ASA 5510 with AIP-SSM

Jan 16th, 2008

Ideally I would like to place an ASA 5510 in line between three devices on the same subnet and have the traffic between them inspected.

For example the network 10.10.10.x

Eth0/0 would have input coming from

Eth0/1 would have input coming from

Eth 0/2 would have input coming from

Leaving the management port with

Currently I have the ASA setup as a Transparent Firewall based on the following example: From this it only looks like two connections on the same subnet are allowed, but I am new to this so I am not quite sure.

With the Transparent Firewall configuration I am also experiencing difficulty accessing the ASDM application.

Any help would be greatly appreciated.

andrew.burns Thu, 01/17/2008 - 02:43


You're right in your assumption - in transparent mode only two connections are possible.

Regarding the ASDM app, you might need to configure some routing on the ASA, but it's not clear exactly what the problem is. Does it work slowly, sometimes or not at all?



ben.schultz Thu, 01/17/2008 - 06:17

Thank you for your response.

If I switched to routed mode, is there a way to achieve what I mentioned in my original post? From what I have read it seems like transparent mode would be my best choice, unfortunately I need to utilize three ports so this is not an option.

I thought about setting an IP address on the ASA Ethernet Ports 0/0-0/2 each having its own /30 subnet mask but this seems like a waste of addresses.

I resolved the ASDM problem; I had an error in the ACL controlling IP traffic.

andrew.burns Tue, 01/22/2008 - 00:47


Routed mode won't help if the devices are in the same subnet. However, if the devices can all be made to have different subnets then it could work as you'd have a normal firewall scenario inspecting traffic between 3 networks.



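The routed-mode arrangement described in the reply above, as an added example that is not part of the original thread: each host is moved onto its own /30 subnet facing one ASA interface, uses that interface as its default gateway, and the ASA hands all traffic to the AIP-SSM inline through the modular policy framework. The interface names, the 10.10.10.x/30 addresses, the security level and the access-list and class-map names are assumptions chosen for illustration.

```cisco
! Added illustration (not from the thread): ASA 5510 in routed mode with
! three host-facing interfaces, each on its own /30, all traffic sent to
! the AIP-SSM. Names, addresses and security levels are assumed.
no firewall transparent
!
! Host A: 10.10.10.2/30, default gateway 10.10.10.1
interface Ethernet0/0
 nameif host-a
 security-level 50
 ip address 10.10.10.1 255.255.255.252
 no shutdown
!
! Host B: 10.10.10.6/30, default gateway 10.10.10.5
interface Ethernet0/1
 nameif host-b
 security-level 50
 ip address 10.10.10.5 255.255.255.252
 no shutdown
!
! Host C: 10.10.10.10/30, default gateway 10.10.10.9
interface Ethernet0/2
 nameif host-c
 security-level 50
 ip address 10.10.10.9 255.255.255.252
 no shutdown
!
! All three interfaces share one security level, so traffic between
! them must be explicitly allowed
same-security-traffic permit inter-interface
!
! 10.10.10.0/28 covers all three /30s; restrict to the needed ports
! once the required flows are known
access-list HOSTS extended permit ip 10.10.10.0 255.255.255.240 10.10.10.0 255.255.255.240
access-group HOSTS in interface host-a
access-group HOSTS in interface host-b
access-group HOSTS in interface host-c
!
! Send every flow through the AIP-SSM inline. fail-close drops traffic
! if the module stops responding; fail-open would bypass inspection.
class-map IPS-ALL
 match any
policy-map global_policy
 class IPS-ALL
  ips inline fail-close
service-policy global_policy global
```

With this layout the three hosts are no longer in one broadcast domain, so every packet between any pair of them crosses the ASA and is inspected; the cost is the address overhead of a /30 per host that the original poster was reluctant to pay.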
alanajjar Tue, 01/22/2008 - 23:55


I have a solution, which may help. In transparent mode, connect two hosts to a switch, then connect the switch to the firewall, and connect the third host to the other interface of the firewall. In your case only transparent mode can be used.

with regards

andrew.burns Wed, 01/23/2008 - 04:53


This isn't a solution because it doesn't satisfy the requirement of inspecting traffic between three hosts. The two hosts connected to the switch will not have their traffic inspected...


ben.schultz Wed, 01/23/2008 - 05:44


Correct, adding a switch is not a possibility.

I'm investigating the possibility of moving two of the connections to a different subnet; it looks like this is my only option.


andrew.burns Wed, 01/23/2008 - 06:31


What about host-based security? Something like CSA might be an option?



