05-06-2007 02:20 AM - edited 03-05-2019 03:53 PM
Hi, I'm not familiar with Cisco equipment and I can't find what I'm looking for in the documentation or on the web. Essentially, I want to use an ASA5510 in transparent mode for a bunch of web servers.
My firewall experience up to now has been to protect a local network where the LAN and WAN are of course separate. In my situation here, there isn't a local network and I want the firewall to transparently protect the servers without needing to set up some kind of complicated DMZ type arrangement.
My setup is simple - I have a single IP feed, an ASA5510 and a Catalyst 3550 switch and 16 servers. I want the servers to keep their public IPs.
I've read the getting started guide for the firewall and I can't see any scenario that comes close to my configuration, so I don't know where to start.
Could someone possibly nudge me in the right direction?
05-06-2007 07:09 AM
Hi Chris,
Just go through this link, which will make things clearer for you.
http://cisco.com/en/US/products/ps6120/products_getting_started_guide_chapter09186a00806a8360.html
Hope this helps.
Rate this post if satisfied.
05-06-2007 08:19 AM
Hi,
No, I'm afraid that doesn't help.
Normally, without the firewall I'd just plug in the switch and run through the basic configuration. There are no local IP addresses - just public ones.
I need to know how to set up the firewall transparently between the IP feed and the switch to protect the web servers. I don't think a DMZ configuration is what I'm looking for.
05-06-2007 08:21 AM
Hi Chris,
Static NAT, is that what you are looking for?
05-06-2007 10:03 AM
I don't think so - static NAT will translate a private IP into a public one. My servers don't have any private IPs as such; they are all just on the internet, not on any LAN.
I suppose a DMZ kind of situation is what I need, but I'm having trouble understanding why I would want to have a local interface and a public interface - why can't the firewall just transparently filter the traffic destined for the servers attached to the switch?
05-06-2007 09:17 PM
Hi Chris,
Even for a DMZ, it actually functions like a static NAT. Your servers will have a private IP, and on the firewall you will be routing all the incoming requests from the outside interface to your local LAN IP interface. When routing this, you can define which ports have to be opened for the server residing in the LAN. By doing this, your server is safe when residing behind the firewall.
The connection would be as follows.
The Internet client accesses your server as follows:
Internet Client ----->Internet Router---->ASA----->Server(residing in LAN)
When the Internet client touches your ASA, based on the policies assigned in the ASA by you, it will take care of which ports have to be permitted for the server, etc.
I hope you understood.
Rate this post if satisfied.
05-06-2007 10:56 PM
I'm sorry, I don't understand.
My servers are configured with public IP addresses and services running from them must use those IPs. I don't want to set up each server in a LAN environment with private IPs as this would not work.
You are suggesting that I configure the servers as a local network then use the firewall to translate those local IPs into public ones. This is not what I want to do.
The connection in the data center to my rack comes from an internet router - it's purely an internet feed. As mentioned before - there is no LAN.
I need it to be like this...
Internet client---->ASA(transparent)---->Switch---->Servers