Transparent Firewall with BVI

necxzcisco · ‎12-10-2012

Hi! I have a question regarding transparent firewalls using BVIs.

Based from the diagram above, ASA1 is in Transparent mode.

Port Gi0 is assigned BVI-1 and port Gi1 is assigned BVI-2.

Is it possible for network 1 to communicate with network 2 ?

The traffic will be passing through Firewall towards the router, The router will do the routing and then forward it back to the firewall then towards network 2?

I am thinking of making port Gi2 of the firewall a trunk and use subinterfaces in order to forward BVI headers to the router.

Mariusz Bochen · ‎12-11-2012

Hi Franzis,

In transparent mode you can use only two interfaces which have to be on the same subnet:

- The transparent security appliance uses an inside interface and an outside interface only. If your platform includes a dedicated management interface, you can also configure the management interface or subinterface for management traffic only.

In single mode, you can only use two data interfaces (and the dedicated management interface, if available) even if your security appliance includes more than two interfaces.

- Each directly connected network must be on the same subnet.

Source link:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

Regards

Mariusz

Julio Carvajal · ‎12-11-2012

Hello Franzis and Mariusz,

Mariusz that is true but on the newer versions it is possible to split the ASA into different BVIs groups so you can use more than one interface.

http://ciscoasafirewall.blogspot.com/2011/06/cisco-asa-firewall-in-transparent.html

Now how to make that happen Franzis, the outside router will need to perform the routing for you, so traffic must exit the ASA go to an outside layer 3 device and go back to the different brdige group

Regards

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

necxzcisco · ‎12-12-2012

@jcarvaja

Yes, thank you sir for the reply I have also read that one. That ASA 8.4 and above allows us to use BVI upto 8 I think.

I will be connecting a router to port 4 of the firewall.

My question now is what do I configure in the port Gi2 of the firewall and the port of the router?

I tried creating sub interfaces in firewall's Gi2 port.

Ex

interface Gi2.10

Bridge-group 1

vlan 1

interface Gi2.20

Bridge-group 2

vlan 2

is it correct? What do I do with the router's config?

Julio Carvajal · ‎12-12-2012

Hello,

Okay, Why dont you use a dedicated interface for each bridge group.

And then on the router use 2 interfaces as well and configure it to route to each subnet pointing to the ASA as you were do regularly,

Try that and keep me posted

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

necxzcisco · ‎12-12-2012

Okay, I will try it now but I need 3 ports for my Inside and one for the out.

I'll setup my lab again and keep you posted.

Julio Carvajal · ‎12-12-2012

Hello,

Great, let us know the result

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC