Transparent ASA and MAC Addresses

kenneth.meyers
Level 1

Experts,

I've recently installed a pair of 5525-Xs in transparent mode to protect some internal segments. In reading about transparent mode I thought I read that the ASA will "proxy" the connection when going from the Layer 3 side (North) to the actual physical South side host. For an "Outside/North" host (VLAN 700) to talk to an "Inside/South" host (VLAN 800), the ASA will pass its MAC address to the outside host (or gateway) as the destination to send the packet.

Prior to building this infrastructure I thought I would see all ARP entries on the Layer 3 (North) side have the MAC address of the interface of the ASA for all protected hosts. I do not see that on the SVI interface, but I do see the real MAC address of the "South" side protected machine. When looking on a protected machine I do see the default-gateway ARP entry to be the actual MAC address of the SVI on the switch and not the MAC address of the ASA, which I thought would be the case as well. Everything is working as advertised (or so I think), as removing or adding ACLs does limit or allow traffic, so it appears to be working. I'm just checking that my initial assumption of the MAC address of the ASA being on every ARP entry was/is incorrect. From what I can tell the ASA passes the MAC addresses from each side of the bridge-group to the other.

Thanks,

Ken

1 Accepted Solution

Accepted Solutions

barry
Level 7

Hi Ken

Yes, this is correct. In transparent mode, the ASA is effectively a passive device in this perspective. The devices on either side of the ASA will see the "real" MAC addresses.

Note this behaviour will change if you configure NAT on the ASA.

HTH.

Barry Hesk

Intrinsic Network Solutions
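
One way to verify the behaviour described in this thread on your own switch and ASA, as an added example that is not code from the thread or from Cisco: parse the North-side switch's `show ip arp` and the transparent ASA's `show mac-address-table` (both outputs below are constructed samples with hypothetical MACs and IPs) and label each protected host by whether its ARP entry carries the real host MAC learned on the ASA's inside interface, the ASA's own interface MAC (which the reply says to expect only once NAT is configured), or a MAC the ASA has never seen at all.

```python
import re

# Constructed `show ip arp` sample from the North-side switch (Vlan700 SVI): .1 is the
# SVI, .10/.11 are protected South hosts, .12 resolves to the ASA's own (hypothetical)
# interface MAC, and .13 is a MAC the ASA has never learned on either side.
SWITCH_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.70.0.1               -   0011.2233.4455  ARPA   Vlan700
Internet  10.70.0.10              3   00aa.bbcc.dd01  ARPA   Vlan700
Internet  10.70.0.11              7   00aa.bbcc.dd02  ARPA   Vlan700
Internet  10.70.0.12              2   5c5e.ab11.2233  ARPA   Vlan700
Internet  10.70.0.13              1   00aa.bbcc.dd09  ARPA   Vlan700
"""

# Constructed `show mac-address-table` sample from the transparent ASA
# (layout approximates real output; only the interface and MAC columns are parsed).
ASA_MAC_TABLE = """\
interface                  mac address    type      Age(min)  bridge-group
------------------------------------------------------------------------------
inside                     00aa.bbcc.dd01 dynamic   5          1
inside                     00aa.bbcc.dd02 dynamic   5          1
outside                    0011.2233.4455 dynamic   5          1
"""

ASA_OWN_MACS = {"5c5e.ab11.2233"}  # hypothetical MAC of the ASA's own bridge-group interface
MAC_RE = re.compile(r"[0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4}")

def parse_switch_arp(text):
    """IOS 'show ip arp' -> {ip: mac}; the header and incomplete entries are skipped."""
    rows = (line.split() for line in text.splitlines())
    return {p[1]: p[3] for p in rows if len(p) >= 4 and p[0] == "Internet" and MAC_RE.fullmatch(p[3])}

def parse_asa_mac_table(text):
    """ASA 'show mac-address-table' -> {mac: interface the MAC was learned on}."""
    rows = (line.split() for line in text.splitlines())
    return {p[1]: p[0] for p in rows if len(p) >= 2 and MAC_RE.fullmatch(p[1])}

def classify_arp(arp, asa_macs, asa_own=ASA_OWN_MACS):
    """Label each North-side ARP entry by what the ASA's bridge table says about its MAC."""
    out = {}
    for ip, mac in arp.items():
        if mac in asa_own:
            out[ip] = "asa-interface-mac"        # ASA answers for this IP: expected only with NAT
        elif asa_macs.get(mac) == "inside":
            out[ip] = "real-host-behind-asa"     # the pass-through behaviour observed in the thread
        elif mac in asa_macs:
            out[ip] = "north-side-" + asa_macs[mac]
        else:
            out[ip] = "not-seen-by-asa"          # traffic to this host may not cross the firewall
    return out
```

Any protected host that lands in "not-seen-by-asa" is worth a second look, since it means the ASA has no bridge-table entry for it and its traffic may be bypassing the firewall.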
