1672 Views, 0 Helpful, 10 Replies

ASA Transparent Mode quick question

Hello Community, 

Can you please confirm if we still have the restriction of only being able to use two interfaces when the ASA is in transparent mode? 

Even in 9.2 code? 

Thanks,

10 Replies

jason.loera (Level 1)

Transparent mode implies the ASA is a layer two "bump on the wire". My guess is yes, you can only use two interfaces since you're logically on the same VLAN upon entry and exit.

Thank you for your response. 

My understanding is that you're on the same Layer 3 subnet but on different VLANs upon entry and exit. And my confusion is that the documentation says you can have up to 8 bridge groups (each bridge group belonging to a separate subnet). 

So I'm not sure if that means you can have up to 8 different DMZs directly connected to the ASA?


Bridge groups for transparent mode

8.4(1)

If you do not want the overhead of security contexts, or want to maximize your use of security contexts, you can group interfaces together in a bridge group, and then configure multiple bridge groups, one for each network. Bridge group traffic is isolated from other bridge groups. You can configure up to eight bridge groups of four interfaces each in single mode or per context.

We introduced the following commands: interface bvi, show bridge-group.

You can have multiple networks connected to the back end. Cisco's documentation is confusing on this, however. In my experience, I was able to accomplish this by using a router on each end of the firewall. The internal router acted as the gateway for all of my internal networks whereas the external router was my WAN-facing router. It was more costly and not an ideal solution, but it worked.

Thank you for your help. 

In version 7.x this is what the documentation says: 

The transparent security appliance uses an inside interface and an outside interface only. If your platform includes a dedicated management interface, you can also configure the management interface or subinterface for management traffic only.
In single mode, you can only use two data interfaces (and the dedicated management interface, if available) even if your security appliance includes more than two interfaces.

But since release 8.4(1), you can now use Bridge Groups. 
Does that mean the above is no longer a restriction and you can have up to 8 directly-connected DMZs? 

I guess the only thing I want to know is if you can have the following: 


8 subnets: 192.168.0.0/24 - 192.168.7.0/24 

Each segment directly connected to the ASA, and each one having the default GW the router (not the ASA). 


And if so, this means the restriction of only being able to use a single inside/outside interface is no longer there?

Basically the ASA can now handle traffic from 8 different subnets separately in transparent mode? 

You're absolutely right, the documentation is not clear! 

Can you please look at this and see if it means I can use multiple physical interfaces on the ASA now in transparent mode. 


Interfaces in Transparent Mode

Interfaces in transparent mode belong to a “bridge group,” one bridge group for each network. You can have up to 8 bridge groups of 4 interfaces each per context or in single mode. For more information about bridge groups, see Bridge Groups in Transparent Mode.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/interface-basic.html#pgfId-1324530


As for physical interfaces, yes. You can assign a different VLAN to each interface.

Jason, if I want to do this: 

I have 6 different inside Layer 3 subnets that I need to pass through the ASA in transparent mode to the outside interface. 


192.168.15.0/24
192.168.200.0/24          ——>   ASA   ——>   External Network
172.16.104.0/22, etc.


I need a router on the inside of the ASA. Cannot do it directly (without the inside router). That's what you're saying? 


Thanks!

According to Cisco's documentation, it's possible. However, I've never been able to get it to work. Using the ASA as the router in routed mode would accomplish this, too.

Yes. You can separate each network into a different bridge group. However, at this point, you may be better off using your ASA in routed mode. You'll have more control over internal traffic (i.e. traffic between networks) and your network is more scalable for future growth.
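A worked configuration for the layout discussed in this thread (several inside subnets, each bridged to the external router through its own bridge group, with the router rather than the ASA as the hosts' default gateway), added here as an example; it is not from the original posts or from Cisco's documentation. The interface names, VLAN IDs and BVI management addresses are assumptions chosen for illustration, and the syntax is the 8.4(1)-and-later transparent-mode form quoted earlier in the thread (bridge-group membership on each interface plus an interface bvi per group).

```cisco
! Example only (not from the thread): ASA 8.4(1)+ in transparent mode with
! one bridge group per inside subnet. Interface names, VLAN IDs and the
! management addresses below are assumed values.
firewall transparent
!
! The physical ports are plain 802.1Q trunks; the nameif, security-level
! and bridge-group membership live on the VLAN subinterfaces.
interface GigabitEthernet0/0
 description Trunk to inside switch
 no shutdown
!
interface GigabitEthernet0/1
 description Trunk to external router
 no shutdown
!
! --- Bridge group 1: 192.168.15.0/24 (inside VLAN 15, outside VLAN 1015) ---
interface GigabitEthernet0/0.15
 vlan 15
 nameif inside15
 bridge-group 1
 security-level 100
!
interface GigabitEthernet0/1.1015
 vlan 1015
 nameif outside15
 bridge-group 1
 security-level 0
!
! The BVI address is for managing the ASA only; hosts in 192.168.15.0/24
! keep the external router as their default gateway.
interface BVI1
 ip address 192.168.15.254 255.255.255.0
!
! --- Bridge group 2: 192.168.200.0/24 (inside VLAN 200, outside VLAN 1200) ---
interface GigabitEthernet0/0.200
 vlan 200
 nameif inside200
 bridge-group 2
 security-level 100
!
interface GigabitEthernet0/1.1200
 vlan 1200
 nameif outside200
 bridge-group 2
 security-level 0
!
interface BVI2
 ip address 192.168.200.254 255.255.255.0
!
! Repeat the pattern for each remaining subnet (bridge groups 3 to 8).
! The documentation quoted above caps this at eight bridge groups of
! four interfaces each, in single mode or per context.
```

Two points from the thread are worth keeping in mind with this layout. First, the quoted documentation says bridge-group traffic is isolated from other bridge groups, so the ASA will not forward a packet from inside15 to inside200; that traffic has to leave through outside15 and come back in through outside200 via the external router, which is why the last reply above suggests routed mode when you want policy between the internal networks. Second, the show bridge-group command listed in the 8.4(1) notes is the quickest way to confirm which named interfaces ended up in which group after entering the configuration.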
