for all the advice and help. The only issue was I couldn't assign 10.29.96.X to the management interface of the ASA. So had to assign a different subnet but enable ASDM access to INSIDE interface so that works over the network.

Best regards.

balaji.bandi · ‎08-05-2021

Good to know, thank you for the feedback. !

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help