Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1675
Views
5
Helpful
3
Replies

Public IPs passthrough with Cisco ASA 5508-X

Go to solution
PedyMaster
Level 1
Level 1

‎02-08-2016 12:45 PM - edited ‎03-12-2019 12:15 AM

Hi there,

I have a x.x.x.0/24 network from our ISP - x.x.x.1 is the gateway and that is our ISPs router.

Right now, I have several servers with two network interfaces, one in this, public, network and other in LAN. These servers have only IPtables rules to protect them. We would like to raise the security a bit, so we would like to have ASA monitoring all the traffic.

I know that one of my option is to have all public IPs on ASA and NATing to the private addresses, but we would like to preserve the system "as is" which means to really passthrough the public network through ASA to the servers, so the servers will really have the public IP.

Something like this:

|ISP| ---- |ASA| ---- |servers|

The idea is to have ASA monitoring the traffic going through and allowing only some protocols and therefore raising the security (sort of supplementing the IPtables). 

Is something like that possible or am I stuck wit NATing?

Thanks for all your time!

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Rishabh Seth
Level 7
Level 7

‎02-08-2016 11:55 PM

ASA can be deployed in transparent mode as well, in such case the ASA will act as bump in the wire and will be able to apply security checks. There are some feature which may operate in routed mode and not in transparent mode, you can refer configuration guide to learn more about it.

Here is a link you can refer to understand how asa is deployed in transparent mode and how the traffic flow is:

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/97853-Transparent-firewall.html

Thanks,

R.S.

Rate if it helps

View solution in original post

Go to solution
Rishabh Seth
Level 7
Level 7
In response to PedyMaster

‎02-09-2016 01:14 AM

Newer version of ASA supports mixed mode of operations, which means you can have multiple contexts on firewall and they can operate in transparent or routed mode irrespective of each-other.

Regarding VPN on ASA 9.5: 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/vpn/asa-95-vpn-config/vpn-ike.html#ID-2441-000000bc

Thanks,

RS

Rate useful answers.

View solution in original post

0 Helpful
3 Replies 3

Go to solution
Rishabh Seth
Level 7
Level 7

‎02-08-2016 11:55 PM

ASA can be deployed in transparent mode as well, in such case the ASA will act as bump in the wire and will be able to apply security checks. There are some feature which may operate in routed mode and not in transparent mode, you can refer configuration guide to learn more about it.

Here is a link you can refer to understand how asa is deployed in transparent mode and how the traffic flow is:

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/97853-Transparent-firewall.html

Thanks,

R.S.

Rate if it helps

Go to solution
PedyMaster
Level 1
Level 1
In response to Rishabh Seth

‎02-09-2016 12:26 AM

Thanks for you answer, this was exactly what I was looking for, I just did not know what to search for exactly!

Do I understand it correctly from the manual, that ASA cannot work in both transparent and routed modes at once?

The setup I was looking for was for ASA to be transparent firewall for the mentioned public network AND gateway for LAN network (with NAT and some site-to-site VPN tunnels and so on)

Thanks again!

0 Helpful

Go to solution
Rishabh Seth
Level 7
Level 7
In response to PedyMaster

‎02-09-2016 01:14 AM

Newer version of ASA supports mixed mode of operations, which means you can have multiple contexts on firewall and they can operate in transparent or routed mode irrespective of each-other.

Regarding VPN on ASA 9.5: 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/vpn/asa-95-vpn-config/vpn-ike.html#ID-2441-000000bc

Thanks,

RS

Rate useful answers.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card