ASA Routed to Transparent

Mohammed Faiz Mohiuddin · ‎01-15-2013

Dear Netpro Experts,

We have a client who has an ASA 5550 with 8.3 and having 12 different subnets passing traffic without nat. Its running in Routed mode at the moment. Thay have a proposal from their internal team to convert the Firewall into Transparent mode and use Etherchannel so that they can bundle their all the multiple segments togather and use them more efficiently. So in this case the L3 switch will be acting as a default gateway for all the VLANS respectively with the proper SVI's configured, correct ? Please share any needed documents / experiences anyone.

Thanks and Regards

Faiz

Karsten Iwen · ‎01-15-2013

My personal opinion is to use the transparent firewall only if it is really needed. That's the case if you want to insert a firewall into a given infrastructure but you don't want to or you can't change the addressing on one end. The reason behind this is that the routed mode firewall behaves as expected. But the transparent firewall has some (mostly documented) restrictions and shortcomings. And the troubleshooting of a transparent firewall is different and can take longer if you are not used to that operating-model.

The security-controlls will be the same, so from a security-standpoint it doesn't matter what you use.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Mohammed Faiz Mohiuddin · ‎01-15-2013

Dear Karsten,

Thanks for the valuable feedback. I told my client the same thing that to use a Transparent mode only if you really require it. But they insisted me to setup a lab and test this setup and share the findings. So I have setup a lab with ASA 5520 with 8.4 and changed it to Transparent mode. I just need a good document to go forward.

Regards

Faiz

Karsten Iwen · ‎01-15-2013

Did you read the corresponding chapter of the config-guide? That's the most relevant info to get started.

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/mode_fw.html

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

kcnajaf · ‎01-15-2013

Hi Fiaz,

Surprsisingly i was doing the Transparent firewall configuration this morning and this is how i have done it.

This was to bridge two ip subnets.

VLAN 451 and 551 was using the same ip (192.168.39.128/28) range on inside and outside interface.

VLAN 452 and 552 was using the same ip (192.168.44.128/28) range on inside and outside interface.

I assume you will be able to figure out the logic from here and adapt to 12 subnets like you want.

Hope that helps.

Regards

Najaf

Please rate when applicable or helpful !!!

Karsten Iwen · ‎01-15-2013

While reading Najafs post I just realize that you want to protect 12 subnets. As you can only configure eight Bridge-groups, it won't scale to that limit in single-mode. You have to convert to multiple-context-mode where each context can have eight bridge-groups.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni

Mohammed Faiz Mohiuddin · ‎01-15-2013

Thanks to both of you guys Karsten and Najaf. I will check the documents and Najaf's config to figure out how to proceed. Lets see how it goes as still I dont know whether what I am trying to do is achievable or not. Still I have not found any sample document about the use of Etherchannel in Transparent mode.

Regards

Faiz

Karsten Iwen · ‎01-15-2013

Etherchannel is also supported in transparent mode.

--
Don't stop after you've improved your network! Improve the world by lending money to the working poor:
http://www.kiva.org/invitedby/karsteni