02-08-2016 12:45 PM - edited 03-12-2019 12:15 AM
Hi there,
I have an x.x.x.0/24 network from our ISP - x.x.x.1 is the gateway and that is our ISP's router.
Right now, I have several servers with two network interfaces, one in this public network and the other in the LAN. These servers have only iptables rules to protect them. We would like to raise the security a bit, so we would like to have an ASA monitoring all the traffic.
I know that one of my options is to have all the public IPs on the ASA and NAT to the private addresses, but we would like to preserve the system "as is", which means really passing the public network through the ASA to the servers, so the servers will really have the public IPs.
Something like this:
|ISP| ---- |ASA| ---- |servers|
The idea is to have the ASA monitor the traffic going through and allow only some protocols, therefore raising the security (sort of supplementing the iptables).
Is something like that possible, or am I stuck with NATing?
Thanks for all your time!
02-08-2016 11:55 PM
The ASA can be deployed in transparent mode as well; in that case the ASA will act as a bump in the wire and will be able to apply security checks. There are some features which may operate in routed mode and not in transparent mode; you can refer to the configuration guide to learn more about it.
Here is a link you can refer to in order to understand how the ASA is deployed in transparent mode and how the traffic flows:
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/97853-Transparent-firewall.html
Thanks,
R.S.
Rate if it helps
02-09-2016 12:26 AM
Thanks for your answer, this was exactly what I was looking for, I just did not know what to search for exactly!
Do I understand it correctly from the manual that the ASA cannot work in both transparent and routed modes at once?
The setup I was looking for was for the ASA to be a transparent firewall for the mentioned public network AND a gateway for the LAN network (with NAT and some site-to-site VPN tunnels and so on).
Thanks again!
02-09-2016 01:14 AM
Newer versions of the ASA support a mixed mode of operation, which means you can have multiple contexts on the firewall and they can operate in transparent or routed mode irrespective of each other.
Regarding VPN on ASA 9.5:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa95/configuration/vpn/asa-95-vpn-config/vpn-ike.html#ID-2441-000000bc
Thanks,
RS
Rate useful answers.
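To make the two answers concrete, the following is an added example configuration (not from the thread, nor from Cisco documentation) of what the asked-for setup looks like: one transparent context acting as a bump in the wire for the ISP /24, passing only the protocols the servers must expose, plus one routed context acting as the LAN gateway with NAT. It assumes an ASA running 9.0 or later (where contexts in different firewall modes were introduced), an interface layout of GigabitEthernet0/0 to 0/3, a multi-context licence, and the documentation range 203.0.113.0/24 standing in for the OP's x.x.x.0/24 (203.0.113.1 being the ISP router). All addresses, context names, ACL names and the ports allowed through are constructed for the illustration.

```text
! ===== System execution space (assumed layout; added example) =====
! Switching to multiple context mode is a one-time change and reloads the appliance.
mode multiple
!
context PUBLIC-TP
  description Transparent bump-in-the-wire for the ISP /24
  allocate-interface GigabitEthernet0/0
  allocate-interface GigabitEthernet0/1
  config-url disk0:/PUBLIC-TP.cfg
!
context LAN-RT
  description Routed gateway for the private LAN
  allocate-interface GigabitEthernet0/2
  allocate-interface GigabitEthernet0/3
  config-url disk0:/LAN-RT.cfg
!
! ===== Context PUBLIC-TP (entered with: changeto context PUBLIC-TP) =====
! Transparent mode: the servers keep their public addresses; the ASA bridges the two ports.
firewall transparent
hostname PUBLIC-TP
!
interface GigabitEthernet0/0
  nameif isp
  bridge-group 1
  security-level 0
!
interface GigabitEthernet0/1
  nameif servers
  bridge-group 1
  security-level 100
!
! The BVI address is only for management of the bridge; it must be a spare host
! address inside the bridged subnet (assumed: .2, with the ISP router on .1).
interface BVI1
  ip address 203.0.113.2 255.255.255.0
!
! Allow-list of what may reach the servers from the ISP side; everything else is dropped and logged.
object network PUBLIC-SERVERS
  subnet 203.0.113.0 255.255.255.0
access-list ISP-IN extended permit tcp any object PUBLIC-SERVERS eq 443
access-list ISP-IN extended permit tcp any object PUBLIC-SERVERS eq 80
access-list ISP-IN extended permit icmp any object PUBLIC-SERVERS echo
access-list ISP-IN extended deny ip any any log
access-group ISP-IN in interface isp
!
! ===== Context LAN-RT (entered with: changeto context LAN-RT) =====
! Routed mode is the default for a new context, so no "firewall transparent" here.
hostname LAN-RT
!
! Assumed: Gi0/2 is cabled to the ISP-side segment and uses a second spare public address.
interface GigabitEthernet0/2
  nameif outside
  security-level 0
  ip address 203.0.113.3 255.255.255.0
!
! Constructed private LAN behind this context.
interface GigabitEthernet0/3
  nameif inside
  security-level 100
  ip address 192.168.10.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1
!
! PAT all LAN hosts behind the context's own public address (site-to-site tunnels would be added here too).
object network LAN-NET
  subnet 192.168.10.0 255.255.255.0
  nat (inside,outside) dynamic interface
```

Two points worth checking against the linked transparent-firewall document before deploying something like this: in transparent mode the ASA forwards ARP on its own but passes no other non-IP EtherTypes unless an EtherType ACL permits them, and the deny-with-log entry at the end of ISP-IN is what gives the visibility the OP is after, since every connection attempt that the servers' iptables would otherwise have had to handle now shows up in the ASA syslog first.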