ASA 5520 Transparent Mode between routers

Answered Question

I am planning the deployment of two 5520's which we want to use in transparent mode in order to get a better idea on the type of traffic we have before moving to routed mode. I'm trying to figure out how can I get these firewalls in between the multilayer switches I currently have in place since the firewall only recognizes layer 2 traffic while on transparent mode and switches are being used as layer 3. I am attaching a basic diagram to show you my current setup.


My area is switching and routing and I am now getting into firewalls so please be easy on me : ) Thanks in advance for your assistance!



Jon Marshall Wed, 12/03/2008 - 07:13

Jose


Transparent mode still allows L3 traffic to go through it. So in your diagram if you wanted to insert the firewalls in between the 4506 and the 4510 switches then you can keep your L3 routed link, although you will need another IP address out of that subnet for the firewall. You would obviously need two fibres rather than 1 and run 1 fibre from the 4506 to the 5520 and then the other fibre from the 5520 to the 4510R.


See this link for more details -


http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/fwmode.html#wp1201980


Jon

Jon,


Thank you for your quick reply!


If I understand correctly you're saying that I can keep the interfaces in all of my 4500 (the 4506s and 4510s) the way they are configured. Then I'd just need to unplug the fibre going from the 4510s to the 4506, and plug in the ASA in between? Then once the physical connection is established it's just a matter of creating extended access lists and other basic configs on the firewalls to allow the IP traffic through?


Something like this:

4510R----5520-----4506


That's what I thought but I wanted to make sure since I'm still very new to the Security side. Once again, thank you!

Correct Answer
Jon Marshall Wed, 12/03/2008 - 07:28

Yes that's exactly what you can do. As i said though if the existing links between the switches are P2P using a /30 subnet you may need to change the subnet mask because you will need an additional IP from the subnet for the firewall. Note you only need 1 and not 1 for each interface.


Other than that you should be fine.


Jon
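Putting Jon's re-addressing point and Jose's ACL question together as configuration, as an added example that is not from this thread or from Cisco: it assumes the pre-8.4 transparent-mode syntax used in the asa72 guide linked above, a constructed 10.1.1.0/29 subnet in place of the old /30, and assumed interface names on the switches and on the 4GE SSM.

```cisco
! --- 4506 side of the former /30 point-to-point link ---
! Re-addressed from /30 to /29 so a spare host address exists
! for the ASA (constructed addresses; interface names are assumptions)
interface GigabitEthernet1/1
 description Link to 4510R via ASA (transparent)
 ip address 10.1.1.1 255.255.255.248
 no shutdown
!
! --- 4510R side ---
interface GigabitEthernet1/1
 description Link to 4506 via ASA (transparent)
 ip address 10.1.1.2 255.255.255.248
 no shutdown
!
! --- ASA 5520, pre-8.4 transparent-mode syntax ---
firewall transparent
hostname asa-transparent
!
! 4GE SSM ports (assumed numbering), one fibre towards each switch
interface GigabitEthernet1/0
 nameif inside
 security-level 100
 no shutdown
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 no shutdown
!
! One management address for the whole unit, taken from the
! same /29 as the switches; not one address per interface
ip address 10.1.1.3 255.255.255.248
!
! Baseline phase: pass everything but log each flow so the
! permitted traffic can be reviewed before the rules are tightened.
! Routing-protocol traffic between the switches (e.g. OSPF) is
! covered by "permit ip any any" and would be dropped without it.
access-list OUTSIDE_IN extended permit ip any any log
access-list INSIDE_IN extended permit ip any any log
access-group OUTSIDE_IN in interface outside
access-group INSIDE_IN in interface inside
!
logging enable
logging buffered informational
```

Once the baseline is understood, the two "permit ip any any" lines are what gets replaced by specific permits with a logged deny at the end, before the move to routed mode.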

francisco_1 Wed, 12/03/2008 - 07:19

To better understand the type of traffic going through your ASA, why don't you install the ASA AIP SSM module in promiscuous mode? The IPS should give you clear visibility of the types of traffic traversing your ASA interfaces.


Also see this link for different scenarios for ASA in transparent mode: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml


Francisco

Unfortunately we do not have the AIP SSM module. Because of our requirement to use fibre we had to purchase the 4GE SSM instead.


I have been baselining my traffic patterns for a while now using NetFlow so I have a good idea on what's going on. We just want to use it in transparent mode not only to give us a better understanding of the traffic but also as an "in-between" step to get the firewalls logging before we move to routed mode which is our final plan.
