ASA5505 Transparent mode

Dustin Flint
Level 3

I am trying to use a 5505 in transparent mode. I have always used routed mode previously, so I am sure I am missing something simple. Essentially we are creating a shared network space with another IT entity. We are using a class C address space in total, but splitting it in half between each group. My understanding is that if I want to have a FW on our side, I need to have it in transparent mode since it is all one address space. I am having trouble communicating with the other side. I am essentially on the 172.16.3.128/25 side. I am unable to pass traffic/ping the other side, 172.16.3.1. If I take the FW out completely and just put a router in it works fine, so I know I am missing something on the ASA configuration, and have tried all kinds of route and ACL settings. A basic network layout is attached along with the FW config. Any help would be appreciated.

7 Replies

Rishabh Seth
Level 10

Transparent mode: In transparent mode the ASA resides on a link between two devices on the same network.

As per your network design you have your ASA connecting two different networks, 172.16.3.1/25 and 172.16.3.128/25.

If you want to make two subnets communicate with each other you can use ASA in router mode itself.

If possible, provide more information about your network requirement.

Hope it helps.

In routed mode, I cannot have an outside interface and inside interface on the same subnet, which is what I need. So if I use a /24 instead of a /25, and everything is in the same subnet, how do firewall rules work if I need to separate traffic from 172.16.5.1-127 from traffic from 128-254? If they are on the same subnet, won't traffic just bypass the firewall since they are on the same subnet?

If your requirement is to just separate /24 address space into two halves and monitor the traffic between these new subnets then it is possible in router mode itself.

You can assign one IP from 172.16.5.1-127/25 address space to your inside interface.

Similarly one IP from 172.16.5.128-255/25 address space to your outside interface.

And configure users sitting behind inside interface to have default gateway as inside interface's IP. Similarly configure users behind outside interface with default gateway as outside interface's IP.

When you break the subnet from /24 to /25, the communication between two /25 subnets will be through ASA. So you can configure ACLs to monitor traffic.

Hope it helps.
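The routed-mode split described in the steps above, written out as an added example configuration; it is not from the thread or from Cisco's documentation. It assumes an ASA 5505 (VLAN interfaces), that the poster's half 172.16.5.128/25 sits behind inside and the other entity's half 172.16.5.0/25 behind outside, and that 172.16.5.129, 172.16.5.2 and the server 172.16.5.140 are addresses free to use; the ACL entries are placeholders for whatever the real policy is.

```cisco
! Added example, not from the thread: routed mode (the ASA default), one /24 split into two /25s.
! Assumed addressing: poster's hosts in 172.16.5.128/25 on inside, other entity in 172.16.5.0/25 on outside.
interface Ethernet0/0
 switchport access vlan 2
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 172.16.5.129 255.255.255.128
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 172.16.5.2 255.255.255.128
!
! Hosts in 172.16.5.128/25 use 172.16.5.129 as default gateway; hosts in 172.16.5.0/25 use 172.16.5.2.
! Every packet between the halves is now routed by the ASA, so the interface ACLs see all of it.
! Inbound from the other entity's half: permit only what is needed, log everything else that is dropped.
access-list outside_in extended permit tcp 172.16.5.0 255.255.255.128 host 172.16.5.140 eq 443
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! Outbound from the poster's half: permit; the stateful inspection allows the return traffic.
access-list inside_in extended permit ip 172.16.5.128 255.255.255.128 any
access-group inside_in in interface inside
```

This only works when the poster controls the addressing of both halves, which is the point the next reply raises: the two /25s must be distinct subnets, and each host's default gateway must be the ASA interface on its own side.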

Risseth, thanks for the response.

There lies my problem. That's how I want to do it; however, I do not have control of the 172.16.5.1-127 space, which is going to be used by another IT entity. Therefore my outside and inside interfaces have to be on the same subnet.

So my understanding is I have to do this in transparent mode; however, I will still need to be able to filter traffic from the 172.16.5.1-127 space from the 172.16.5.128-254 space I am using.

I was just going to create a bridge group with the /25 mask and assign it 172.16.5.129, with a static route to 172.16.5.1 on the other side. Then do ACLs accordingly. However, this does not seem to be working properly.

Is my thinking here incorrect?

[device1]--------[ASA]-------[device2]

Are device1 and device2 in the same /25 subnet?

================================================================

Refer to the following link for transparent firewall:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/fwmode.html

No, they are in the same /24 subnet.
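The transparent-mode design discussed in this thread, written out as an added example configuration; it is not from the thread, from the poster's attached config, or from the linked Cisco guide. It assumes an ASA 5505 running a release with bridge-group/BVI syntax (8.4 or later), that the whole 172.16.5.0/24 is one Layer 2 segment as confirmed above (so the BVI carries the /24 mask rather than the /25 the poster mentioned), that 172.16.5.129 is free for the ASA's own management address, that 172.16.5.1 is the other side's router, and that 172.16.5.140 is a server on the poster's half. The ACL entries are placeholders for the real policy.

```cisco
! Added example, not from the thread: transparent (Layer 2) mode, one /24 segment, filtering between the halves.
firewall transparent
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Vlan1
 nameif inside
 bridge-group 1
 security-level 100
!
interface Vlan2
 nameif outside
 bridge-group 1
 security-level 0
!
! The BVI address is only the ASA's own address on the bridged segment (management, syslog, AAA).
! Because 172.16.5.0/24 is one subnet, the mask is /24; a /25 here would not match the segment.
interface BVI1
 ip address 172.16.5.129 255.255.255.0
!
! Same-subnet filtering works because every frame between the two halves crosses the bridge.
! Inbound from the other entity's half (172.16.5.0/25): permit what is needed, log the rest.
access-list outside_in extended permit tcp 172.16.5.0 255.255.255.128 host 172.16.5.140 eq 443
access-list outside_in extended permit icmp 172.16.5.0 255.255.255.128 172.16.5.128 255.255.255.128 echo
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside
!
! Outbound from the poster's half (172.16.5.128/25): permit.
access-list inside_in extended permit ip 172.16.5.128 255.255.255.128 any
access-group inside_in in interface inside
!
! Stateful ICMP so ping replies are matched to their requests instead of needing their own ACL entries.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Needed only for traffic the ASA itself originates; bridged user traffic needs no routes at all.
route outside 0.0.0.0 0.0.0.0 172.16.5.1 1
```

Two checks worth making on a design like this: the ASA must be the only Layer 2 path between the two groups' switches, because any other link between them (a shared VLAN, a second uplink) carries frames around the firewall and the ACLs never see them; and in transparent mode ARP is bridged by default, so a host in one half resolving a host in the other is expected and is not a sign that the policy is being bypassed.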

Figured it out. I now have this working.
