Transparent mode bridges two or more interfaces into one bridge group; the ASA acts as a Layer 2 "bump in the wire"
Within a bridge group, the bridged segments can communicate with each other
Each bridge group needs a BVI (Bridge Virtual Interface) with a management IP in the same subnet as the bridged segments
If no BVI IP is configured the ASA drops the traffic and logs: '%ASA-6-322004: No management IP address configured for transparent firewall. Dropping protocol ICMP packet from IN:10.150.1.1/2048 to OUT:10.150.1.2/0'
Bridge groups are isolated from each other; the transparent firewall neither bridges nor routes between them (an external router is needed for that)
802.1Q-tagged (trunk) traffic does not pass through untouched, because the same VLAN can't be configured on two interfaces of the ASA
Access policies, inspection, etc. work the same as in routed mode
The same checks are applied between the interfaces of a bridge group
Each interface in a bridge group gets a nameif and a security-level; the BVI holds the bridge group's management IP, e.g.:
ip address 10.150.1.100 255.255.255.0
Default access rules:
Unicast IPv4/IPv6 is allowed from high-security to low-security interfaces (implicit permit)
Low-security to high-security traffic is blocked and requires an access policy
ARP is allowed in both directions
Broadcast and multicast traffic is connectionless, so it requires access rules in both directions
Example: allow routing protocols through the transparent FW (a global access-group applies inbound on every interface, so it covers both directions):
access-list routing extended permit eigrp any any
access-list routing extended permit udp any any eq rip
access-list routing extended permit ospf any any
access-group routing global
Non-IP traffic (any EtherType other than IPv4 0x0800, ARP 0x0806 and IPv6 0x86DD) is blocked by default
e.g. MPLS, CDP, etc.; the exceptions are BPDUs and IS-IS, which the ASA passes by default
CDP is matched in an EtherType ACL with EtherType 0x2000
MPLS unicast is EtherType 0x8847 (keyword mpls-unicast; 0x8848 / mpls-multicast for multicast)
EtherType ACLs can't be applied globally; they are applied inbound per interface, and since they are connectionless the ACL goes on both bridged interfaces if the traffic must pass in both directions
access-list EtherType-ACL ethertype permit 2000
access-list EtherType-ACL ethertype permit mpls-unicast
access-group EtherType-ACL in interface in
access-group EtherType-ACL in interface out
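Putting the pieces above together, here is a complete transparent-mode bridge group with the BVI, the default-rule exceptions for routing protocols and the per-interface EtherType ACL. This is an added example, not configuration from the original notes: the physical interface names, bridge-group number 1 and the 10.150.1.0/24 addressing are assumptions chosen to match the addresses quoted in the syslog message above (ASA 9.x CLI syntax).

```cisco
! Added example, not from the original notes. Interface names, bridge-group
! number and the 10.150.1.0/24 addressing are assumptions (ASA 9.x CLI).
firewall transparent
!
interface GigabitEthernet0/0
 bridge-group 1
 nameif in
 security-level 100
 no shutdown
!
interface GigabitEthernet0/1
 bridge-group 1
 nameif out
 security-level 0
 no shutdown
!
! One BVI per bridge group, in the bridged subnet. Without this IP the ASA
! drops transit traffic and logs %ASA-6-322004.
interface BVI1
 ip address 10.150.1.100 255.255.255.0
!
! Routing protocols are multicast/broadcast, so the high-to-low implicit
! permit does not cover them. A global ACL is applied inbound on every
! interface, which takes care of both directions.
access-list routing extended permit eigrp any any
access-list routing extended permit udp any any eq rip
access-list routing extended permit ospf any any
access-group routing global
!
! Non-IP frames: EtherType ACLs have no "global" option and are
! connectionless, so the same ACL is applied inbound on both bridged
! interfaces. 2000 is the hex EtherType used for CDP.
access-list EtherType-ACL ethertype permit 2000
access-list EtherType-ACL ethertype permit mpls-unicast
access-list EtherType-ACL ethertype permit mpls-multicast
access-group EtherType-ACL in interface in
access-group EtherType-ACL in interface out
```

Verify with `show bridge-group 1`, `show mac-address-table` (the ASA should have learned MACs on both interfaces) and `show access-list EtherType-ACL` for hit counts. One caveat a practitioner should keep in mind: the implicit deny at the end of an EtherType ACL affects only non-IP frames, so applying it does not block IPv4, IPv6 or ARP; those are still governed by the extended ACLs and the security-level rules.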
MAC Address vs. Route Lookups
Within a bridge group the exit interface is normally found by a MAC address lookup (the ASA learns MACs like a switch)
Traffic originated by the transparent FW itself (syslog, AAA, management) uses the ASA's routing table
Traffic handled by an inspection engine (TFTP, SIP, etc.) also uses the routing table
For traffic NATed by the transparent FW where the destination isn't directly connected:
A static route is required on the upstream router pointing to the BVI IP of the transparent FW, with the NATed (mapped) address as destination
A static route is required on the transparent FW pointing to the next-hop router (R1), with the un-NATed (real) network as destination
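The NAT-plus-route case above is easiest to see with both sides of the configuration side by side. This is an added example, not from the original notes: the server, its mapped address 192.0.2.10 and the 10.10.10.0/24 network behind R1 are constructed; 10.150.1.1 (R1, inside) and 10.150.1.2 (upstream router, outside) are the addresses quoted in the syslog message above, and the interface names in/out and BVI address match the notes.

```cisco
! Added example, not from the original notes. Server, mapped address and
! the 10.10.10.0/24 network behind R1 are constructed; 10.150.1.1 (R1) and
! 10.150.1.2 (upstream router) are the addresses quoted in the syslog above.
!
! --- ASA, transparent mode, BVI1 = 10.150.1.100 ---
! Inside server one hop behind R1, published to the outside via a mapped
! address that is NOT on the bridged 10.150.1.0/24 subnet.
object network srv-real
 host 10.10.10.10
 nat (in,out) static 192.0.2.10
!
! Since 8.3 access rules reference the real (un-NATed) address.
! Low-to-high traffic needs an explicit permit.
access-list outside_in extended permit tcp any host 10.10.10.10 eq 443
access-group outside_in in interface out
!
! The un-NATed destination is not on the bridged subnet, so the ASA cannot
! find it with a MAC lookup and falls back to a route lookup: it needs a
! route to the real network via R1.
route in 10.10.10.0 255.255.255.0 10.150.1.1
!
! --- Upstream router (IOS, 10.150.1.2) ---
! 192.0.2.10 is not on-link, so the router must be told that the transparent
! firewall's BVI is the next hop for the mapped address.
ip route 192.0.2.10 255.255.255.255 10.150.1.100
!
! --- R1 (IOS, 10.150.1.1) ---
! Return traffic from the server goes to the upstream router through the ASA.
ip route 0.0.0.0 0.0.0.0 10.150.1.2
```

Check the path on the ASA with `show route` (the 10.10.10.0/24 entry via 10.150.1.1), `show nat` (translate hit counts) and a dry run such as `packet-tracer input out tcp 198.51.100.5 40000 192.0.2.10 443`, which shows the NAT untranslation, the route lookup phase and the chosen egress interface; if the ASA-side route is missing, the trace ends in a drop instead of reaching R1.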