Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2662
Views
0
Helpful
6
Replies

ASA Transparent mode and same vlan

AK59
Level 1
Level 1

‎10-13-2020 08:42 AM

Helle everyone,

 

I'm actually having trouble with the implementation of a firewall in Transparent mode. 

 

I have the configuration below , a router is connected to another one within a /24 subnet. 

I need to implement a firewall without changing anything on the layer 3 configuration ( interfaces or routing)

 

 

Here is the situation 

Vlan 6 - 10.1.1.0/24

 

Router1 ( int vlan 6 - 10.1.1.1) <=====> Router2 ( int e0/0 - 10.1.1.2)

 

I see that if I want to implement a firewall in transparent mode, I need to create 2 vlan  for the same bridge-group. 

But, as I'm using vlan 6 as between Router1 and 2. 

What vlan should I use ? Will it be something like that the scheme below 

 

Router1 ( int vlan6 - 10.1.1.1) <===> (vlan 6 ) ASA (vlan ?) <===> Router2 (int e0/0 10.1.1.2)  

0 Helpful
6 Replies 6

Mohammed al Baqari
Level 11
Level 11

‎10-13-2020 09:29 AM

It's pretty straightforward, just use VLAN 7 or any other number. Think
about it as access port, i.e. the vlan tag is not carried.

**** please remember to rate useful posts
0 Helpful

AK59
Level 1
Level 1

‎10-13-2020 10:21 AM

Ok 

But, for example, if the router2 uses its "int vlan 6" interface, it would mean that i wall have traffic going from " int vlan 7 " in the ASA  going to "int vlan 6" on router 2. 

 

Both interfaces set in access mode, I will have untagged traffic so it will work, right ? 

 

If so, it means that just the naming would be incoherent right 

0 Helpful

Mohammed al Baqari
Level 11
Level 11
In response to AK59

‎10-13-2020 10:47 AM

They don't need to be in same VLAN as its access. So if ASA in vlan 7 and
your router in vlan 6, it will still work as you aren't adding dot1q header
to the packets.

**** please remember to rate useful posts
0 Helpful

balaji.bandi
Hall of Fame
Hall of Fame
In response to AK59

‎10-13-2020 12:59 PM

ASA Bridged the VLAN, just deploy as suggest and test it.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

0 Helpful

MHM Cisco World
VIP
VIP

‎10-13-2020 01:01 PM

ASA have two interface or Sub interface.
one connect to R1 and other connect to R2.
so ASA will receive the frame from R1 with VLAN ID =6 make the checking and then change the VLAN-ID to VLAN 7 and resend to R2.
there is no problem. 

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card