12-07-2015 06:12 AM - edited 03-05-2019 02:53 AM
Hi,
Is it possible for an ASA 55xx to support multiple subnets in transparent mode? Would this be on an interface or VLAN basis, or does this matter?
I've been looking at this and need to take it to the next level really http://ciscoasafirewall.blogspot.co.uk/2011/06/cisco-asa-firewall-in-transparent.html
Thanks
12-09-2015 10:52 AM
Hello,
There are several ways you can place an ASA in your network. If you look at my configuration, you will see the design logically like this:
Client------> ASA ----->layer3 switch core---->ASA---> internet router
As you see, the ASA is logically placed between the client and the layer 3 switch, but physically it is placed in a different way.
Please check the picture in the link below.
http://blog.alwaysthenetwork.com/tutorials/asa-bridge-groups/
Now, if the ASA does not do VLAN switching, the client VLAN and the L3 switch VLAN will be the same, so traffic does not pass through the ASA. VLAN pairing ensures that traffic always passes through the ASA.
Also check the link below. It is for the ASA module, but just to get the idea. Check the pictures for VLAN pairing.
http://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/intro_switch.html
There is another way you can place the ASA in the network, which is easier, and physical interfaces can be used.
Client----->L3 switch------> ASA-------internet router.
Inter-VLAN routing is done by the L3 switch, and the ASA does not control the traffic between clients and the switch.
The ASA controls traffic between the layer 3 switch and the internet router. The gateway of the layer 3 switch points to the internet router, and the ASA in between can inspect traffic transparently. Several subnets can pass through the ASA and you do not have to create VLANs.
The configuration on the ASA is like this:
firewall transparent
!
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100
And an access-list is configured for all subnets passing through the ASA.
Please check the link below for configuration.
http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/97853-Transparent-firewall.html
Hope it helps,
Masoud
12-07-2015 07:09 AM
Hello,
It is possible. You need to make both interfaces trunks on the ASA. For each subnet you need to create two VLAN interfaces. One VLAN interface is for downstream traffic and the other for upstream traffic.
interface Vlan10
 nameif IT-IN
 bridge-group 1
 security-level 100
!
interface Vlan11
 nameif IT-OUT
 bridge-group 1
 security-level 0
!
interface Vlan20
 nameif Managers-IN
 bridge-group 2
 security-level 100
!
interface Vlan21
 nameif Managers-OUT
 bridge-group 2
 security-level 0
As you see in the configuration above, there is a pair of VLANs for each subnet. Your IT clients are located in VLAN 10. Traffic comes into the ASA. The ASA switches VLAN 10 to 11. So you need to create interface VLAN 11 on the upstream switch.
Downstream switch, for example a 2960:
interface fa0/1
 description IT
 switchport access vlan 10
!
interface fa0/2
 description managers
 switchport access vlan 20
!
interface fa0/24
 description Trunk to ASA
 switchport mode trunk
*******************
Upstream switch, for example a 3750:
interface Vlan11
 description IT
 ip address 192.168.10.1 255.255.255.0
!
interface Vlan21
 description manager
 ip address 192.168.20.1 255.255.255.0
You are allowed to create 8 bridge-groups in each context. Each ASA can have several contexts.
If you have 8 VLAN pairs or fewer, you configure the default context. If you have more than 8 pairs, you need to create more contexts.
In my example, I have two switches. You can connect both ASA interfaces to only one switch and do the same.
Check the link below. It is for one pair. You can create more pairs.
http://blog.soundtraining.net/2013/02/configuring-cisco-asa-transparent-mode.html
Hope it helps,
Masoud
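The two designs in this thread (the VLAN-pair bridge-groups above, and the plain inside/outside two-interface layout in the accepted answer) are easy to get subtly wrong: a bridge-group with only one member black-holes that subnet, two members at the same security level give you no inside/outside semantics, and more than 8 pairs silently runs past the per-context limit quoted above. The following is an added example, not code from the thread or from Cisco: a small Python generator and linter for the interface stanzas shown here. It assumes the 8-bridge-groups-per-context figure quoted in the thread (check the release notes for your version), and it treats a config with no `bridge-group` lines at all as the older two-interface style and bridges its named interfaces as one implicit group. The sample configs inside it are constructed, with the good one copied from the answer above.

```python
import re
from collections import defaultdict

# Per-context bridge-group limit quoted in the thread for 8.4+; assumed here,
# check the release notes for the ASA version you actually run.
MAX_BRIDGE_GROUPS_PER_CONTEXT = 8

# Constructed sample: the two VLAN pairs from the answer above.
GOOD_CONFIG = """\
firewall transparent
interface Vlan10
 nameif IT-IN
 bridge-group 1
 security-level 100
interface Vlan11
 nameif IT-OUT
 bridge-group 1
 security-level 0
interface Vlan20
 nameif Managers-IN
 bridge-group 2
 security-level 100
interface Vlan21
 nameif Managers-OUT
 bridge-group 2
 security-level 0
"""

# Constructed sample with three faults: transparent mode not enabled, both
# members of bridge-group 1 at security-level 100, and bridge-group 2 with a
# single member (that subnet has no second leg, so its traffic goes nowhere).
BAD_CONFIG = """\
interface Vlan10
 nameif IT-IN
 bridge-group 1
 security-level 100
interface Vlan11
 nameif IT-OUT
 bridge-group 1
 security-level 100
interface Vlan20
 nameif Managers-IN
 bridge-group 2
 security-level 100
"""


def vlan_pair_config(pairs):
    """Emit ASA stanzas for [(name, inside_vlan, outside_vlan), ...], one bridge-group per pair."""
    lines = ["firewall transparent"]
    for bg, (name, vin, vout) in enumerate(pairs, start=1):
        for vlan, side, level in ((vin, "IN", 100), (vout, "OUT", 0)):
            lines += [f"interface Vlan{vlan}", f" nameif {name}-{side}",
                      f" bridge-group {bg}", f" security-level {level}"]
    return "\n".join(lines) + "\n"


def parse_asa_interfaces(config):
    """Return (transparent?, {interface: {nameif, bridge_group, security_level}})."""
    transparent, interfaces, cur = False, {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "firewall transparent":
            transparent = True
        elif m := re.match(r"interface\s+(\S+)", line):
            cur = interfaces.setdefault(
                m.group(1), {"nameif": None, "bridge_group": None, "security_level": None})
        elif cur is not None and (m := re.match(r"nameif\s+(\S+)", line)):
            cur["nameif"] = m.group(1)
        elif cur is not None and (m := re.match(r"bridge-group\s+(\d+)", line)):
            cur["bridge_group"] = int(m.group(1))
        elif cur is not None and (m := re.match(r"security-level\s+(\d+)", line)):
            cur["security_level"] = int(m.group(1))
    return transparent, interfaces


def bridge_groups(interfaces):
    """Group named interfaces by bridge-group.

    A config with no 'bridge-group' line at all is the older two-interface
    style (plain inside/outside, as in the physical-interface answer), so its
    named interfaces are treated as one implicit group 1 (assumption).
    """
    explicit = any(a["bridge_group"] is not None for a in interfaces.values())
    groups = defaultdict(list)
    for name, attrs in interfaces.items():
        if attrs["nameif"] is None:
            continue  # e.g. the bare trunk port carrying the VLAN subinterfaces
        bg = attrs["bridge_group"] if explicit else 1
        if bg is not None:
            groups[bg].append((name, attrs))
    return groups


def lint_transparent_config(config):
    """Return a list of findings; an empty list means the pairing is consistent."""
    findings = []
    transparent, interfaces = parse_asa_interfaces(config)
    if not transparent:
        findings.append("'firewall transparent' not set: interfaces would be routed, not bridged")
    explicit = any(a["bridge_group"] is not None for a in interfaces.values())
    for name, attrs in interfaces.items():
        if explicit and attrs["nameif"] and attrs["bridge_group"] is None:
            findings.append(f"{name} ({attrs['nameif']}) has a nameif but no bridge-group")
    groups = bridge_groups(interfaces)
    if len(groups) > MAX_BRIDGE_GROUPS_PER_CONTEXT:
        findings.append(f"{len(groups)} bridge-groups exceed the per-context limit of "
                        f"{MAX_BRIDGE_GROUPS_PER_CONTEXT}; put the extra pairs in another context")
    for bg, members in sorted(groups.items()):
        if len(members) < 2:
            findings.append(f"bridge-group {bg} has {len(members)} member(s); "
                            "a pair needs an inside and an outside interface")
            continue
        levels = {a["security_level"] for _, a in members}
        if None in levels:
            findings.append(f"bridge-group {bg}: a member has no security-level")
        elif len(levels) < 2:
            findings.append(f"bridge-group {bg}: all members share security-level "
                            f"{levels.pop()}; one side must be high (inside), one low (outside)")
    return findings


def vlan_pairs(config):
    """Map bridge-group -> (inside nameif, outside nameif), highest security-level first."""
    _, interfaces = parse_asa_interfaces(config)
    return {bg: tuple(a["nameif"] for _, a in
                      sorted(members, key=lambda m: m[1]["security_level"] or 0, reverse=True))
            for bg, members in bridge_groups(interfaces).items()}


if __name__ == "__main__":
    print("good:", lint_transparent_config(GOOD_CONFIG), vlan_pairs(GOOD_CONFIG))
    print("bad:", *lint_transparent_config(BAD_CONFIG), sep="\n  ")
```

Run it against a `show running-config` saved to a file before you cut traffic over: `vlan_pairs` tells you at a glance which downstream VLAN is being bridged to which upstream VLAN, and the linter flags the half-built pair or the missing `firewall transparent` that otherwise only shows up as an outage.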
12-07-2015 09:34 AM
Thanks Masoud,
Is that a supported config, or would one use some other kit to do it properly? I mean, would the supplier of the fixed line be able to supply some kit that could do this on a per-interface basis?
James
12-07-2015 09:45 AM
You are welcome.
This config is supported in IOS 8.4 or higher. You do not need any extra kit. Just make sure your device license allows you to create more security zones. Very base licenses only allow you to have two zones (inside, outside).
Just to mention: the ASA works either in transparent mode or routed mode. You cannot have both at the same time.
Masoud
12-09-2015 01:07 AM
Thanks for your input again Masoud.
I'm just wondering why inbound traffic uses a different VLAN from outbound traffic. Would I be able to do this without VLANs and instead use physical interfaces?
Are there any Cisco documents about this, as I can't find any?
Thanks again...