Showing results for 
Search instead for 
Did you mean: 

Transparent (or routed) Firewall Network Design Recommendations

Level 1
Level 1

I am looking for some suggestions please.  Attached is a basic design for a network with a Router, Transparent Firewall and Layer 2 switch.  The mandate is the push some traffic through the Firewall which is limited to 250Mbps throughput and other traffic we trust to bypass this path and go direct to the router/internet at 1Gpbs (Backups for example).  The desire of using a Transparent firewall is purely for simplicity as the 4321 Router is running ZBF and doing NAT to the internet so we really only need the ASA doing IPS on the traffic and don't want to use NAT, Routing or ACL's on it if we don't have too.  I'd reluctantly be ok with using the ASA in routed mode if recommendations suggest this is the best option.


The problem I'm having is how to force the relevant traffic via the transparent ASA path since we have a layer 2 switch and cannot have 2 same subnet IP's on the 4321 on separate interfaces - even if we could there would be an issue of async routing as we want traffic going out to take the same path back and visa versa.  I looked at VRF's but that adds extra complexity that I'm trying to avoid but I'm open to input there as I'm not fully up to speed with my knowledge of VRF.

Now... Obviously I could place the ASA in routed mode and use PBR on the 4321 to send traffic where it needs to go and if that's the best option, so be it.  But I would like to avoid anything I don't need on the ASA such as NAT.  Without NAT on the ASA in routed mode I think I would still have the issue of async routing though even if the outside interface was a different subnet .e.g  inside=, outside= and have an interface on the 4321 with sending this to the internet.  If I understand correctly the return traffic would have the the destination in the subnet and bypass the ASA coming back in?

I'd appreciate some input from experts on how they would implement this.


Edit:  In case anyone wonders why I don't use the IPS container on the 4000 series router.  We have a boost license which prevents this.


1 Reply 1

You could possibly apply a L2 port mac access-lists on the L2 switch on the two uplinks between the fw and the rtr to deny certain traffic being switched via either of the two uplinks.

mac access-list extended pacl
deny host any
permit any any

mac access-list extended pacl
permit host any

in x/x
mac access-group pacl in 

Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Review Cisco Networking for a $25 gift card