Transparent mode and failover.

Unanswered Question
Apr 11th, 2008

Does an ASA in both transparent mode and standby state pass any type of traffic?

Paulo Roque

Network Engineer

Anonymous (not verified) Thu, 04/17/2008 - 13:39

Transparent firewall mode allows only two interfaces to pass through traffic; however, on the ASA adaptive security appliance, you can use the dedicated management interface (either the physical interface or a subinterface) as a third interface for management traffic. The mode is not configurable in this case and must always be management-only.

mvandorp Mon, 04/21/2008 - 00:19

In transparent mode, all allowed traffic is passed, but only IP traffic can be inspected. Normally BPDUs are blocked, but you want them through if using STP.

In transparent failover mode, you definitely want STP, to eliminate problems when both FWs become active (should never happen, but...).

In standby mode, the FW does not pass any traffic.

There is a failover link between active and standby FW, to carry FW status info. If you do stateful failover, the state info is transferred too (on its own VLAN). This is management traffic, no user data!

I don't know about ASA, but an FWSM allows up to 8 BVI-groups per context. An inside VLAN is connected to an outside VLAN by the transparent FW (this is called a BVI-group). Each BVI-group is completely isolated from each other. You need a router to get traffic between the BVI groups.

The management interface is just for that. It also can carry traffic for AAA (e.g. a connection to the RADIUS server).

HTH,

Marcel
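The points in the reply above (transparent mode, BPDUs explicitly permitted with an EtherType ACL, and a dedicated failover link plus a separate stateful link carrying only unit status and state, never user data) can be pulled together into one ASA active/standby configuration. This is an added example, not configuration from the original thread; interface names, hostnames and all addresses (192.0.2.x, 10.0.0.x, 10.0.1.x) are assumed, and the global ip address form is the single-context transparent-mode syntax of the ASA 7.x/8.0 era.

```cisco
! Primary unit, transparent mode, active/standby failover
firewall transparent
hostname ASA-PRIMARY
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Physical interfaces reserved for the failover link and the stateful link
interface GigabitEthernet0/2
 no shutdown
interface GigabitEthernet0/3
 no shutdown
!
! Bridged management address of the unit (assumed address; the standby
! address is taken over by whichever unit is in standby state)
ip address 192.0.2.10 255.255.255.0 standby 192.0.2.11
!
! EtherType ACL: pass STP BPDUs on both bridged interfaces so the switches
! can still detect and block a loop if both units ever become active
access-list ALLOW-BPDU ethertype permit bpdu
access-group ALLOW-BPDU in interface inside
access-group ALLOW-BPDU in interface outside
!
! Failover link (unit status) and stateful link (connection state) on their
! own point-to-point subnets; these carry management traffic only
failover lan unit primary
failover lan interface FOLINK GigabitEthernet0/2
failover link STATELINK GigabitEthernet0/3
failover interface ip FOLINK 10.0.0.1 255.255.255.252 standby 10.0.0.2
failover interface ip STATELINK 10.0.1.1 255.255.255.252 standby 10.0.1.2
!
! Enable failover last, once the links and addresses are in place
failover
```

The secondary unit needs only "failover lan unit secondary" plus the same failover lan interface, failover link and failover interface ip lines before "failover"; the rest of the configuration is replicated from the active unit.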
