cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
3130
Views
5
Helpful
37
Replies

Transparent Mode

amar_5664
Level 1
Level 1

Rather unconventional design that i am trying to test with transparent mode firewall.... attached diagram

 

Clients [VLAN 100] connected on L3 Switch with SVI as default gateway

Firewall using one physical port which is sub-interfaced with INSIDE-100 and OUTSIDE-200 interfaces

What's working

- ICMP when initiated from L3 Switch SVI to Client VLAN 100 works fine as i can see traffic through firewall

 

What's not working

- Packet inspection when ICMP initiated from Client 10.x.100.10 to Client 10.x.100.20 does not go through firewall 

 

As L3 Switch is holding arp and mac, client to client will work. This is where i would like transparent firewall to be the bump and have all client to client traffic go through the firewall. Note the default gateway for the clients is on the L3 switch which cannot be changed. 

 

Will appreciate your comments. I will rather not want to go the routed mode path and test to see if any solution with transparent mode works.

 

 

37 Replies 37

that is exactly where i am challenging myself as well Jon... with 65xx FWSM module this would just work ... whereas with having separate ASA in transparent mode one would expect it to behave same

but again totally separate backplane/control/data planes with ASA on the wire whereas FWSM might be using its internal forwarding paths...

The doubt I had was whether using subinterfaces would work or not and Pranay has confirmed it should work using them.

So it shouldn't be any different in terms of design.

I'm not aware of anything extra that the FWSM does to make this sort of setup work.

I'm still not clear though whether you have actually tried the setup as discussed.

Assuming you do want to firewall between clients in the same vlan and assuming the original setup was as per the diagram can you try with the suggested way of setting it up and let us know what the outcome is ?

Edit - just read your last but one post and it sounds like using transparent isn't applicable so please ignore the part above about testing.

Jon

sorry for confusion. I was thinking on wrong lines here about two SVI. This setup is exactly like FWSM, In my picture the link from switch to ASA is how FWSM is connected with 6500 backplane.

Jon/Pranay

appreciate your responses, i understand that and agree with you. Its been a great exercise  challenging brain with few topology options

so the bottomline is we can have subint/vlan/bvi transparent fw connected on same switch but the clients are required to be in different VLANS if need access control for same subnet

i guess if you cant change the VLANs for same subnet VACLs might be the only option for intravlan/subnet control ?

As switch cannot have SVIs on same subnet, need to break the clients in seperate Vlans and again that opens up can of worms if intra client traffic needs to be controlled/inspected which is on same switch through transparent firewall...does this mean if you have 20 clients on switch same subnet and want traffic to be controlled through transparent firewall every client access port needs to be in its own vlan? 

it does not make sense to have clients of same subnet on many many separate access vlans if transparent firewall is the option... in that case routed firewall can be the only option where organizations use firewall as default gateway and not SVIs on switch for intra/inter vlan controls and inspection

I guess will have to live with routed mode ... thanks for your input guys...

 

Amar

if intra client traffic needs to be controlled/inspected which is on same switch through transparent firewall...does this mean if you have 20 clients on switch same subnet and want traffic to be controlled through transparent firewall every client access port needs to be in its own vlan? 

If you needed to firewall every client from every other client then yes you would need each client in it's own vlan which is impractical as you say.

As you know using transparent mode is really useful if you have one vlan and one IP subnet but you then have a requirement to firewall beween two sets of devices within that vlan and you do not want to readdress any of the devices.

So you would then create a new vlan and assign the devices you wanted to protect into that vlan. That vlan would have no SVI on the switch ie. they would keep the same IP addresses and the same default gateway.

But routed mode doesn't solve the problem either because if the clients are in the same vlan they never go to the firewall ie. they do not need to use a L3 device to send traffic to each other so there is no intra vlan filtering here.

You would need either an acl within the vlan to control the traffic, as you mentioned, or if the clients didn't actually need to talk to each other you could use private vlans with isolated ports.

It really comes down to what you are trying to achieve ie. most clients don't talk to each other anyway unless it is servers you are referring to.

Jon

Just to answer the part about the design.

I'm not clear on why you can't use physical interfaces on the ASA and you are using subinterfaces instead.

But If Pranay confirms that subinterfaces would work then I'm not sure what the point would be of purchasing extra hardware to be honest.

But it depends on whether it works or not.

Jon

Amar

Sorry for all the confusing posts.

From all the discussions I think me and Pranay were assuming different things hence all the confusion :-)

I think it should work but you need to make sure that -

1) you have just one SVI for either vlan 100 or vlan 200, your choice

2) assuming you pick vlan 100 then any clients in that vlan are not firewalled from anything else with SVIs on the switch.

3) the clients in vlan 200 will be firewalled from the clients in vlan 100 and also firewalled from any other clients coming into that switch

All clients in both vlans use the IP address of the vlan 100 SVI as their default gateway.

I am almost completely confused myself now :-) but it comes back to the original question I asked about there being a typo in the diagram ie. using your diagram if the SVI on the switch is for vlan 100 then 10.x.100.10 would be in vlan 100 and 10.x.100.20 has to be allocated into vlan 200.

Is this what you have already tried ?

Jon

Jon Marshall
Hall of Fame
Hall of Fame

Is there a typo in your diagram ie. shouldn't the 10.x.100.20 client be in vlan 200 ?

If it isn't a typo I don't even see how a ping from the switch can be going through the firewall.

If it is a typo then the only path for the 10.x.100.10 client to get to 10.x.100.20 in vlan 200 is via the firewall.

The default gateway for both clients can be the same on the switch but for the vlan 200 client the only way to get to that default gateway is via the firewall because otherwise going direct to the switch puts them in the wrong vlan.

It is the firewall that in effect puts the client onto vlan 100.

Jon

Review Cisco Networking for a $25 gift card