Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
517
Views
0
Helpful
7
Replies

ASA 5510 with AIP-SSM

ben.schultz
Level 1
Level 1

‎01-16-2008 12:48 PM - edited ‎03-10-2019 03:56 AM

Ideally I would like to place an ASA 5510 in line between three devices on the same subnet and have the traffic between them inspected.

For example the network 10.10.10.x

Eth0/0 would have input coming from 10.10.10.1

Eth0/1 would have input coming from 10.10.10.20

Eth 0/2 would have input coming from 10.10.10.30

Leaving the management port with 10.10.10.10

Currently I have the ASA setup as a Transparent Firewall based on the following example:http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml From this it only looks like two connections on the same subnet are allowed, but I am new to this so I am not quite sure.

With the Transparent Firewall configuration I am also experiencing difficulty accessing the ASDM application.

Any help would be greatly appreciated.

Labels:
0 Helpful
7 Replies 7

andrew.burns
Level 7
Level 7

‎01-17-2008 02:43 AM

Hi,

You're right in your assumption - in transparent mode only two connections are possible.

Regarding the ASDM app, you might need to configure some routing on the ASA, but it's not clear exactly what the problem is. Does it work slowly, sometimes or not at all?

HTH

Andrew.

0 Helpful

ben.schultz
Level 1
Level 1
In response to andrew.burns

‎01-17-2008 06:17 AM

Thank you for your response.

If I switched to routed mode, is there a way to achieve what I mentioned in my original post? From what I have read it seems like transparent mode would be my best choice, unfortunately I need to utilize three ports so this is not an option.

I thought about setting an IP address on the ASA Ethernet Ports 0/0-0/2 each having its own /30 subnet mask but this seems like a waste of addresses.

I resolved the ASDM problem, I had an error in the ACL controlling ip traffic.

0 Helpful

andrew.burns
Level 7
Level 7
In response to ben.schultz

‎01-22-2008 12:47 AM

Hi,

Routed mode won't help if the devices are in the same subnet. However, if the devices can all be made to have different subnets then it could work as you'd have a normal firewall scenario inspecting traffic between 3 networks.

HTH

Andrew.

0 Helpful

alanajjar
Level 1
Level 1

‎01-22-2008 11:55 PM

HI,

I have a solution, which may help. In transparent mode,connect two hosts to a switch , then connect the switch to the firewall, and connect the third host to the other interface of the forewall. in your case only transparent mode can be used.

with regards

0 Helpful

andrew.burns
Level 7
Level 7
In response to alanajjar

‎01-23-2008 04:53 AM

Hi,

This isn't a solution because it doesn't satisfy the requirement of inspecting traffic between three hosts. The two hosts connected to the switch will not have their traffic inspected...

Andrew.

0 Helpful

ben.schultz
Level 1
Level 1
In response to andrew.burns

‎01-23-2008 05:44 AM

Hi,

Correct, adding a switch is not a possibility.

I'm investigating the possiblility of moving two of the connections to a different subnet, it looks like this is my only option.

Thanks.

0 Helpful

andrew.burns
Level 7
Level 7
In response to ben.schultz

‎01-23-2008 06:31 AM

Hi,

What about host-based security? Something like CSA might be an option?

HTH

Andrew.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card