ASA Firewall positioning in Transparent Mode between 6509 Core switch & WLC

acharyr123 · ‎04-27-2011

Hi,

I do have the below setup,,

1. I have 6509 switch

2. I have 2 WLC configured in Active/Active mode connected in Trunk mode (L2 Port-Channel) connected with 6509 switch

3. On switch side i have configured the port as Trunk

4. L3 SVI for wireless users are created in 6509 switch (attached the diagram).

I would like to introduce a Cisco ASA 5520 firewall with AIp-SSM module so that all wirelees traffic can be inspected.

The issue is: Without changing any configuration in the network (switch & WLC) is it possible to introduce the firewall? Kindly suggest.

Rgds,

Partha

Maykol Rojas · ‎04-27-2011

Hi!

I would say, it is not possible. At least you will need to configure 2 Vlans, One for the inside and one for the outside. The idea of transparent firewall is just not to change the IP scheme, however, there are some changes that need to be done in order for the firewall to inspect the traffic, please see :

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

If you just plug one cable to the WLC and the other to the switch, the traffic would pass freely between the WLC and the switch. The idea is the ASA to pick up the requests and forward them to the other vlan...

Cheers.

Mike

acharyr123 · ‎05-01-2011

Hi Mike,

I have done the setup as per Cisco documentation. All the sub-interfaces are up & running. But, sitting inside (on Core switch) I am not able to ping WLC IP, however I can see that traffic is hitting the ASA corresponding sub-interface...I am unable to see ARP...any cluse?? Attached the sameple n/w diagram & configuration.

Regards,

Partha