04-12-2015 01:30 PM - edited 03-11-2019 10:45 PM
Hi Guys,
As I can see, Cisco is recommending for the ASAs to be in transparent mode in data centers. My question: why not routed mode?
How to decide? What is the problem in having the routing on the ASA?
I know that transparent mode is easier to place, but in my case it is a new design and I want to use the interface VLANs on the ASA, not the core, so the gateway of each server will be the ASA.
What is the problem here? Why is it not recommended?
I'm using ASA clustering as well over two DCs.
In Cisco links they explain why to use transparent mode, but I couldn't find what the problems/limitations are in using routed mode.
Any clue?
Thanks & Regards,
Rami
04-12-2015 10:10 PM
I wasn't aware Cisco were recommending transparent mode.
To be honest it's probably a sales thing. Think about the big flaw of transparent mode firewalls: you have to route in one interface and route out the other, whereas a routed firewall can have as many interfaces and subnets coming into it as you like.
So with transparent mode, when the network grows you have to buy a second piece of hardware for each new network.
04-13-2015 06:24 AM
but in my case it is a new design and I want to use the interface VLANs on the ASA, not the core, so the gateway of each server will be the ASA.
If that's the case use routed mode on your ASA.
Cisco's design docs are a great place to start, but there is nothing that says you have to follow them to the letter; you modify them to fit what you need.
Bear in mind as well that it's not an either/or choice. With contexts you can have some in transparent mode and some in routed mode, so you have flexibility.
I don't know what design guides you are referring to, but it may be that they include some L2 features, e.g.
a long while back we wanted to do RRI (Reverse Route Injection) from a CSM load balancer that was behind a firewall. For it to work the CSM had to be L2 adjacent to the 6500, which meant you couldn't use the FWSM in L3 mode.
Not saying you want to do that, but it is an example of where other parts of the design can dictate how you run your firewalls.
Jon
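To make the two options (and the mixed-mode context point above) concrete, here is an added ASA configuration sketch; it is not from the thread or from any Cisco design guide. Interface names, VLAN ids, context names, file names and all addresses are made up for illustration, and the per-context mixing in part C assumes ASA software 9.0 or later, where the firewall mode is set inside each context.

```text
! ===== A. Routed mode, single context =====
! The ASA sub-interfaces are the servers' default gateways (what the original
! poster wants). The ASA also inspects traffic BETWEEN server VLANs, which a
! transparent "bump in the wire" on the uplink never sees.
no firewall transparent
interface GigabitEthernet0/0
 nameif core
 security-level 0
 ip address 10.0.0.2 255.255.255.252      ! made-up address
 no shutdown
interface GigabitEthernet0/1
 no shutdown
interface GigabitEthernet0/1.10
 vlan 10
 nameif servers-web
 security-level 100
 ip address 10.10.10.1 255.255.255.0      ! server gateway, VLAN 10
interface GigabitEthernet0/1.20
 vlan 20
 nameif servers-db
 security-level 50
 ip address 10.10.20.1 255.255.255.0      ! server gateway, VLAN 20
route core 0.0.0.0 0.0.0.0 10.0.0.1
! Adding another server network = one more sub-interface, no new hardware.

! ===== B. Transparent mode, single context =====
! The core keeps the SVIs (gateways). The ASA bridges one subnet per bridge
! group and only holds a management IP on the BVI; servers never see it as a hop.
firewall transparent
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 bridge-group 1
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 bridge-group 1
 no shutdown
interface BVI1
 ip address 10.10.10.5 255.255.255.0      ! management address in the bridged subnet
! Each additional bridged subnet needs its own bridge group and interface pair.

! ===== C. Multiple context mode, one routed and one transparent =====
! "mode multiple" is set in the system execution space and requires a reload.
mode multiple
context DC-ROUTED
 allocate-interface GigabitEthernet0/0
 allocate-interface GigabitEthernet0/1.10-GigabitEthernet0/1.20
 config-url disk0:/dc-routed.cfg          ! made-up file name
context DC-TRANSPARENT
 allocate-interface GigabitEthernet0/2
 allocate-interface GigabitEthernet0/3
 config-url disk0:/dc-transparent.cfg     ! made-up file name
! Inside DC-TRANSPARENT, "firewall transparent" is then applied per context
! (switching a context's mode clears that context's running configuration).
```

The operational difference a defender cares about is visible in the sketches: in A the ASA is in the path for every inter-VLAN flow and so can enforce policy and log between server tiers, while in B it only sees what crosses the bridged link and the core switch still decides routing, which is why the systems team may find it easier to "see through".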
04-27-2015 12:13 PM
Some systems guys don't like to have a firewall as the next hop out of the DC. They probably don't like any firewall being there at all and like to blame the firewall for any connectivity issues. Transparent mode helps. Just a thought.