05-15-2015 04:20 AM - edited 03-08-2019 12:01 AM
Hi,
I am designing a small data center with ASA5512-IPS firewall.
The configuration is like: ISP--->2921 Router--->5512 Firewall--->4503 Core--->2960 Access
I am confused about connecting the firewall in routed or transparent mode. Will transparent mode work in the current scenario? If yes, can anybody please help me with the configuration?
Thanks!
05-15-2015 04:56 AM
It's very likely that you could use the ASA in transparent mode in your scenario. But do you have to? Transparent mode has some restrictions (documented in the config-guide) that you don't have in routed mode. Personally I would only use transparent mode if routed mode is not possible.
05-15-2015 05:00 AM
Thanks for your reply.
I just need to bypass the traffic through the firewall, like the firewall will be working in "ip any any" mode. I am really not sure which mode to adopt. Making it simple, I just need to deploy a firewall in the network without using its features for now. If it's configured in routed mode, can I just use static routes for the incoming and outgoing traffic? It would be really nice of you if you can share a simple configuration of a firewall with the outside interface connecting to a router and the inside interface to a core switch.
05-15-2015 05:10 AM
So you want an inline IPS-device and not a firewall? Then Transparent-mode is for you!
The configuration is basically:
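For a reader who wants to see what the inline, pass-everything deployment looks like on an ASA 5512-X in transparent mode, here is an added example (not Karsten's own configuration). It assumes ASA 9.x syntax, that GigabitEthernet0/0 faces the 2921 and GigabitEthernet0/1 faces the 4503, that the link between router and core uses the placeholder subnet 198.51.100.0/24 with the router at .1, and that the IPS module named in the thread title is the one the policy map redirects to; all of those values are assumptions.

```cisco
! Switching modes clears the running configuration, so do this on a
! fresh box or from the console before anything else.
firewall transparent
!
! Both data interfaces join one bridge group; the ASA has no IP
! address on either of them, which is why neither the 2921 nor the
! 4503 needs an addressing change.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 bridge-group 1
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 bridge-group 1
 no shutdown
!
! The BVI carries the only IP address the bridge needs: a management
! address out of the same subnet that already spans router and core
! (198.51.100.0/24 is an assumed placeholder).
interface BVI1
 ip address 198.51.100.2 255.255.255.0
!
! This route is only for traffic the ASA itself originates (syslog,
! NTP, management). Bridged user traffic is never routed.
route outside 0.0.0.0 0.0.0.0 198.51.100.1 1
!
! "ip any any" in both directions so nothing is blocked while the box
! is only acting as an inline IPS.
access-list PASS-ALL extended permit ip any any
access-group PASS-ALL in interface outside
access-group PASS-ALL in interface inside
!
! Non-IP frames (STP BPDUs and the like) are dropped by default in
! transparent mode; an EtherType ACL lets them cross the bridge.
access-list PASS-ETHER ethertype permit any
access-group PASS-ETHER in interface outside
access-group PASS-ETHER in interface inside
!
! Send all bridged traffic through the IPS module inline. fail-open
! keeps traffic flowing if the module is down; use fail-close if a
! blind period is less acceptable than an outage.
class-map IPS-TRAFFIC
 match any
policy-map global_policy
 class IPS-TRAFFIC
  ips inline fail-open
service-policy global_policy global
```

Two things to check after applying it: `show firewall` must report transparent mode, and `show bridge-group 1` should list both data interfaces. The restriction Karsten mentions shows up immediately here: the whole bridge is a single broadcast domain, so there is no place to put a server farm on its own interface without a second bridge group and a second management address.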
05-15-2015 05:14 AM
Karsten
I just agreed with you and now you've changed your mind :-)
Jon
05-15-2015 05:31 AM
Sorry for that Jon ... ;-)
But it seems that here it's one of the "I just need an IPS, but Cisco doesn't sell any lower-cost standalone appliances any more" scenarios.
05-15-2015 05:34 AM
No problem, it was said in jest :-)
It's difficult to know what to say on this one because it's not clear what the final design is meant to achieve.
Have you seen many deployments of transparent firewalls as the internet edge device?
Jon
05-15-2015 05:38 AM
The design is meant to achieve the wireless network in a campus. Currently we are using just layer 2 devices, and very few APs. Now we have to cover the whole campus with the wireless connectivity, and a server farm to be deployed in the data center. I don't want to go deep into the security, just keeping it simple to ease the migration from old to new deployment.
05-15-2015 05:48 AM
I try to avoid transparent firewalls where I can ... ;-)
Once I had to use it where the router was out of our control and the server that was directly connected to the router needed a firewall but the system admin was too fearful to change the IP on the server. That's IMO one of the rare situations where transparent mode makes sense. Or if you just want an IPS-device ... ;-) But in case of the pure IPS-device, typically there still is a firewall in front of that if we are talking about internet-facing systems.
So it's more in this situation where both the router and the c4k core don't need any changes in addressing to introduce the IPS.
05-15-2015 05:13 AM
I agree with Karsten, using routed mode makes more sense with your layout, but it does depend on your public IP addressing, i.e. do you have a public IP subnet for the connection between the 2921 and your ASA?
If so, routed mode is the way to go. Transparent is a lot less commonly used, especially as an edge device. It does have its uses, but it does impose restrictions, as Karsten said.
If you just want it to pass all traffic you really just need to setup interfaces and add routes and that should get you going.
If you want internet access to servers hosted by you it is a bit more complicated.
Use the guides to get started -
Jon
05-15-2015 05:22 AM
Jon,
I have a public IP pool assigned by my ISP, and some of my endpoints are configured with public IPs. So do you think transparent mode will not work? Actually I am more interested in a simple firewall configuration rather than its mode of operation, one which just bypasses my traffic, as I am not a security guy. :)
05-15-2015 05:32 AM
The problem is that the mode you run it in is entirely dependent on the design and what you want to achieve, so even if you are not a security guy you need to decide now, or else the design may not work as you want.
Transparent mode would probably work, it's just from my experience most edge firewalls are run in routed mode.
If you have end devices using public IPs from the same subnet as the router's internal interface IP address, then transparent mode could work for you, but most people would place those servers on a separate interface of the firewall in routed mode.
If you did this you would either need to break up your subnet or, more likely, use private addressing and then use NAT on the firewall to present them to the internet.
It's difficult to say which you should go for without knowing more about what you are trying to achieve.
Either way you can simply allow all IP through, but it is entirely dependent on your public IP addressing and how you want to use that.
Jon
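Jon's two points, "set up interfaces and add routes" for the pass-all case and "servers on a separate interface with NAT" for the hosted-server case, fit in one routed-mode configuration. The following is an added example, not Jon's or the OP's configuration. It assumes ASA 9.x syntax, a /30 transit subnet to the 2921 (placeholder 203.0.113.0/30, router at .1), a private /30 to the 4503 core, the server farm on a third interface as Jon suggests, campus prefixes summarised as 10.0.0.0/8, and one public address (placeholder 198.51.100.10) out of the ISP pool for a published server. Every address and interface name here is an assumption.

```cisco
! Outside: the public transit link to the 2921 (assumed 203.0.113.0/30)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.252
 no shutdown
!
! Inside: the link to the 4503 core (assumed private /30)
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.255.0.1 255.255.255.252
 no shutdown
!
! DMZ: the server farm on its own interface, so servers are neither in
! the campus subnet nor in the public transit subnet (assumed)
interface GigabitEthernet0/2
 nameif dmz
 security-level 50
 ip address 10.10.10.1 255.255.255.0
 no shutdown
!
! Static routes: everything unknown goes to the ISP router, the campus
! summary goes to the core. Inside and DMZ subnets are connected.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
route inside 10.0.0.0 255.0.0.0 10.255.0.2 1
!
! Outbound: campus and DMZ hosts share the outside interface address
! (interface PAT). Object NAT, post-8.3 style.
object network CAMPUS-NETS
 subnet 10.0.0.0 255.0.0.0
 nat (any,outside) dynamic interface
!
! Inbound: one server published with a 1:1 static NAT to a public
! address from the ISP pool. Static object NAT is evaluated before the
! dynamic rule above, so the server keeps its fixed public address.
object network SRV-WEB
 host 10.10.10.10
 nat (dmz,outside) static 198.51.100.10
!
! The "ip any any" the OP asked for. Since 8.3 the ACL matches the real
! (private) address, not the mapped public one. The commented line is
! the tighter rule to swap in once the migration is done: only the
! published service, not every host behind the ASA.
access-list OUTSIDE-IN extended permit ip any any
! access-list OUTSIDE-IN extended permit tcp any object SRV-WEB eq 443
access-group OUTSIDE-IN in interface outside
```

Two dependencies outside the ASA: the 2921 must have a route for the public pool (here 198.51.100.0/24) pointing at 203.0.113.2, or return traffic for the static NAT never reaches the firewall, and the 4503 must default-route to 10.255.0.1. `packet-tracer input outside tcp 192.0.2.1 1025 198.51.100.10 443` on the ASA shows the NAT untranslation and the ACL hit in one go and is the quickest way to confirm the published server path before any host is moved.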