Firewall in Transparent Mode

zohaib.qamar

Hi,

I am designing a small data center with ASA5512-IPS firewall.

The configuration is like: ISP--->2921 Router--->5512 Firewall--->4503 Core--->2960 Access

I am confused about connecting firewall in routed or transparent mode. Will transparent mode work in the current scenario, if yes can anybody please help me in the configuration.

Thanks!

12 Replies

It's very likely that you could use the ASA in transparent mode in your scenario. But do you have to? Transparent mode has some restrictions (documented in the config-guide) that you don't have in routed mode. Personally I would only use transparent mode if routed mode is not possible.

Thanks for your reply.

I just need to bypass the traffic through the firewall, like the firewall will be working in "ip any any" mode. I am really not sure which mode to adopt. Making it simple, I just need to deploy a firewall in the network without using its features for now. If it's configured in routed mode, can I just use static routes for the incoming and outgoing traffic? It would be really nice of you if you can share a simple configuration of a firewall with the outside interface connecting to a router and the inside interface to a core switch.

So you want an inline IPS-device and not a firewall? Then Transparent-mode is for you!

The configuration is basically:

  1. Configure the ASA for transparent mode
  2. Send all traffic to the module

Karsten
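As an added illustration of Karsten's two steps (not part of his reply or the poster's configuration), a minimal transparent-mode ASA configuration for a 5512-X with the IPS software module; interface names, the 203.0.113.0/24 placeholder subnet and the class-map/ACL names are assumptions:

```cisco
! Constructed example, 9.x syntax. Entering "firewall transparent" clears the
! running interface configuration, so do this on a fresh unit or via console.
firewall transparent
!
! Step 1: both data interfaces join one bridge group. The 2921 inside interface
! and the 4503 core stay in the same IP subnet; the ASA adds no routed hop.
interface GigabitEthernet0/0
 description Towards the 2921 router
 nameif outside
 bridge-group 1
 security-level 0
!
interface GigabitEthernet0/1
 description Towards the 4503 core
 nameif inside
 bridge-group 1
 security-level 100
!
! The bridge group needs a management address inside the bridged subnet
! (203.0.113.0/24 is a documentation prefix used here as a placeholder).
interface BVI1
 ip address 203.0.113.2 255.255.255.0
!
! Inside-to-outside traffic passes by default and its return traffic is tracked
! statefully. For the "ip any any" behaviour asked for in the thread, inbound
! connections on the outside interface also need an explicit permit; tighten
! this ACL once the migration is done.
access-list OUTSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside
!
! Step 2: hand every flow to the IPS module. "fail-open" keeps traffic flowing
! if the module is down; "fail-close" drops it instead, which is the safer
! choice if uninspected traffic is not acceptable.
class-map IPS_ALL
 match any
policy-map global_policy
 class IPS_ALL
  ips inline fail-open
service-policy global_policy global
```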

I just agreed with you and now you've changed your mind :-)

Jon

Sorry for that Jon ... ;-)

But it seems that here it's one of the "I just need an IPS, but Cisco doesn't sell any lower-cost standalone appliances any more" scenarios.

No problem, it was said in jest :-)

It's difficult to know what to say on this one because it's not clear what the final design is meant to achieve.

Have you seen many deployments of transparent firewalls as the internet edge device?

Jon

The design is meant to achieve the wireless network in a campus. Currently we are using just layer 2 devices, and very few APs. Now we have to cover the whole campus with the wireless connectivity, and a server farm to be deployed in the data center. I don't want to go deep into the security, just keeping it simple to ease the migration from old to new deployment.

I try to avoid transparent firewalls where I can ... ;-)

Once I had to use it where the router was out of our control and the server that was directly connected to the router needed a firewall but the system admin was too fearful to change the IP on the server. That's IMO one of the rare situations where transparent mode makes sense. Or if you just want an IPS-device ... ;-) But in case of the pure IPS-device, typically there still is a firewall in front of that if we are talking about internet-facing systems.

So it's more in this situation where both the router and the c4k core don't need any changes in addressing to introduce the IPS.

I have developed the topology in Packet Tracer. The firewall is in routed mode, but I am unable to ping my router behind the firewall from the core switch. Can you please help me with this.

File attached.

I agree with Karsten, using routed mode makes more sense with your layout, but it does depend on your public IP addressing, i.e. do you have a public IP subnet for the connection between the 2921 and your ASA?

If so, routed mode is the way to go. Transparent is a lot less commonly used, especially as an edge device. It does have its uses, but it does impose restrictions, as Karsten said.

If you just want it to pass all traffic, you really just need to set up interfaces and add routes, and that should get you going.

If you want internet access to servers hosted by you it is a bit more complicated.

Use the guides to get started -

http://www.cisco.com/c/en/us/support/security/asa-5500-series-next-generation-firewalls/products-installation-and-configuration-guides-list.html

Jon

Jon,

I have a public IP pool assigned by my ISP; some of my endpoints are configured with public IPs. So do you think transparent mode will not work? Actually, I am more interested in a simple firewall configuration rather than its mode of operation, one which just passes my traffic, as I am not a security guy. :)

The problem is that the mode you run it in is entirely dependent on the design and what you want to achieve, so even if you are not a security guy you need to decide now, or else the design may not work as you want.

Transparent mode would probably work; it's just that, from my experience, most edge firewalls are run in routed mode.

If you have end devices using public IPs from the same subnet as the router's internal interface IP address, then transparent mode could work for you, but most people would place those servers on a separate interface of the firewall in routed mode.

If you did this, you would either need to break up your subnet or, more likely, use private addressing and then use NAT on the firewall to present them to the internet.

It's difficult to say which you should go for without knowing more about what you are trying to achieve.

Either way you can simply allow all IP through, but it is entirely dependent on your public IP addressing and how you want to use that.

Jon
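As an added illustration of the routed-mode approach Jon describes in his two replies (interfaces plus static routes, and private addressing with NAT for hosted servers), and of one common reason the pings in the Packet Tracer question fail; this is constructed example configuration, not Jon's or the poster's. The interface names, the 203.0.113.0/24 and 10.0.0.0/8 placeholder ranges and the object and ACL names are assumptions:

```cisco
! Constructed example for an ASA 5512-X in routed mode, 9.x syntax.
interface GigabitEthernet0/0
 description Towards the 2921 router (public /24 from the ISP pool)
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
!
interface GigabitEthernet0/1
 description Towards the 4503 core (routed transit link)
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.252
!
! Default route to the 2921; one summary route for everything behind the core,
! which routes the campus and server-farm VLANs itself.
route outside 0.0.0.0 0.0.0.0 203.0.113.1
route inside 10.0.0.0 255.0.0.0 10.0.0.2
!
! Inside-to-outside is permitted by default. This permit-any on the outside
! interface gives the "just pass everything" behaviour asked for; replace it
! with host/port specific entries once the migration settles.
access-list OUTSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside
!
! ICMP is not tracked statefully unless inspected. Without either the
! permit-any ACL above or this line, echo replies coming back from the router
! are dropped, which is a frequent cause of "cannot ping through the ASA".
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Servers on private addresses, presented to the internet with one-to-one
! static NAT. Inbound access still has to be permitted by OUTSIDE_IN
! (the ACL is checked against the real, untranslated address 10.0.1.10).
object network SRV_WEB
 host 10.0.1.10
 nat (inside,outside) static 203.0.113.10
```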
