ASA in Transparent mode

Brian Green · ‎09-21-2015

Hello,

I have an ASA firewall (a 5550) running in routed mode with three different IPs on it and it is doing fine. Now people want to change the config to transparent mode, with two inside interfaces and one outside - so the two inside networks would be separate subnets. So:

A

|

[ASA]

^

/ \

B C

Is this possible? B & C would have different rules as they are different zones. Requests coming from A would already be on the correct network when it reaches the ASA using a router, since I know that in transparent mode the ASA won't look at the network address.

Thanks,

Brian

Jon Marshall · ‎09-21-2015

Brian

You can't do this.

In transparent mode you have the same IP subnet on both sides because by definition a transparent firewall is L2 not L3.

So you cannot have an IP subnet on the outside and then two different IP subnets on the inside.

What is the reasoning behind wanting to change it ?

Jon

Brian Green · ‎09-21-2015

They want to replicate what is in Production - but adding a "DMZ" network. If "B" and "C" were in the same subnet, would that work? And would I need another switch behind the ASA, or could I use multiple interfaces on the ASA and designate them all inside the same subnet?

As you can probably tell, I am not an ASA guru!

Thanks,

Brian

John Forester · ‎09-21-2015

Hi Brian,

For a 5550, I believe you will need a layer 2 (or better) switch. You could then designate a bunch of ports for that VLAN, and a separate port(s) for the DMZ.

If you had a 5505 you could create a regular VLAN and assign several ports on the same VLAN, and designate a DMZ port - the base licensed model supports 3 VLANs I believe, but its a 5505 vs a 5550. Even though the 5550 is end of life, I think it has more processing power than a 5505.

Good luck

Brian Green · ‎09-22-2015

Thanks! So now I'm looking at changing the layout somewhat to introduce a L2 switch:

A

|

[ASA]

|

[Switch]

| |

B C

Brian