ASA 5510 in Transparent Mode-Guidelines.

Unanswered Question
Oct 12th, 2008

Dear all,

I need to convert routed mode to transparent mode on my ASA-5510 with inbuilt IPS.

let me know which of the following features configured on my firewall will have issue if converted to transparent mode:

1. static routes.

2. object-groups.

3. ACLS.

4. URL-filter (Websense).

5. IPS . ( i doubt this )

6. have 3 data and 1 Mgmt interfaces.

7. syslog.

8. SNMP

I'm sure point 5 and 6 will have issues, need to confirm.

need to confirm this by EOD,

( 5 hours more).

thanks in advance.

Shukla.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Average Rating: 0 (0 ratings)
Marwan ALshawi Sun, 10/12/2008 - 03:14

Does not participate in routing protocols but can still pass routing protocol traffic through it. You can define static routes for the traffic originated by the ASA.

in transparante mode the devices dehind and infront of the firewall will be in the same ip subnet as the firewall will be a L2 device!!

ACLs can be configured normally

syslog as well

obgect groups as well

Address translation is inherent when a firewall is configured for routed mode. Beginning with

ASA 8.0, address translation can be used in transparent mode as well

Does not participate in multicast. However, it allows passing the multicast traffic through it using the ACLs.

Does not support QoS.

Inspects Layer 2 and higher packet headers

as long as u can use

policy-map global_policy

then u can integrate with IPS if u mean AIP-ssm modul

transparent also known as a Layer 2 firewall or a stealth firewall, because its

interfaces have no IP addresses and cannot be detected or manipulated. Only a single

management address can be configured on the firewall

In transparent mode, a firewall can support only two interfaces-the inside and the outside. If

your firewall supports more than two interfaces from a physical and licensing standpoint, you

can assign the inside and outside to two interfaces arbitrarily. As soon as those interfaces are

configured, the firewall does not permit a third interface to be configured.

Some platforms also support a dedicated management interface, which can be used for all

firewall management traffic. However, the management interface cannot be involved in

accepting or inspecting user traffic

Configure a management address:

Firewall(config)# ip address ip_address subnet_mask

The firewall can support only a single IP address for management purposes. The address is

not bound to an interface, as in routed mode. Rather, it is assigned to the firewall itself,

accessible from either of the bridged interfaces.

The management address is used for all types of firewall management traffic, such as Telnet,

SSH, HTTP, SNMP, Syslog, TFTP, FTP, and so on.

A transparent firewall can also support multiple security contexts. In that case, interface IP

addresses must be configured from the respective context. The system execution space uses

the admin context interfaces and IP addresses for its management traffic

You do not have to configure a static route for the subnet directly connected to the firewall

interfaces. However, you should define one static route as a default route toward the outside

public network

i wish i covered all ur questions

good luck

if helpful Rate

Actions

Login or Register to take actions

This Discussion

Posted October 12, 2008 at 1:29 AM
Stats:
Replies:1 Avg. Rating:
Views:513 Votes:0
Shares:0
Tags: No tags.

Discussions Leaderboard