08-13-2019 09:30 AM - edited 02-21-2020 09:23 AM
Can an ASA running later code (ex: 9.6) support running in one-armed transparent mode? Assuming 2 interfaces in a BVI and both physically connecting to the same upstream/downstream switch. This would require the ASA to stitch 2 different vlans on the upstream switch together while they are in the same subnet and BVI on the ASA.
08-13-2019 01:21 PM
I have done that some time ago with my home-office ASA to separate the various DMZs (IoT stuff and such) from the rest of the network. Yes, that works.
08-13-2019 01:39 PM
I forgot to add that there would be 2 physical interfaces connecting the switch to the ASA transparent fw. Both physical ports will be trunks with multiple vlans. Each physical link will have multiple vlans each tied to a different BVI on the ASA. For example we may have vlan 10 on physical port 1 mapped to BVI 1. On physical port 2 we may have vlan 110 also mapped to BVI 1. The traffic would flow through the ASA between vlan 10 and vlan 110. This means that there will be different vlan tags for the BVI 1 traffic on physical port 1 and physical port 2. I'm hoping this doesn't confuse the ASA. This would be similar to what you do with IPS inline vlan pairs.
Would this be supported?
08-13-2019 11:30 PM
I don't remember exactly as this setup is not in place any more. But I had multiple DMZs, so it probably was exactly what you describe.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide