02-06-2014 01:14 AM - edited 03-11-2019 08:41 PM
02-06-2014 01:54 AM
Could you please be more specific as to what does not work. How are you testing, and from which IP to which IP is it not working? Are you able to ping the switch from the ASA Firewall (not the transparent firewall)?
--
Please remember to rate and select a correct answer
02-06-2014 02:03 AM
Case 1:
From the management PC I can ping 10.10.10.10 & 10.10.10.11 but cannot ping 10.10.10.1 or 10.10.20.1
Case 2:
Remove the IPS and directly connect the cable from the switch (gig0/8) to the ASA firewall (gig0/1) on top. Now I can ping the 10.10.10.1 & 10.10.20.2 segment
02-06-2014 03:18 AM
Well, it seems you have found where the issue is yourself. It looks like there is a misconfiguration on the IPS.
02-06-2014 03:56 AM
Could you please point me to the misconfiguration & how to resolve it?
Is the above setup supported?
02-06-2014 04:03 AM
Well, you have it set to fail-open, so it is a little strange that it is not allowing traffic through. You could post the IPS config here and we can have a look and see if we can spot anything out of the ordinary. Otherwise, you might also want to post a question in the IPS/IDS section of the support forum.
02-06-2014 04:23 AM
The IPS was set to fail open. I have tried this setup without any VLANs and it seems to be working.
I strongly suspect multiple VLANs in transparent mode will not work, as the ASA cannot inspect VLAN-tagged packets. Correct me if I am wrong.
02-06-2014 04:44 AM
Ok, after a little research I think I have found a solution for you (I am leaving out the policy map configs):
firewall transparent
hostname ASA-IPS
interface GigabitEthernet0/0.20
 vlan 20
 nameif Outside2
 bridge-group 2
 security-level 0
interface GigabitEthernet0/0.10
 vlan 10
 nameif Outside1
 bridge-group 1
 security-level 0
!
interface GigabitEthernet0/1.22
 vlan 22
 nameif Inside2
 bridge-group 2
 security-level 100
interface GigabitEthernet0/1.11
 vlan 11
 nameif Inside1
 bridge-group 1
 security-level 100
interface BVI1
 ip address 10.10.10.10 255.255.255.0
interface BVI2
 ip address 10.10.20.10 255.255.255.0
access-list inside_acl extended permit ip any any
access-list outside_acl extended permit ip any any
access-group outside_acl in interface Outside1
access-group inside_acl in interface Inside1
access-group outside_acl in interface Outside2
access-group inside_acl in interface Inside2
Also make sure that you amend the VLANs on the switch to correspond to the VLANs on the Transparent ASA.
02-06-2014 05:17 AM
Thanks, I have tried this but it is not working.
But does it mean I need to create as many VLANs & BVIs on the ASA as exist in between?
02-06-2014 05:41 AM
But does it mean I need to create as many VLANs & BVIs on the ASA as exist in between?
From my understanding, yes.
02-08-2014 11:57 PM
For me this looks more like a context-based firewall. Which BVI IP will be used as the ASA source IP? Is it recommended for a production environment?
02-09-2014 02:39 AM
Yes, it does look much like a context firewall type config. But the config is limited by the number of bridge groups you are able to configure in single mode (this is limited to 8 BVIs). So this solution is not scalable.
Which BVI IP will be used as the ASA source IP?
Each subnet requires that a BVI is configured with an IP within that subnet, otherwise traffic will be dropped. The source IP will be the BVI that is configured for that specific bridge group. So if you are sending logs to a syslog server out an interface that is in bridge group 1, then the IP of BVI 1 is the source IP.
Is it recommended for a production environment?
Although I know it is possible to configure the transparent firewall in such a way, I have never seen such a configuration in real life, nor have I ever set it up in a prod environment. I believe I have never seen it because it is not a scalable solution and will only allow up to 8 VLANs to pass through the transparent ASA.
I have not been able to find any documentation that says that Cisco will support such a configuration, nor have I found documentation saying they will not support it. So implement this solution at your own risk.
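As an added example (not from the thread or from Cisco), a small Python audit that applies the rules spelled out in the replies above to a transparent-mode ASA config: every bridge group needs a BVI with an IP address, each bridge group needs inside and outside members, and single mode allows at most 8 BVIs. The sample config is constructed from the one posted in the thread, with BVI2 deliberately left out so the check has something to report.

```python
MAX_BVIS = 8  # single-mode bridge-group limit stated in the thread

def parse(config):
    """Collect bridge-group member interfaces and BVI addresses from ASA config text."""
    members, bvis, cur, bvi = {}, {}, None, None
    for line in config.splitlines():
        line = line.strip()
        if line.startswith("interface "):
            name = line.split()[1]
            cur = {"name": name}
            bvi = int(name[3:]) if name.startswith("BVI") else None
        elif cur is None:
            continue  # global commands before the first interface block
        elif line.startswith("security-level "):
            cur["level"] = int(line.split()[1])
        elif line.startswith("bridge-group "):
            members.setdefault(int(line.split()[1]), []).append(cur)
        elif bvi is not None and line.startswith("ip address "):
            bvis[bvi] = " ".join(line.split()[2:4])  # "ip mask" of this BVI
    return members, bvis

def audit(config):
    """Return a list of findings; an empty list means the config passes every check."""
    members, bvis = parse(config)
    findings = []
    if len(bvis) > MAX_BVIS:
        findings.append(f"{len(bvis)} BVIs configured, single mode allows {MAX_BVIS}")
    for group, ifaces in sorted(members.items()):
        if group not in bvis:
            findings.append(f"bridge-group {group} has no BVI address; its traffic will be dropped")
        if len({i.get("level") for i in ifaces}) < 2:
            findings.append(f"bridge-group {group} needs members on two security levels")
    findings += [f"BVI{n} has no member interfaces" for n in bvis if n not in members]
    return findings

def subif(name, vlan, nameif, group, level):
    """Build one VLAN sub-interface block (helper for the constructed sample input)."""
    return f"interface {name}\n vlan {vlan}\n nameif {nameif}\n bridge-group {group}\n security-level {level}\n"

# Constructed sample based on the thread's config; BVI2 is omitted on purpose.
SAMPLE = ("firewall transparent\n"
          + subif("GigabitEthernet0/0.10", 10, "Outside1", 1, 0)
          + subif("GigabitEthernet0/1.11", 11, "Inside1", 1, 100)
          + subif("GigabitEthernet0/0.20", 20, "Outside2", 2, 0)
          + subif("GigabitEthernet0/1.22", 22, "Inside2", 2, 100)
          + "interface BVI1\n ip address 10.10.10.10 255.255.255.0\n")
```

Running `audit(SAMPLE)` reports bridge-group 2 as missing its BVI; appending the BVI2 block from the thread clears the finding.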