
Transparent Mode

amar_5664
Level 1

Rather unconventional design that I am trying to test with a transparent mode firewall... attached diagram.

 

Clients [VLAN 100] connected on L3 Switch with SVI as default gateway

Firewall using one physical port which is sub-interfaced with INSIDE-100 and OUTSIDE-200 interfaces

What's working

- ICMP, when initiated from the L3 switch SVI to a client in VLAN 100, works fine, as I can see the traffic through the firewall.

 

What's not working

- Packet inspection when ICMP is initiated from client 10.x.100.10 to client 10.x.100.20: the traffic does not go through the firewall.

 

As the L3 switch is holding the ARP and MAC entries, client to client will work. This is where I would like the transparent firewall to be the bump and have all client-to-client traffic go through the firewall. Note the default gateway for the clients is on the L3 switch, which cannot be changed.

 

Will appreciate your comments. I would rather not go down the routed mode path, and want to test to see if any solution with transparent mode works.

Accepted Solutions


However, have you thought about it? If we make this design, what will be the SVI 200 IP address which will act as the default gateway for hosts in VLAN 200? I don't think the switch will allow two SVI IPs in the same subnet.

Now you are confusing me again :-)

You can't have more than one SVI, i.e. it is either VLAN 100 or VLAN 200; it doesn't really matter which.

You couldn't have two SVIs because, as you say, the switch wouldn't let you, but even if it did you wouldn't want that, because then traffic would not be forced via the ASA.

The default gateway for all clients in both VLAN 100 and VLAN 200 is the IP address on the SVI.

So if the SVI is for VLAN 100, for any traffic from clients in VLAN 100 to get to VLAN 200 they have to go via the firewall.

And the same in reverse.

Jon


37 Replies

Pranay Prasoon
Level 3

There is no way the ASA can bump in. You will rather need to direct your ARP broadcast to the ASA.

If the switch connected to the ASA has a layer 2 t, then the switch will forward the broadcast out of all ports in the VLAN it received it on. Example: when 192.168.100.10 ARPs for 192.168.100.20, the ASA will see one side of the broadcast. However, when 192.168.100.20 broadcasts its ARP it will again be heard on the sub-interface with VLAN 100 on the ASA (the switch will not forward the ARP on VLAN 200, since all machines are on VLAN 100).

Pranay

The switch will not forward the ARP on VLAN 200, since all machines are on VLAN 100

Just to clarify, if the diagram is wrong and the 10.x.100.20 client is in VLAN 200, then it should work, shouldn't it?

Jon

No, it won't work. That's what I told him. The ASA sub-interface with VLAN 100 will see the ARP but not the sub-interface with VLAN 200.

Okay, then how does a transparent firewall setup work?

I thought it was exactly that, i.e. two VLANs using the same IP subnet and the firewall joining the VLANs together.

Jon

First of all, there is no U-turn on a transparent firewall. In this case the ASA will see both MAC addresses behind the same interface.

It is not clear from the diagram if there are two switches or one switch, because he is talking about sub-interfaces.

However, assuming two switches, three scenarios are possible:

a) there is only VLAN 100 on the two switches

switch1--------------------------ASA--------------------switch2

 

and the ASA is connected to both switches via VLAN 100 on two separate physical interfaces. Then it will work.

 

b) there are two VLANs, 100 and 200, on the two switches

 

switch1(vlan 100)----------------------ASA---------switch2 (vlan 200)

 

The ASA is connected to the two switches on access VLANs 100 and 200, and the machines on VLAN 100 and 200 are in the same network. It will work.

 

c) switch 1 (vlan 100)---------------ASA------switch 2 (vlan 200)

 

if the ASA is connected to the switches on their L3 interfaces, being connected through switch 1 on sub-interface 100 and switch 2 on sub-interface 200. It will work.

Pranay

First of all, there is no U-turn on a transparent firewall. In this case the ASA will see both MAC addresses behind the same interface.

Ahh, so are you saying you cannot use subinterfaces with transparent mode, i.e. you can only use physical interfaces?

Jon

Yes. You can only use it when the two VLANs have two different networks.

Makes sense now because obviously you aren't configuring any IPs on those interfaces so I understand what you mean by the ASA sees both mac addresses behind the same interface.

Just never occurred to me before.

Many thanks for clarifying.

Jon

A transparent FW is just like a partial switch, and assumes hosts in the same VLAN behind the same interface should communicate without its interference.

In a switch this avoids loops.

 

Hope that helps

Thanks for your responses guys; what I gather is the only way to make it work is to have physically separate switches, then use the ASA to bridge traffic.

The ASA is connected on the same switch.

 

VLAN 100 is where the clients are, whereas VLAN 200 will be the SVI just for IP routing. As ASA transparent mode IN and OUT requires separate VLANs for the same network, the port is sub-interfaced to VLAN 100 for IN traffic and sub-interfaced to VLAN 200 for OUT traffic to IP route.

What is puzzling me is, when I initiate ICMP from the switch SVI, which is int vlan 200 [10.x.100.1], to a client connected on the same switch, 10.x.100.10, the traffic is going through the firewall IN and OUT interfaces. As I have not allowed the traffic, I can see deny hits on the firewall. Whereas when an ICMP is initiated from client 10.x.100.10 to client 10.x.100.20 it does not go through the firewall, which I assume is using the L3 switch's ARP and forwarding the packets through; but shouldn't it have the same behaviour as when the switch initiates ICMP to the client?

I hope it's not confusing.

Pranay may well know better but you don't need two switches as far as I know.

The issue seems to be you can't use subinterfaces.

So if you used two physical interfaces on the ASA you can use the same switch, but you can't have SVIs for both VLANs, i.e. you choose one of the VLANs and have an SVI for that but not the other.

But you don't put all your clients into one of the vlans otherwise why use the firewall in transparent mode.

I was assuming you wanted to firewall between clients in the same IP subnet but it doesn't sound like that is the case ?

Jon

Interesting... so you have kept 10.x.100.1 in SVI 200. Now this is good for learning but a bad network design.

 

Now here is the deal.

Scenario 1:

When the SVI pings any host in 10.x.10.0/24, it assumes all client machines are connected in VLAN 200, so it will forward the MAC/ARP in VLAN 200. Once the ASA receives it with VLAN tag 200, it switches the ARP MAC header and sends it tagged with VLAN 100. So when the switch gets it in VLAN 100 it forwards it back out all interfaces in VLAN 100. A similar flow works from the switch to the SVI, and the ping is successful through the ASA.

Scenario 2:

Now when you ping from client 10.x.100.10 to client 10.x.100.20, the switch receives it in VLAN 100 and forwards it to all interfaces in VLAN 100, along with a VLAN 100 tag to the ASA. The ASA now switches the tag of the ARP from 100 to 200 and sends it to the switch. Now the switch receives it in VLAN 200 and the ARP dies. So the ASA learns the MAC of only one end.

The other host will still get the ARP broadcast because of the same VLAN on the switch. Now when the other host ARPs, it reaches the client directly, and both ARPs go to the ASA but on the same sub-interface, 100.

 

The rest you can gather from my discussion with Jon.
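The two scenarios above as an added simulation (not code from the thread or from Cisco): a single switch that floods broadcasts within each VLAN and keeps a per-VLAN MAC table, and a transparent ASA that learns source MACs per sub-interface and re-tags frames between VLAN 100 and VLAN 200. The port names and MAC addresses are constructed; the output shows the SVI-to-client ping crossing the ASA while the client-to-client ping never reaches it.

```python
from collections import defaultdict

BCAST = "ff:ff"
# Constructed topology (hypothetical MACs): three switch ports and their access VLANs;
# a trunk port carries both VLANs to the ASA's two sub-interfaces.
ACCESS = {"p10": 100, "p20": 100, "svi": 200}   # 10.x.100.10, 10.x.100.20, SVI 10.x.100.1
HOSTS = {"p10": "aa:10", "p20": "aa:20", "svi": "aa:01"}

class Lab:
    def __init__(self):
        self.sw_mac = defaultdict(dict)   # switch CAM: vlan -> {mac: port}
        self.asa_mac = {}                 # ASA bridge-group table: mac -> VLAN (sub-interface) learned on
        self.asa_seen = []                # frames that actually crossed the firewall

    def switch(self, in_port, vlan, src, dst):
        """Learn src, then forward by the per-VLAN table or flood the VLAN; return delivery ports."""
        self.sw_mac[vlan][src] = in_port
        if dst != BCAST and dst in self.sw_mac[vlan]:
            out = [self.sw_mac[vlan][dst]]
        else:  # flood: every other port carrying this VLAN, trunk included
            out = [p for p, v in ACCESS.items() if v == vlan and p != in_port]
            if in_port != "trunk":
                out.append("trunk")
        delivered = []
        for p in out:
            delivered += self.asa(vlan, src, dst) if p == "trunk" else [p]
        return delivered

    def asa(self, vlan, src, dst):
        """Transparent ASA: learn src on the receiving sub-interface, re-tag to the other VLAN."""
        self.asa_mac.setdefault(src, vlan)
        if dst != BCAST and self.asa_mac.get(dst) == vlan:
            return []  # destination sits behind the same interface: nothing to bridge
        other = 300 - vlan  # 100 <-> 200
        self.asa_seen.append((src, dst, vlan, other))
        return self.switch("trunk", other, src, dst)

    def arp_and_ping(self, a, b):
        """Host on port a ARPs for and pings host on port b -> (arp_reached_b, ping_crossed_asa)."""
        ma, mb = HOSTS[a], HOSTS[b]
        reached = b in self.switch(a, ACCESS[a], ma, BCAST)   # ARP request is a broadcast
        if reached:
            self.switch(b, ACCESS[b], mb, ma)                  # unicast ARP reply
        before = len(self.asa_seen)
        self.switch(a, ACCESS[a], ma, mb)                      # ICMP echo request (unicast)
        return reached, len(self.asa_seen) > before

if __name__ == "__main__":
    print("SVI -> .10:", Lab().arp_and_ping("svi", "p10"))   # (True, True): inspected by the ASA
    print(".10 -> .20:", Lab().arp_and_ping("p10", "p20"))   # (True, False): switched directly
```

After the second run, `asa_mac` holds only the .10 MAC on sub-interface 100; if .20 later ARPs as well, both MACs end up learned on the same sub-interface, which is the condition Pranay describes.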

Thanks guys for your input, much appreciated. This is purely for testing a couple of scenarios when you have a collapsed architecture, etc.


Pranay

Now I am really confused :-)

Your first scenario in the above suggests the firewall can use subinterfaces in transparent mode to pass traffic, i.e. the ASA simply switches VLAN tags and the ping works.

But you told me it couldn't in our earlier discussion?

Jon

 
