Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
592
Views
0
Helpful
4
Replies

asa transparent multiple subnets

cisco8887
Level 2
Level 2

‎09-21-2015 12:10 AM - edited ‎03-12-2019 06:08 PM

Hi All,

 

 

If you want to configure a firewall as transparent, you need to have an ip per subnet between the networks it is serving , correct ? if so why this is needed? Arp requests from asa?

 

 

if you have multiple subnets through the asa, do you do trunking as follow

 

inside hosts have the following subnet : 10.0.0.0/24 and 10.0.1.0/24

the router has the following ip: 10.0.0.1 and 10.0.1.1

would the firewall config be something like 

 

 

interface gig 0 

no shut

 

interface gig0.10

encapsulation dot1 10

nameif inside1

bridge-group-10

no shut

 

interface gig0.20

encapsulation dot1 20

nameif inside2

bridge-group-20

no shut

 

 

interface gig 1

no shut

 

interface gig1.10

encapsulation dot1 10

nameif outside1

bridge-group-10

no shut

 

interface gig1.20

encapsulation dot1 20

nameif outside2

bridge-group-20

no shut

 

 

 

int bvi 10

ip address 10.0.0.2 

int bvi 20 

ip address 10.0.1.2 

 

 

and then trunking on switch side (hosts) and router on stick on router side?

 

many thanks

 

 

Labels:
0 Helpful
4 Replies 4

cisco8887
Level 2
Level 2

‎09-23-2015 12:34 AM

Found my answer and here it is for anyone wanting to do it in future

 

interface gig 0 

no shut

 

interface gig0.10

encapsulation dot1 10

nameif inside1

bridge-group-10

no shut

 

interface gig0.20

encapsulation dot1 20

nameif inside2

bridge-group-20

no shut

 

 

interface gig 1

no shut

 

interface gig1.10

encapsulation dot1 11

nameif outside1

bridge-group-10

no shut

 

interface gig1.20

encapsulation dot1 21

nameif outside2

bridge-group-20

no shut

 

 

 

int bvi 10

ip address 10.0.0.2 

int bvi 20 

ip address 10.0.1.2 

 

 

you need to setup up one side of the trunk to use 10 and 20 and other side to use 11 and 21

 

10 is bridged to 20

 

11 is bridged to 21

 

hope this helps anyone with the same problem .

0 Helpful

tlienskt
Level 1
Level 1
In response to cisco8887

‎11-19-2015 07:54 AM

Can you post your working config?  I have been trying to set this up no have no luck with.  Trying to pass 3 vlans through.  I'm showing link lights but no traffic passing or even hitting the ASA.

3750 - ASA5510 -3650

dot1q                   dot1q trunk

0 Helpful

cisco8887
Level 2
Level 2
In response to tlienskt

‎11-22-2015 11:32 AM

Hi There,

I did it in a lab environment so don't have the configuration.

Your setup will need to be one side receiving one vlan and the other leaving in another vlan as per my earlier post

for instance to pass traffic between two vlans on same subnet using transparent mode, here is what you do

setup 0.10 and the switch side of it as passing vlan 10

setup 1.10 and the switch swide of it as passing vlan 11

bridge 0.10 and 1.10 together using bridge group x for instance 10

that should pass all traffic through

make sure you have nameif on each interface such as 0.10 and 1.10

0 Helpful

tlienskt
Level 1
Level 1
In response to cisco8887

‎11-19-2015 07:55 AM

1

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card