12-10-2012 04:56 PM - edited 03-11-2019 05:35 PM
Hi! I have a question regarding transparent firewalls using BVIs.
Based on the diagram above, ASA1 is in Transparent mode.
Port Gi0 is assigned BVI-1 and port Gi1 is assigned BVI-2.
Is it possible for network 1 to communicate with network 2?
The traffic would pass through the firewall towards the router; the router would do the routing and then forward it back to the firewall and on towards network 2?
I am thinking of making port Gi2 of the firewall a trunk and use subinterfaces in order to forward BVI headers to the router.
12-11-2012 06:55 AM
Hi Franzis,
In transparent mode you can use only two interfaces which have to be on the same subnet:
- The transparent security appliance uses an inside interface and an outside interface only. If your platform includes a dedicated management interface, you can also configure the management interface or subinterface for management traffic only.
In single mode, you can only use two data interfaces (and the dedicated management interface, if available) even if your security appliance includes more than two interfaces.
- Each directly connected network must be on the same subnet.
Source link:
Regards
Mariusz
12-11-2012 04:46 PM
Hello Franzis and Mariusz,
Mariusz, that is true, but on the newer versions it is possible to split the ASA into different BVI groups, so you can use more than one interface.
http://ciscoasafirewall.blogspot.com/2011/06/cisco-asa-firewall-in-transparent.html
Now, how to make that happen, Franzis: the outside router will need to perform the routing for you, so traffic must exit the ASA, go to an outside layer 3 device and come back in through the different bridge group.
Regards
Julio
12-12-2012 12:49 AM
@jcarvaja
Yes, thank you, sir, for the reply. I have also read that one: ASA 8.4 and above allows us to use up to 8 BVIs, I think.
I will be connecting a router to port 4 of the firewall.
My question now is what do I configure in the port Gi2 of the firewall and the port of the router?
I tried creating sub-interfaces on the firewall's Gi2 port.
Example:
interface Gi2.10
 bridge-group 1
 vlan 1
!
interface Gi2.20
 bridge-group 2
 vlan 2
Is it correct? What do I do with the router's config?
12-12-2012 06:15 AM
Hello,
Okay, why don't you use a dedicated interface for each bridge group?
And then on the router use 2 interfaces as well, and configure it to route to each subnet pointing to the ASA as you would do regularly.
Try that and keep me posted
12-12-2012 05:11 PM
Okay, I will try it now, but I need 3 ports for my inside and one for the outside.
I'll setup my lab again and keep you posted.
12-12-2012 05:14 PM
Hello,
Great, let us know the result.
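As an added example (not taken from any post in this thread), this is the ASA and router configuration the design discussed above implies: two bridge groups, each with one dedicated inside port and one VLAN subinterface on the trunk towards the router, and the router doing the routing between the two networks. Interface names, VLAN IDs and IP addresses are assumptions; a third bridge group follows the same pattern.

```cisco
! --- ASA (8.4 or later) in transparent mode; names and addresses are assumed ---
firewall transparent
!
! Physical trunk port towards the router; subinterfaces carry the VLAN tags
interface GigabitEthernet0/2
 no shutdown
!
! Bridge group 1: network 1 on Gi0/0, VLAN 10 on the trunk towards the router
interface GigabitEthernet0/0
 nameif net1-in
 bridge-group 1
 security-level 100
!
interface GigabitEthernet0/2.10
 vlan 10
 nameif net1-out
 bridge-group 1
 security-level 0
!
! Bridge group 2: network 2 on Gi0/1, VLAN 20 on the trunk towards the router
interface GigabitEthernet0/1
 nameif net2-in
 bridge-group 2
 security-level 100
!
interface GigabitEthernet0/2.20
 vlan 20
 nameif net2-out
 bridge-group 2
 security-level 0
!
! Management address per bridge group, on that bridge group's own subnet
interface BVI1
 ip address 192.168.1.2 255.255.255.0
interface BVI2
 ip address 192.168.2.2 255.255.255.0
!
! --- Router: one dot1Q subinterface per VLAN; it is the default gateway of both networks ---
interface GigabitEthernet0/0
 no shutdown
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 192.168.2.1 255.255.255.0
```

A host in network 1 with gateway 192.168.1.1 reaches network 2 by leaving through bridge group 1, being routed, and re-entering through bridge group 2, so the ASA inspects two separate stateful flows, one per bridge group. Only traffic initiated from the security-level 100 side is permitted by default; anything the router must originate towards the inside (and ICMP, unless ICMP inspection is enabled) needs an explicit access-list.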