ASA transparent mode & IP limit

Turkey Twizzler
Level 1

Hello, 

I'm trying to add an ASA Firewall to an existing network.

The topology looks a little like this:

192.168.0.0/24 -------> 172.10.1.0/24 (router @172.10.1.1) ------> < new ASA > ---------> (router @ 172.10.1.5) -----> 172.20.1.0/24

In words: 192.168.0.0 is connected to 172.10.1.0 via a router, which goes to another router, which the 172.20.1.0 network is on.  There are routes on all routers so 172.20.1.0 can "see" the 192 network.

I want to place an ASA between the two 172.x routers.  I cannot change the router configs, so I think transparent mode is my only option.

The Cisco manual contains this phrase:

"Note The ASA does not support traffic on secondary networks; only traffic on the same network as the management IP address is supported."

So, will my plan work?  I'm unsure, as transparent mode operates at layer 2, but the IP limitation will be at layer 3.

Or does the note simply mean that it's not possible to connect two networks into a layer 2 unmanaged switch (e.g. 192.168.0.0/24 and 172.10.1.0/24) and then connect that switch to one of the ASA interfaces?

Thanks for any help!

Dan

3 Replies

Philip D'Ath
VIP Alumni (Accepted Solution)

Have you got a link for that quote?  I think you might have taken it out of context.

You should be able to configure two of the interfaces on the ASA as a layer 2 bridge and run it in transparent mode just as you have described.  The two routers will plug directly into ASA interfaces.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_complete_transparent.html#wp1321196

You're probably right;

Each bridge group requires a management IP address. For another method of management, see the "Management Interface" section.

Note The ASA does not support traffic on secondary networks; only traffic on the same network as the management IP address is supported.

So I should have read this as "the ASA does not support management from secondary networks" rather than how I have read it, as "the ASA does not support traffic that's not on the BVI IP range"?

Thanks!

Shivapramod M
Level 1

Hi Dan,

Adding to Philip's comment, transparent mode is used as a bump in the wire, and that's what you need here. A firewall at layer 2 does similar work to a firewall at L3, other than packet forwarding and some of the features. But it does not break the broadcast domain the way L3 devices do.

Yes, your configuration will work. That particular note is only for management traffic, not for the pass-through traffic. For more information on L2 mode please refer to

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/intro_fw.html


Thanks,
Shivapramod M
Please remember to select a correct answer and rate helpful posts
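As an added worked example (it is not from any of the posters and is not a configuration Cisco supplied for this thread): an ASA 8.4-style transparent-mode configuration for the topology Dan drew, tying together Philip's "two interfaces in one layer 2 bridge" answer and Shivapramod's point that the "secondary networks" note only concerns the ASA's own management traffic. The interface names, the BVI host address 172.10.1.10, the ACL names, the permitted services and the OSPF line are assumptions chosen for illustration; 192.168.0.0/24 and 172.20.1.0/24 are the "secondary networks" from the ASA's point of view and pass through the bridge without the ASA needing any route to them.

```text
! Switch the ASA to transparent (layer 2) mode. Changing the firewall mode
! clears the running configuration, so do this on a fresh unit or from the
! console before anything else is configured.
firewall transparent
hostname asa-bump
!
! Two interfaces in the same bridge group form the bump in the wire.
! Each router plugs straight into one of these ports (no switch needed).
interface GigabitEthernet0/0
 description To router 172.10.1.1 (towards 192.168.0.0/24)   ! assumed port
 nameif outside
 security-level 0
 bridge-group 1
 no shutdown
!
interface GigabitEthernet0/1
 description To router 172.10.1.5 (towards 172.20.1.0/24)   ! assumed port
 nameif inside
 security-level 100
 bridge-group 1
 no shutdown
!
! Management IP of the bridge group. It must sit on the subnet the two
! routers share (172.10.1.0/24); 172.10.1.10 is an assumed unused host.
! Transit traffic between 192.168.0.0/24 and 172.20.1.0/24 is NOT subject
! to this restriction: the ASA bridges and inspects it, it never routes it.
interface BVI1
 ip address 172.10.1.10 255.255.255.0
!
! Transparent mode keeps no routing table for transit traffic, but the ASA
! still needs a route for traffic it originates or terminates itself
! (SSH, syslog, AAA) when the peer is off the 172.10.1.0/24 subnet.
route outside 0.0.0.0 0.0.0.0 172.10.1.1
!
! Policy for traffic entering the low-security side. ARP is bridged without
! any ACL; every other IP flow from outside to inside needs a permit here.
! Inside-to-outside (high to low) is allowed by default, as in routed mode.
access-list OUTSIDE_IN extended permit icmp 192.168.0.0 255.255.255.0 172.20.1.0 255.255.255.0
access-list OUTSIDE_IN extended permit tcp 192.168.0.0 255.255.255.0 172.20.1.0 255.255.255.0 eq 443
! Caveat: if the two routers run a dynamic routing protocol across this link,
! their hellos are multicast IP and will be dropped, and the adjacency will
! fall, unless permitted explicitly. OSPF is assumed here; use eigrp for EIGRP.
access-list OUTSIDE_IN extended permit ospf any any
access-group OUTSIDE_IN in interface outside
!
! Management access to the BVI address from the 192 network (assumed source).
ssh 192.168.0.0 255.255.255.0 outside
```

Before cutting over, check with `show bridge-group 1`, `show mac-address-table` and `show access-list OUTSIDE_IN` that both ports are members of the bridge group, that the two routers' MACs are learned on opposite ports, and that the hit counters on the permit lines increase while pings from 192.168.0.0/24 to 172.20.1.0/24 continue to work. If the routers do peer over a routing protocol, watch the neighbor state on the routers immediately after insertion; a dropped adjacency is the most common surprise when an ASA is placed between two routers in transparent mode.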