ASA Transparent Mode For Multiple Subnets

thomaswcisco (Level 1)

I am looking to replace a FortiGate firewall, which is currently working in transparent mode handling multiple subnets, with an ASA 5515.  Currently, I am testing the transparent mode configuration on an ASA 5505, and it will not forward any traffic that is not in the same subnet as the IP address assigned to the BV interface.

For example, the following configuration works.

10.0.0.3/24 (computer) ---> 10.0.0.2/24 (firewall) ---> 10.0.0.1/24 (computer)

However, the following does not work

10.0.0.3/24 (computer) ---> 10.10.0.2/24 (firewall) ---> 10.0.0.1/24 (computer)

I thought that transparent mode is just a bump in the wire, so why does the IP address/subnet assigned to the BV interface affect the traffic?  Is the ASA capable of handling other/multiple subnets in transparent mode besides the subnet assigned to the BV interface?

By the way, I used to run a PIX 515E 7.2(2) in transparent mode filtering multiple subnets.  The current ASA 5505 is on 9.0(1).  Is this a limitation of the ASA 5505 model but not of the more powerful ASA models?

Thank you


16 Replies

Tagir Temirgaliyev (Spotlight)

try multiple context

Thank you @ttemirgaliyev, I tried, but multiple context mode is not supported by the ASA 5505.

I have an example of a PIX configuration in transparent mode filtering multiple subnets.  I was using this configuration in a production environment in the past.  I am wondering if an ASA 5510 or higher can handle this setup.

: Saved
: Written by enable_15 at 10:57:25.766 UTC Wed Jul 16 xxxx
!
PIX Version 7.2(2)
!
firewall transparent
hostname pixfirewall
enable password xxxxxxxxxx encrypted
names
!
interface Ethernet0
 nameif outside
 security-level 0
!
interface Ethernet0.1
 vlan 1
 no nameif
 no security-level
!
interface Ethernet1
 nameif inside
 security-level 100
!
interface Ethernet1.1
 no vlan
 no nameif
 no security-level
!
passwd xxxxxxxxxx encrypted
ftp mode passive
access-list outside extended permit udp any host 10.0.0.210
access-list outside extended permit udp any host 10.0.0.3
access-list outside extended permit tcp any host 10.0.0.110 eq smtp
access-list outside extended permit tcp any host 10.0.0.110 eq www
access-list outside extended permit tcp any host 10.0.0.57 eq smtp
access-list outside extended permit tcp any host 10.0.0.57 eq www
access-list outside extended permit tcp any host 10.0.0.75 eq www
access-list outside extended permit tcp any host 10.0.0.75 eq ftp
access-list outside extended permit tcp any host 10.0.0.75 eq 5003
access-list outside extended permit tcp any host 10.0.0.75 eq 403
access-list outside extended permit tcp any host 10.0.0.75 eq 407
access-list outside extended permit tcp any host 10.0.0.76 eq ftp
access-list outside extended permit tcp any host 10.0.0.2 eq pcanywhere-data
access-list outside extended permit udp any host 10.0.0.2 eq pcanywhere-status
access-list outside extended permit tcp any host 10.0.10.61
access-list outside extended permit tcp any host 10.0.10.62
access-list outside extended permit tcp any host 10.0.10.63
access-list outside extended permit tcp any host 10.0.10.64
access-list outside extended permit tcp any host 10.0.13.225 eq ftp
access-list outside extended permit tcp host 192.168.4.30 host 10.0.17.254 eq telnet
access-list outside extended permit tcp any host 10.0.13.225 eq telnet
access-list outside extended permit tcp any host 10.0.10.61 eq 50
access-list outside extended permit udp any host 10.0.10.61 eq isakmp
access-list outside extended permit tcp any host 10.0.10.62 eq 50
access-list outside extended permit udp any host 10.0.10.62 eq isakmp
access-list outside extended permit tcp any host 10.0.10.63 eq 50
access-list outside extended permit udp any host 10.0.10.63 eq isakmp
access-list outside extended permit tcp any host 10.0.10.64 eq 50
access-list outside extended permit udp any host 10.0.10.64 eq isakmp
access-list outside extended permit tcp any host 10.0.0.219
access-list outside extended permit udp any host 10.0.0.219
access-list outside extended permit udp any host 10.0.10.61
access-list outside extended permit udp any host 10.0.10.62
access-list outside extended permit udp any host 10.0.10.63
access-list outside extended permit udp any host 10.0.10.64
access-list outside extended permit icmp any host 10.0.10.29
access-list outside extended permit tcp any host 10.0.10.29 eq ftp
access-list outside extended permit tcp any gt 1023 host 10.0.10.29 eq ftp-data
access-list outside extended permit tcp any host 10.0.0.110 eq pop3
access-list outside extended permit tcp any host 10.0.0.57 eq pop3
access-list outside extended permit tcp any host 10.0.10.27 eq pcanywhere-data
access-list outside extended permit udp any host 10.0.10.27 eq pcanywhere-status
access-list outside extended permit tcp any host 10.0.10.31 eq pcanywhere-data
access-list outside extended permit udp any host 10.0.10.31 eq pcanywhere-status
access-list outside extended permit tcp any host 10.0.0.222 eq pcanywhere-data
access-list outside extended permit udp any host 10.0.0.222 eq pcanywhere-status
access-list outside extended permit icmp any host 10.0.10.28
access-list outside extended permit tcp any host 10.0.10.28 eq pptp
access-list outside extended permit gre any host 10.0.10.28
access-list outside extended permit ip any host 10.0.10.28
access-list outside extended permit ip any host 10.0.10.29
access-list outside extended permit tcp any host 10.0.10.25 eq 8234
access-list outside extended permit tcp any host 10.0.17.217 eq 8234
access-list outside extended permit tcp any host 10.0.17.217 eq 8235
access-list outside extended permit tcp any host 10.0.17.217 eq www
access-list outside extended permit ip any host 10.0.10.36
access-list outside extended permit ip any host 10.0.10.37
access-list outside extended permit ip any host 10.0.10.38
access-list outside extended permit ip any host 10.0.10.39
access-list outside extended permit ip any host 10.0.10.40
access-list outside extended permit ip any host 10.0.10.41
access-list outside extended permit tcp any host 10.0.0.235 eq www
access-list outside extended permit tcp any host 10.0.10.2 eq www
access-list outside extended permit tcp any host 10.0.10.2 eq 3389
access-list outside extended permit tcp host 192.168.1.234 host 10.0.0.211 eq 4899
access-list outside extended permit tcp any host 10.0.0.211 eq www
access-list outside extended permit tcp any host 10.0.10.35 eq www
access-list outside extended permit tcp any host 10.0.10.36 eq www
access-list outside extended permit tcp any host 10.0.10.37 eq www
access-list outside extended permit tcp any host 10.0.10.38 eq www
access-list outside extended permit tcp any host 10.0.10.39 eq www
access-list outside extended permit tcp any host 10.0.10.40 eq www
access-list outside extended permit tcp any host 10.0.10.41 eq www
access-list outside extended permit tcp any host 10.0.0.110 eq https
access-list outside extended permit tcp any host 10.0.0.57 eq https
access-list outside extended permit tcp any host 10.0.0.75 eq https
access-list outside extended permit tcp any host 10.0.17.217 eq https
access-list outside extended permit tcp any host 10.0.0.234 eq 220
access-list outside extended permit tcp any host 10.0.0.235 eq https
access-list outside extended permit tcp any host 10.0.10.2 eq https
access-list outside extended permit tcp any host 10.0.0.211 eq https
access-list outside extended permit tcp any host 10.0.10.35 eq https
access-list outside extended permit tcp any host 10.0.10.36 eq https
access-list outside extended permit tcp any host 10.0.10.37 eq https
access-list outside extended permit tcp any host 10.0.10.38 eq https
access-list outside extended permit tcp any host 10.0.10.39 eq https
access-list outside extended permit tcp any host 10.0.10.40 eq https
access-list outside extended permit tcp any host 10.0.10.41 eq https
access-list outside extended permit tcp any host 10.0.10.35 eq 8234
access-list outside extended permit tcp any host 10.0.10.36 eq 8234
access-list outside extended permit tcp any host 10.0.10.37 eq 8234
access-list outside extended permit tcp any host 10.0.10.38 eq 8234
access-list outside extended permit tcp any host 10.0.10.39 eq 8234
access-list outside extended permit tcp any host 10.0.10.40 eq 8234
access-list outside extended permit tcp any host 10.0.10.41 eq 8234
access-list outside extended permit tcp any host 10.0.10.35 eq 8235
access-list outside extended permit tcp any host 10.0.10.36 eq 8235
access-list outside extended permit tcp any host 10.0.10.37 eq 8235
access-list outside extended permit tcp any host 10.0.10.38 eq 8235
access-list outside extended permit tcp any host 10.0.10.39 eq 8235
access-list outside extended permit tcp any host 10.0.10.40 eq 8235
access-list outside extended permit tcp any host 10.0.10.41 eq 8235
access-list outside extended permit udp any host 10.0.0.222
access-list outside extended permit gre any any
access-list outside extended permit ip host 10.0.10.28 any
access-list outside extended permit ip host 10.0.0.211 any
access-list outside extended permit ip host 10.0.10.35 any
access-list outside extended permit ip host 10.0.10.36 any
access-list outside extended permit ip host 10.0.10.37 any
access-list outside extended permit ip host 10.0.10.38 any
access-list outside extended permit ip host 10.0.10.39 any
access-list outside extended permit ip host 10.0.10.40 any
access-list outside extended permit ip host 10.0.10.41 any
access-list outside extended permit ip host 10.0.0.222 any
access-list outside extended permit ip host 10.0.0.234 any
access-list outside extended permit icmp host 10.0.0.234 any
access-list outside extended permit tcp any host 10.0.0.235 eq 3389
access-list outside extended permit ip host 10.0.0.254 any
access-list outside extended permit tcp any host 10.0.0.2 eq 3389
access-list outside extended permit tcp any host 10.0.13.240 eq 5900
access-list outside extended permit udp any host 10.0.13.240 eq 5900
access-list outside extended permit tcp any host 10.0.13.240 eq 3283
access-list outside extended permit udp any host 10.0.13.240 eq 3283
access-list outside extended permit tcp any host 10.0.13.240 eq ssh
access-list outside extended permit tcp any host 10.0.10.12 eq www
access-list outside extended permit tcp any host 10.0.0.212 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address 10.0.0.230 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
snmp-server host inside 10.0.0.234 community xxxx
no snmp-server location
no snmp-server contact
snmp-server community xxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
!
!
prompt hostname context
Cryptochecksum:c887f562a196123a335c5ebeba0ad482
: end

Hello Thomas,

I thought that transparent mode is just a bump in the wire, so why does the IP address/subnet assigned to the BV interface affect the traffic?  Is the ASA capable of handling other/multiple subnets in transparent mode besides the subnet assigned to the BV interface?

  • Each directly connected network must be on the same subnet.

That's one of the transparent firewall limitations.

Also, there is no need to run multiple context mode for this; you can now use more than one BVI, and that will fix the problem.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Thank you for your reply. I have continued to test this in many different ways but keep getting the same result.

10.0.0.3 (computer) -(inside interface)-> 10.0.0.10 (firewall) -(outside interface)-> 10.0.0.2 (computer) = success

10.0.0.3 (computer) -(inside interface)-> 10.10.0.10 (firewall) -(outside interface)-> 10.0.0.2 (computer) = fail

Below is the log message I receive when I change the BVI IP address to 10.10.0.10.

%ASA-2-106006: Deny inbound UDP from 10.0.0.2/50871 to 239.255.255.250/1900 on interface outside
%ASA-2-106006: Deny inbound UDP from 10.0.0.2/50871 to 239.255.255.250/1900 on interface outside
%ASA-2-106006: Deny inbound UDP from 10.0.0.2/50871 to 239.255.255.250/1900 on interface outside
%ASA-2-106006: Deny inbound UDP from 10.0.0.2/50871 to 239.255.255.250/1900 on interface outside
%ASA-2-106006: Deny inbound UDP from 10.0.0.2/138 to 10.0.0.255/138 on interface outside
%ASA-2-106006: Deny inbound UDP from 10.0.0.2/50871 to 239.255.255.250/1900 on interface outside
%ASA-2-106006: Deny inbound UDP from 10.0.0.2/50871 to 239.255.255.250/1900 on interface outside
%ASA-2-106006: Deny inbound UDP from 10.0.0.2/50871 to 239.255.255.250/1900 on interface outside
%ASA-2-106006: Deny inbound UDP from 10.0.0.2/50871 to 239.255.255.250/1900 on interface outside

I looked up 106006 and below is the definition.

"Error Message: %PIX|ASA-2-106006: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port on interface interface_name.

Explanation: This is a connection-related message. This message is displayed if an inbound UDP packet is denied by the security policy that is defined for the specified traffic type.

Recommended Action: None required."

I tried assigning more than one IP address to one BV interface, but it didn't take it.  Is there a command like "ip address x.x.x.x x.x.x.x secondary", as on a router, for the BV interface?

Thank you again; this has been the main obstacle for me in the Fortigate-to-ASA migration project.

Hello Thomas,

My pleasure to help,

Did you check my latest post?

I mean, the thing is that for the ASA in transparent mode the IP address must belong to the same subnet it is being set on.

So in this case you could use two BVIs:

One with an IP on the 10.10.10.x subnet, to connect the 10.10.10.x subnet.

And another with an IP address on the 10.0.0.x subnet, to connect the 10.0.0.x subnet.

Let me know if you still have any questions.

Cheers,

Julio Carvajal Segura

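The two-BVI layout Julio describes, written out as ASA 9.x transparent-mode CLI. This is an added example, not configuration from the thread or from Cisco documentation; the hostname, interface names, addresses and ACL entries are assumed, and a 5515-style box with four routed ports is assumed (on a 5505 the bridge-group members would be Vlan interfaces instead).

```cisco
! Added example: one bridge group per subnet, each with its own BVI.
! Every value below is assumed; adapt names and addresses to your own segments.
firewall transparent
hostname asa-transparent
!
! Bridge group 1 carries the 10.0.0.0/24 segment; its BVI address must be in that subnet.
interface BVI1
 ip address 10.0.0.10 255.255.255.0
!
! Bridge group 2 carries the 10.10.0.0/24 segment; its BVI address must be in that subnet.
interface BVI2
 ip address 10.10.0.10 255.255.255.0
!
! Member interfaces of bridge group 1 (inside/outside pair for 10.0.0.0/24).
interface GigabitEthernet0/0
 bridge-group 1
 nameif outside1
 security-level 0
 no shutdown
interface GigabitEthernet0/1
 bridge-group 1
 nameif inside1
 security-level 100
 no shutdown
!
! Member interfaces of bridge group 2 (inside/outside pair for 10.10.0.0/24).
interface GigabitEthernet0/2
 bridge-group 2
 nameif outside2
 security-level 0
 no shutdown
interface GigabitEthernet0/3
 bridge-group 2
 nameif inside2
 security-level 100
 no shutdown
!
! Inbound policy is still applied per interface, as in the PIX config above.
! ARP is bridged without an ACL; IP traffic entering a low-security interface needs a permit.
access-list OUT1_IN extended permit tcp any host 10.0.0.110 eq www
access-list OUT1_IN extended permit tcp any host 10.0.0.110 eq smtp
access-group OUT1_IN in interface outside1
access-list OUT2_IN extended permit tcp any host 10.10.0.2 eq https
access-group OUT2_IN in interface outside2
!
! Traffic the ASA itself originates (syslog, SNMP, ARP for unknown hosts) is sourced
! from the BVI address, so the ASA still needs a route to reach off-segment servers.
route outside1 0.0.0.0 0.0.0.0 10.0.0.254 1
```

Hosts in bridge group 1 cannot reach hosts in bridge group 2 through the ASA; that traffic has to leave the ASA and be routed back in by an external router, which is the isolation Thomas quotes from the documentation later in the thread.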
Hi Julio,

Thanks again for your help. I will give it a try next week.  I have to leave town soon.  I will post my progress once I am back.

Thomas

Hello Thomas,

My pleasure to help,

Cheers,

Julio Carvajal Segura

Tagir Temirgaliyev (Spotlight)

try this

10.0.0.3/24 (computer) ---> 10.10.0.2/8 (firewall) ---> 10.0.0.1/24 (computer)

thomaswcisco (Level 1)

Thank you all. After spending a bit of time researching, I believe that the ASA cannot be a direct replacement for the current Fortigate firewall we have, due to its limitations.

"Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the ASA, and traffic must exit the ASA before it is routed by an external router back to another bridge group in the ASA."

"Note The ASA does not support traffic on secondary networks; only traffic on the same network as the management IP address is supported."

Thomas

Hello Thomas,

Glad to know that I could help with the answer to your questions,

Please mark it as answered so future users can learn from this.

Cheers,

Julio Carvajal Segura

Thank you Julio

Hello

Try placing the command in the system "arp permit-nonconnected"

Regards,

vijay1926 (Level 1)

In ASA transparent mode, why is it necessary to keep the management IP in the same subnet as that of the connected network?

What if I keep the management IP in a different subnet than that of the connected network?

If I do so, does the traffic move through the ASA, and why?

Thanks.

Hello Vijay,

As you say, you can use another one. That's correct, but the thing is that the management IP is not only used for management purposes.

That's where you are missing the point.

That IP address, assigned to the ASA as a whole, will also be used for ARP requests when the ASA does not know where the destination host lies and it's not on the same subnet as the ASA.

It will also be used as the source for packets going to a syslog server, AAA server, NetFlow server, SNMP server, and any packet that the ASA needs to create, so with that in mind the routing of the network will need to be changed to work with this.

If you manage to get the routing of the network to work with a different management IP address on the transparent ASA, then you can do it. I can assure you I have seen this scenario working before with no issues at all, bud.

Just a reminder: rate all of the helpful posts like this one.

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com
