Configure ASA 5545x to allow/filter specific traffic in and out


I need to configure an ASA 5545 as a pass-through filter for devices (two, with one inside and two outside interfaces each) that are connected directly to the internet. They do not want to use Firepower. I have configured one-to-one NATs for the outside interfaces and plan to re-IP the device outside interfaces as inside, to NAT outside. They cannot define the outside target IP(s) except as IPv4 addresses. I just need the firewall to allow specific ports in and out. I used a BVI interface for each of the two devices because they asked that their outside addresses be in different subnets, and there are two devices. However, they are not different now, so I can nix that if I have to. I have a limited lab capability. I'm just looking for some ideas to compare, to see if what I'm proposing is the simplest way to go. I've attached a high-level drawing of their proposal. Any ideas would be much appreciated. Thank you.

Rob Ingram
VIP Expert


So you are proposing to connect additional interfaces of the servers directly to the ASA? I've never connected endpoints directly to a firewall, nor would I. I'd recommend connecting the ASA to the DMZ switch. Create a routed port or separate VLAN on the switch and connect the ASA to that, then route traffic out via the ASA. The ACL and NAT on the ASA should then be pretty straightforward.


Thanks for the reply. The setup they have now just connects all the device outside interfaces to individual ports on a cable modem. They would prefer not to use an additional switch, hence the BVI(s). I've used that to basically create a switch on a 5512-X before, but I've not configured two on the same FW. This is mostly being dictated by the employer. I can just use one BVI with one subnet inside, NATed to the outside, to simplify things. What I'm struggling with is the traffic from outside in. Most of it may be my limited lab setup. I want to have some confidence that the setup is working before I rack it up. Thanks again.


I was referring to using the existing "DMZ internal" switch rather than installing another switch. If the servers have multiple NICs you'd have to create static routes via the different NICs and it becomes a mess. The proposal being dictated to you isn't advisable and is very bespoke. I'd keep it simple using something like what I previously suggested: use the existing switch as the default gateway of all the servers; the switch then determines the routing. You then have the ASA permitting the traffic in > out and out > in, plus NAT.

I have been experimenting with transparent mode. I have a lab setup in which I've been able to apply an ACL to filter the requested ports from hosts on the inside network to the gateway outside. I wonder if this might be the way to go? I applied the same ACL outside-in, but I haven't figured out a real way to test from the outside in. I wonder if this might be a workable solution?
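The transparent-mode approach described in the post above, written out as an added configuration example. This is not configuration from the thread or from Cisco; it is a constructed illustration that assumes a single bridge group with one outside port (to the cable modem) and one inside port per device, RFC 5737 documentation addresses (203.0.113.0/24 for the bridged subnet, 198.51.100.0/24 as the partner range allowed inbound), and TCP/443 and TCP/22 as the "specific ports" to publish. Interface names, object names and ACL names are all assumptions. No NAT is configured because in transparent mode the devices keep their public addresses; the ASA only bridges and filters.

```cisco
! Added example, not from the thread: ASA transparent-mode pass-through filter.
! All addresses, names and ports below are constructed for illustration.
firewall transparent
!
! One bridge group: the outside port and both device-facing ports are in the same L2 domain.
interface GigabitEthernet0/0
 description Outside - to cable modem (assumed)
 nameif outside
 bridge-group 1
 security-level 0
 no shutdown
interface GigabitEthernet0/1
 description Inside - device 1 (assumed)
 nameif inside1
 bridge-group 1
 security-level 100
 no shutdown
interface GigabitEthernet0/2
 description Inside - device 2 (assumed)
 nameif inside2
 bridge-group 1
 security-level 100
 no shutdown
!
! Management address for the bridge group; must sit in the bridged subnet.
interface BVI1
 ip address 203.0.113.10 255.255.255.0
!
! The two protected devices (constructed addresses) and the partner range allowed inbound.
object network DEVICE1
 host 203.0.113.11
object network DEVICE2
 host 203.0.113.12
object-group network PROTECTED_DEVICES
 network-object object DEVICE1
 network-object object DEVICE2
object-group network PARTNER_NETS
 network-object 198.51.100.0 255.255.255.0
object-group service INBOUND_TCP tcp
 port-object eq 443
 port-object eq 22
object-group service OUTBOUND_TCP tcp
 port-object eq 443
 port-object eq 80
!
! Outside-in: only the partner range, only to the two devices, only the published ports.
! The final deny is implicit anyway, but making it explicit with "log" gives syslog visibility.
access-list OUTSIDE_IN extended permit tcp object-group PARTNER_NETS object-group PROTECTED_DEVICES object-group INBOUND_TCP
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Inside-out: the devices may initiate only HTTPS/HTTP and DNS; everything else is logged and dropped.
access-list INSIDE_OUT extended permit tcp object-group PROTECTED_DEVICES any object-group OUTBOUND_TCP
access-list INSIDE_OUT extended permit udp object-group PROTECTED_DEVICES any eq domain
access-list INSIDE_OUT extended deny ip any any log
access-group INSIDE_OUT in interface inside1
access-group INSIDE_OUT in interface inside2
```

Two points worth keeping in mind when comparing this with the lab results described in the post. First, the ASA is stateful in transparent mode too, so the OUTSIDE_IN list only has to permit connections that are *initiated* from outside; replies to outbound sessions are matched by the connection table and do not need mirrored rules. Second, when there is no external host available to test from, `packet-tracer` exercises the same ACL path the real packet would take: `packet-tracer input outside tcp 198.51.100.7 40000 203.0.113.11 443` should report the flow as allowed, while `packet-tracer input outside tcp 192.0.2.9 40000 203.0.113.11 3389` should be dropped at the ACL phase, and `show access-list OUTSIDE_IN` shows the per-line hit counts afterwards.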

