Transparent Firewall with multiple subnets

james bennett
Level 1

Hi,

Is it possible for an ASA 55xx to support multiple subnets in transparent mode? Would this be on an interface or VLAN basis, or does this matter?

I've been looking at this and need to take it to the next level really http://ciscoasafirewall.blogspot.co.uk/2011/06/cisco-asa-firewall-in-transparent.html

Thanks

Accepted Solution

Hello,

There are several ways you can place ASA in your network. If you look at my configuration, you will see the design logically like this:

Client------> ASA ----->layer3 switch core---->ASA---> internet router

As you see, the ASA is logically placed between the client and the layer 3 switch, but physically it is placed in a different way.

Please check the picture in the link below.

http://blog.alwaysthenetwork.com/tutorials/asa-bridge-groups/

Now, if the ASA does not do VLAN switching, the client VLAN and the L3 switch VLAN will be the same, so traffic does not pass through the ASA. VLAN pairing ensures that traffic always passes through the ASA.

Also check the link below. It is for the ASA module, but just to get the idea. Check the pictures for VLAN pairing.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/intro_switch.html

There is another way you can place the ASA into the network, which is easier, and physical interfaces can be used.

Client----->L3 switch------> ASA-------internet router.

Inter-VLAN routing is done by the L3 switch, and the ASA does not control the traffic between clients and the switch.

The ASA controls traffic between the layer 3 switch and the internet router. The gateway of the layer 3 switch points to the internet router, and the ASA in between can inspect traffic transparently. Several subnets can pass through the ASA and you do not have to create VLANs.

The configuration on the ASA is like this:

firewall transparent
!
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100

And an access-list is configured for all subnets passing through the ASA.

Please check the link below for configuration.

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/97853-Transparent-firewall.html

Hope it helps,

Masoud


5 Replies

Hello,

It is possible. You need to make both interfaces trunks on the ASA. For each subnet you need to create two interface VLANs. One interface VLAN is for downstream traffic and the other for upstream traffic.

interface Vlan10
 nameif IT-IN
 bridge-group 1
 security-level 100
 
interface Vlan11
 nameif IT-OUT
 bridge-group 1
 security-level 0

interface Vlan20
 nameif Managers-IN
 bridge-group 2
 security-level 100
 
interface Vlan21
 nameif Managers-OUT
 bridge-group 2
 security-level 0

As you see in the configuration above, there is a pair of VLANs for each subnet. Your IT clients are located in VLAN 10. Traffic comes into the ASA, and the ASA switches VLAN 10 to VLAN 11. So you need to create interface VLAN 11 in the upstream switch.

Downstream switch, for example a 2960:

interface fa0/1
 description IT
 switchport access vlan 10
!
interface fa0/2
 description managers
 switchport access vlan 20
!
interface fa0/24
 description Trunk to ASA
 switchport mode trunk

Upstream switch, for example a 3750:

interface Vlan11
 description IT
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan21
 description manager
 ip address 192.168.20.1 255.255.255.0

You are allowed to create 8 bridge-groups in each context. Each ASA can have several contexts.

If you have 8 VLAN pairs or fewer, you configure the default context. If you have more than 8 pairs, you need to create more contexts.

In my example, I have two switches. You can connect both ASA interfaces to only one switch and do the same.

Check the link below. It is for one pair. You can create more pairs.

http://blog.soundtraining.net/2013/02/configuring-cisco-asa-transparent-mode.html

Hope it helps,

Masoud
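As an added example (not part of Masoud's post), a small Python checker that parses an ASA transparent-mode configuration of the kind shown above and flags the mistakes the VLAN-pairing scheme invites: an interface with no bridge-group, a bridge-group missing its IN or OUT VLAN, both members on the same security level, and more than 8 bridge-groups in one context. The sample configuration is constructed from the post, with a deliberately incomplete third group.

```python
import re
MAX_BRIDGE_GROUPS = 8  # per-context limit stated in the thread

# Constructed sample: the IT pair from the post plus a half-configured
# third group that has an IN VLAN but no OUT VLAN.
SAMPLE_CONFIG = """\
firewall transparent
interface Vlan10
 nameif IT-IN
 bridge-group 1
 security-level 100
interface Vlan11
 nameif IT-OUT
 bridge-group 1
 security-level 0
interface Vlan30
 nameif Guest-IN
 bridge-group 3
 security-level 100
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to its nameif/bridge-group/security-level."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        head = re.match(r"^interface (\S+)", line)
        if head:
            cur = ifaces.setdefault(head.group(1), {})
        elif cur is not None and line.startswith(" "):
            key, _, val = line.strip().partition(" ")
            cur[key] = int(val) if val.isdigit() else val
    return ifaces

def check_pairing(config):
    """Return findings; an empty list means every bridge-group is a proper IN/OUT pair."""
    findings, groups = [], {}
    for name, attrs in parse_interfaces(config).items():
        if "bridge-group" not in attrs:
            findings.append(f"{name}: no bridge-group, will not forward in transparent mode")
        else:
            groups.setdefault(attrs["bridge-group"], []).append(attrs)
    if len(groups) > MAX_BRIDGE_GROUPS:
        findings.append(f"{len(groups)} bridge-groups exceed the per-context limit of {MAX_BRIDGE_GROUPS}")
    for bg, members in sorted(groups.items()):
        if len(members) != 2:
            findings.append(f"bridge-group {bg}: {len(members)} member(s), need an IN and an OUT VLAN")
        elif len({m.get("security-level") for m in members}) != 2:
            findings.append(f"bridge-group {bg}: both members share one security-level")
    return findings
```

Running `check_pairing(SAMPLE_CONFIG)` reports only bridge-group 3, since the IT pair is complete and uses distinct security levels.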

Thanks Masoud,

Is that a supported config, or would one use some other kit to do it properly? I mean, would the supplier of the fixed line be able to supply some kit that could do this on a per-interface basis?

James

You are welcome.

This config is supported in IOS 8.4 or higher. You do not need any extra kit. Just make sure your device licence allows you to make more security zones. The very base licence only allows you to have two zones (inside, outside).

Just to mention: the ASA works either in transparent mode or router mode. You cannot have both at the same time.

Masoud

Thanks for your input again Masoud.

I'm just wondering why inbound traffic uses a different VLAN to outbound traffic. Would I be able to do this without VLANs and instead use physical interfaces?

Are there any Cisco documents about this, as I can't find any?

Thanks again...
