05-08-2012 08:58 AM - edited 03-11-2019 04:03 PM
How does a transparent firewall intercept traffic in order to inspect and filter it? I'm not clear on the physical makeup of the design. If I have a VLAN with some hosts I want to protect and connect the inside and outside interfaces of an ASA to the same VLAN, how does the ASA get in between those hosts I want to protect, other hosts on the same VLAN, and their default gateway in the same VLAN? From a cabling perspective I would only be connecting cables of the ASA and the hosts to a switch port that is in a common VLAN. Why would a host go through the firewall? Since it's all layer 2, wouldn't it have to be ARP? I've looked at the ARP scenarios in documentation, but none of it appears to state that the firewall proxies ARP in some fashion.
Thank you
Bill
05-08-2012 09:20 AM
Hello Bill,
That is exactly where it goes wrong: you don't have to connect everything on the same VLAN. It would be two different logical VLANs carrying Layer 2 traffic but with the same IP scheme. For example, consider the following scenario:
Vlan100
192.168.100.0
Inside network---------------Switch----------------Router--------Internet
Now, the main idea of the ASA firewall is to be inserted into this scenario without having to change the IP scheme, so here is what you do:
Vlan100 Vlan101
192.168.100.0 192.168.100.1
Inside network---------------ASA_Firewall------------------Router------Internet
What the ASA is going to do is bridge packets between the inside network and the router. How? It creates its own MAC address table just like a switch and forwards the packets on a Layer 2 basis. It knows that the MAC address of the router is located on the outside and the MAC address of the inside host is on the inside, so when a request is going to the MAC address of the router it picks up the packet and bridges it to the router.
Hope it helps.
Mike
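To make the bridging behaviour above concrete, here is an added Python model (not from this thread and not Cisco's code): a two-interface bridge group that learns MACs per interface, forwards on a Layer 2 basis, and still runs a policy check on the bridged frame. The stateful "inside may open, outside may only answer" policy, the host and router MACs, and the ports are constructed assumptions for the demo.

```python
from dataclasses import dataclass, field

INSIDE, OUTSIDE = "inside", "outside"

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

@dataclass
class TransparentFirewall:
    """Two interfaces in one bridge group; both sides share the same IP subnet."""
    mac_table: dict = field(default_factory=dict)  # MAC -> interface it was learned on
    sessions: set = field(default_factory=set)     # flows opened from inside
    log: list = field(default_factory=list)

    def permitted(self, f, ingress):
        # Constructed policy: inside may open outward; outside only answers open sessions.
        flow = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        if ingress == INSIDE:
            self.sessions.add(flow)
            return True
        return (f.dst_ip, f.dst_port, f.src_ip, f.src_port) in self.sessions

    def forward(self, f, ingress):
        """Return the egress interface for a frame, or None if it is dropped."""
        # 1. Learn: the source MAC lives behind the interface the frame arrived on.
        self.mac_table[f.src_mac] = ingress
        # 2. Inspect: bridging does not bypass policy; L3/L4 headers are still checked.
        if not self.permitted(f, ingress):
            self.log.append(f"DENY {ingress} {f.src_ip}:{f.src_port}->{f.dst_ip}:{f.dst_port}")
            return None
        # 3. Bridge: known destination MAC -> its interface; unknown -> the other side.
        other = OUTSIDE if ingress == INSIDE else INSIDE
        egress = self.mac_table.get(f.dst_mac, other)
        return None if egress == ingress else egress

def demo():
    """Inside host 192.168.100.10 talks to router 192.168.100.1 on the outside (constructed MACs)."""
    fw = TransparentFirewall()
    host, router = "00:11:22:aa:aa:aa", "00:11:22:bb:bb:bb"
    out = fw.forward(Frame(host, router, "192.168.100.10", "192.168.100.1", 40000, 443), INSIDE)
    back = fw.forward(Frame(router, host, "192.168.100.1", "192.168.100.10", 443, 40000), OUTSIDE)
    unsolicited = fw.forward(Frame(router, host, "192.168.100.1", "192.168.100.10", 5555, 22), OUTSIDE)
    return out, back, unsolicited, dict(fw.mac_table)
```

The third frame shows the point of the design: the router's unsolicited connection to the host is on the same IP subnet, but because the frame has to be bridged it is inspected and dropped rather than switched straight through.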
05-08-2012 10:13 AM
Ahh, that makes sense. Thank you very much.
02-21-2014 05:40 AM
Hello All,
That is a very good explanation, BUT if I use the same VLAN for the inside and outside interfaces of a transparent firewall, will it work? So the physical diagram is as below:
vlan100 vlan100
servers-------------------Inside-Interface-FIREWALL-Outside-Interface------------------------Router
The firewall will bridge the two interfaces on the same VLAN, so basically it will learn the MAC addresses of both sides, or won't it?
Mery