ASA transparent firewall working with remote network?

anirudhkaushik
Level 1

Hi Experts,

I need some clarification on remote network traffic forwarding on the ASA transparent firewall. As we know, the ASA attempts to discover the destination MAC address by sending an ARP request or a ping. Same-subnet ARP works fine, but I need clarification about the remote network case, where the ASA tries to ping the remote network to learn the destination MAC or forwarding interface. Cisco also says the first packet is dropped. What happens if ping is not allowed on the remote host, for example a web server? How can a user behind the transparent firewall access the web server?

3 Replies

Julio Carvajal
VIP Alumni

Hello Sir,

Here is the thing:

The firewall in transparent mode should be connected to the same subnet that its BVI IP address is in.

Now what happens when an L2 switch receives a packet for a MAC address that it does not know?

It will send an unknown unicast (the packet is forwarded out of all the interfaces in the same VLAN).

Obviously for security purposes the ASA will not do that. Instead it relies on 2 different processes:

1) The ARP check

  • Used when the destination IP address is on the same subnet
  • An ARP packet will be sent out of all the interfaces in the BVI to learn the destination MAC address

2) The ICMP check

  • Used when the destination IP address is on a different subnet
  • The ASA will source an IP packet from its BVI IP address going to the destination address with a TTL of 1, expecting that the gateway leading to that device replies with an ICMP Time Exceeded message.

As you can see, the ICMP packet is not intended to reach the destination host but the L3 device that leads us to it.

I think I have answered your questions correctly.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
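The two-step discovery described in the answer above, as an added simulation that is not part of the original post and not Cisco's code: a simplified model of a transparent ASA that picks ARP for same-subnet destinations and a TTL-1 IP probe for off-subnet ones, drops the triggering packet while discovery is pending, and learns the gateway's MAC from the Time Exceeded reply. All addresses, MACs and interface names are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class ProbeDecision:
    kind: str            # "arp" or "icmp_ttl1"
    target: str          # IP address the probe is addressed to
    ttl: Optional[int]   # TTL of the IP probe; None for ARP


@dataclass
class TransparentASA:
    bvi: str  # BVI address with prefix length (constructed, e.g. "192.0.2.10/24")
    # destination IP -> (next-hop MAC, egress interface)
    mac_table: Dict[str, Tuple[str, str]] = field(default_factory=dict)
    dropped: List[str] = field(default_factory=list)  # first packets lost to discovery

    def probe_for(self, dst_ip: str) -> ProbeDecision:
        """Choose the discovery mechanism for a destination with no known MAC."""
        bvi_net = ipaddress.ip_interface(self.bvi).network
        if ipaddress.ip_address(dst_ip) in bvi_net:
            # Same subnet: ARP out of every BVI member interface.
            return ProbeDecision("arp", dst_ip, None)
        # Different subnet: IP packet to the destination with TTL 1, so the
        # gateway (not the end host) answers with ICMP Time Exceeded. The host's
        # own ICMP policy therefore does not matter for discovery.
        return ProbeDecision("icmp_ttl1", dst_ip, 1)

    def forward(self, dst_ip: str):
        """Forward if the next-hop MAC is known; otherwise drop and start a probe."""
        if dst_ip in self.mac_table:
            mac, iface = self.mac_table[dst_ip]
            return ("forward", mac, iface)
        self.dropped.append(dst_ip)  # the first packet is dropped, as Cisco documents
        return ("drop", self.probe_for(dst_ip))

    def learn_arp_reply(self, ip: str, mac: str, iface: str) -> None:
        """ARP reply from the host itself: its MAC is the forwarding MAC."""
        self.mac_table[ip] = (mac, iface)

    def learn_time_exceeded(self, dst_ip: str, gw_mac: str, iface: str) -> None:
        """Time Exceeded from the gateway: the gateway's MAC is the next hop for dst."""
        self.mac_table[dst_ip] = (gw_mac, iface)


if __name__ == "__main__":
    asa = TransparentASA("192.0.2.10/24")
    print(asa.forward("198.51.100.7"))  # off-subnet: dropped, TTL-1 probe issued
    asa.learn_time_exceeded("198.51.100.7", "00:00:5e:00:53:01", "inside")
    print(asa.forward("198.51.100.7"))  # now forwarded to the gateway MAC
```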

Thanks Julio, your answer clears up the point. Just want to know, did you find some Cisco text stating the above? If so, please provide the link.

Hello Anir,

Glad to hear that.

That's basically based on my experience with these cases here in TAC.

Not sure if it's here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

You can do captures to probe it

Also remember to mark the question as answered.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC