cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
1869
Views
0
Helpful
8
Replies

ASA Transparent mode traffic redirection

tran.van.tien
Level 1
Level 1

Hi everyone,

I have two firewall ASA 5585X deployed in transparent mode and two catalyst 6500 VSS (core switches). I want to redirect traffic from core switches to  ASA. How can i do ? I have many VLANs on core switches. Thank you./.

1 Accepted Solution

Accepted Solutions

Hi Tran,

You needs to create multiple virtual interfaces for inside/outisde vlans.

Dont make both port as single trunk. You should use dedicate ports for incoming and outgoing traffic. below is example how you can permit multiple vlans using 2 ports. Attaching design for your reference:

 

Config Example:

Inside Interfaces for all required Vlans (10,20,30...)

Note: These Vlans(10,20,30...) should be configure as L2 inside vlans for host connectivity.

interface TenGigabitEthernet0/0
 no nameif
 no security-level

interface TenGigabitEthernet0/0.10
 vlan 10
 nameif inside1
 bridge-group 1
 security-level xx

interface TenGigabitEthernet0/0.20
 vlan 20
 nameif inside2
 bridge-group 2
 security-level xx

interface TenGigabitEthernet0/0.30
 vlan 30
 nameif inside3
 bridge-group 3
 security-level xx

Outside Interfaces for all required Vlans (100,200,300...)

note:These outside Vlans (100,200,300...) will be configured with L3 SVI on Core Switch

interface TenGigabitEthernet0/1
 no nameif
 no security-level


interface TenGigabitEthernet0/1.100
 vlan 100
 nameif outside1
 bridge-group 1
 security-level xx

interface TenGigabitEthernet0/1.200
 vlan 200
 nameif outside2
 bridge-group 2
 security-level xx

interface TenGigabitEthernet0/1.300
 vlan 300
 nameif outside3
 bridge-group 3
 security-level xx

BVI Interface config for all the allowed Vlans (100,200,300)


interface BVI1
 ip address 192.168.10.9 255.255.255.0 standby 192.168.10.10

interface BVI2
 ip address 192.168.20.9 255.255.255.0 standby 192.168.20.10

interface BVI3
 ip address 192.168.30.9 255.255.255.0 standby 192.168.30.10

 

Thanks

Rajneesh

View solution in original post

8 Replies 8

pokemon284
Level 1
Level 1

a có biết NAT DNS trên ASA ko ạ??? 

Rajneesh Dhiman
Level 1
Level 1

Hi Tran,

In transparent mode of Firewall, you needs to create bridge groups to the vlans at both (in/out) side of firewall.

Example: Configuration on Inside/outside interfaces:

interface TenGigabitEthernet0/6

    vlan 20
    nameif inside
    bridge-group 1
    security-level 100

interface TenGigabitEthernet0/7

    vlan 30
    nameif outside
    bridge-group 1
    security-level 0

Now please configure "BVI" interface with one IP from the same IP Subnet for which you want to pass traffic through firewall:


interface BVI1

ip address 192.168.10.9 255.255.255.0 standby 192.168.10.10  (any free IP can be assigned from subnet)

Now, please allow interested traffic on ouside Interface via access-list. This will redirect traffic through transparent firewall.

 

 

Thank you for your answer,

Let i show you a picture that describes my problem. I have core switches with many VLANs (10,20,30 for example) and i have just purchased 2 ASA 5585X witch 2 port 10Gb. I will connect it to core switches by using trunk links. I want to know how to redirect traffic to ASA with 2 ports and many VLANS. With the solution you suggest i must have many ports :)

Hi Tran,

You needs to create multiple virtual interfaces for inside/outisde vlans.

Dont make both port as single trunk. You should use dedicate ports for incoming and outgoing traffic. below is example how you can permit multiple vlans using 2 ports. Attaching design for your reference:

 

Config Example:

Inside Interfaces for all required Vlans (10,20,30...)

Note: These Vlans(10,20,30...) should be configure as L2 inside vlans for host connectivity.

interface TenGigabitEthernet0/0
 no nameif
 no security-level

interface TenGigabitEthernet0/0.10
 vlan 10
 nameif inside1
 bridge-group 1
 security-level xx

interface TenGigabitEthernet0/0.20
 vlan 20
 nameif inside2
 bridge-group 2
 security-level xx

interface TenGigabitEthernet0/0.30
 vlan 30
 nameif inside3
 bridge-group 3
 security-level xx

Outside Interfaces for all required Vlans (100,200,300...)

note:These outside Vlans (100,200,300...) will be configured with L3 SVI on Core Switch

interface TenGigabitEthernet0/1
 no nameif
 no security-level


interface TenGigabitEthernet0/1.100
 vlan 100
 nameif outside1
 bridge-group 1
 security-level xx

interface TenGigabitEthernet0/1.200
 vlan 200
 nameif outside2
 bridge-group 2
 security-level xx

interface TenGigabitEthernet0/1.300
 vlan 300
 nameif outside3
 bridge-group 3
 security-level xx

BVI Interface config for all the allowed Vlans (100,200,300)


interface BVI1
 ip address 192.168.10.9 255.255.255.0 standby 192.168.10.10

interface BVI2
 ip address 192.168.20.9 255.255.255.0 standby 192.168.20.10

interface BVI3
 ip address 192.168.30.9 255.255.255.0 standby 192.168.30.10

 

Thanks

Rajneesh

Thank you Rajneesh!

Hi Tran Van,

I have the same configurations but I can't  to do PING between  different Vlans  only can to do PING between the same network or the same vlan.

Regards,

Hi jrgonzalezz,

Please check your core switches because it performs routing ;)

When you say "redirect", what do you mean? Do you want to use the ASA as your client gateway? What role do you want the ASAs to perform? Do you want specific access policies for each VLAN? Please explain?

Review Cisco Networking for a $25 gift card