A transparent firewall uses bridging to join two or more interfaces into one bridge group
Within a bridge group, the bridged segments can communicate with each other
Each bridge group needs a BVI interface with an IP address in the same subnet as the bridged segments
If no BVI address is configured, the following syslog is generated: '%ASA-6-322004: No management IP address configured for transparent firewall. Dropping protocol ICMP packet from IN:10.150.1.1/2048 to OUT:10.150.1.2/0'
Communication between different bridge groups is isolated within the transparent firewall
Dot1Q-tagged traffic won't pass through, because the same VLAN can't be configured on two interfaces of the ASA
It performs the same functions as a routed firewall with respect to access policies, inspection, etc.
The same checks are applied between interfaces within a bridge group
A nameif and security level must be assigned to each interface within a bridge group; the IP address lives on the BVI, e.g.:
ip address 10.150.1.100 255.255.255.0
Default Access rules:
Unicast IPv4/IPv6 is allowed from high-sec to low-sec interfaces
Low-sec to high-sec traffic is blocked and requires an access policy
ARPs are allowed
Broadcast and Multicast require access rules for both directions
An example is allowing routing protocols through the transparent firewall:
access-list routing extended permit eigrp any any
access-list routing extended permit udp any any eq rip
access-list routing extended permit ospf any any
access-group routing global
Non-IP traffic (any EtherType other than 0x800, which is IPv4) is blocked by default:
MPLS, CDP, etc. (an exception is made for BPDUs and IS-IS)
CDP EtherType is 0x2000
MPLS EtherType is 0x8847
EtherType ACLs can't be applied globally; they are bound per interface:
access-list EtherType-ACL ethertype permit 2000
access-list EtherType-ACL ethertype permit mpls-unicast
access-group EtherType-ACL in interface in
access-group EtherType-ACL in interface out
Mac Address vs. Route Lookups
Within a bridge group, the exit interface is identified by MAC address lookup
Traffic initiated by the transparent firewall itself uses the local routing table
Traffic inspected by the transparent firewall (e.g. TFTP, SIP) also uses the local routing table
For traffic NATed by the transparent firewall where the destination isn't directly connected:
A static route is required on the upstream router pointing to the BVI IP of the transparent firewall, with the NATed IP as the destination
A static route is required on the transparent firewall pointing to the next hop (R1), with the un-NATed IP as the destination
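A complete transparent-mode configuration that ties the points above together, added here as an example and not taken from the original notes. The interface names, the inside router R1 at 10.150.1.1, the server 192.168.10.10 behind it and its translated address 172.16.1.10 are constructed assumptions; the BVI address and the ACL lines are the ones already shown above.

```cisco
firewall transparent
!
! Two member interfaces in bridge group 1 (interface names are assumptions)
interface GigabitEthernet0/0
 bridge-group 1
 nameif in
 security-level 100
 no shutdown
!
interface GigabitEthernet0/1
 bridge-group 1
 nameif out
 security-level 0
 no shutdown
!
! The BVI carries the only IP address; without it the ASA drops traffic and logs %ASA-6-322004
interface BVI1
 ip address 10.150.1.100 255.255.255.0
!
! Multicast/broadcast routing protocols need explicit rules; an IP ACL may be applied globally
access-list routing extended permit eigrp any any
access-list routing extended permit udp any any eq rip
access-list routing extended permit ospf any any
access-group routing global
!
! Non-IP EtherTypes (CDP, MPLS) are dropped by default; EtherType ACLs must be bound per interface
access-list EtherType-ACL ethertype permit 2000
access-list EtherType-ACL ethertype permit mpls-unicast
access-group EtherType-ACL in interface in
access-group EtherType-ACL in interface out
!
! Static NAT for a host that is NOT on the bridged subnet (assumed: 192.168.10.10 behind R1 at 10.150.1.1)
object network INSIDE-SERVER
 host 192.168.10.10
 nat (in,out) static 172.16.1.10
!
! Low-sec to high-sec is denied by default; permit the inbound service using the real (un-NATed) address
access-list out-in extended permit tcp any host 192.168.10.10 eq 443
access-group out-in in interface out
!
! NATed traffic to a non-connected destination: the ASA needs a route to the real host via R1
route in 192.168.10.0 255.255.255.0 10.150.1.1
!
! The upstream router on the "out" side (assumed) needs a route for the NATed IP via the BVI:
!   ip route 172.16.1.10 255.255.255.255 10.150.1.100
```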