ASA 5520 Transparent Mode between routers

jose.cruz
Level 1

I am planning the deployment of two 5520's which we want to use in transparent mode in order to get a better idea on the type of traffic we have before moving to routed mode. I'm trying to figure out how can I get these firewalls in between the multilayer switches I currently have in place since the firewall only recognizes layer 2 traffic while on transparent mode and switches are being used as layer 3. I am attaching a basic diagram to show you my current setup.

My area is switching and routing and I am now getting into firewalls so please be easy on me : ) Thanks in advance for your assistance!

6 Replies

Jon Marshall
Hall of Fame

Jose

Transparent mode still allows L3 traffic to go through it. So in your diagram, if you wanted to insert the firewalls in between the 4506 and the 4510 switches, then you can keep your L3 routed link, although you will need another IP address out of that subnet for the firewall. You would obviously need two fibres rather than 1, and run 1 fibre from the 4506 to the 5520 and then the other fibre from the 5520 to the 4510R.

See this link for more details -

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/fwmode.html#wp1201980

Jon

Jon,

Thank you for your quick reply!

If I understand correctly you're saying that I can keep the interfaces in all of my 4500 (the 4506s and 4510s) the way they are configured. Then I'd just need to unplug the fibre going from the 4510s to the 4506, and plug in the ASA in between? Then once the physical connection is established it's just a matter of creating extended access lists and other basic configs on the firewalls to allow the IP traffic through?

Something like this:

4510R----5520-----4506

That's what I thought but I wanted to make sure since I'm still very new to the Security side. Once again, thank you!

Yes, that's exactly what you can do. As I said though, if the existing links between the switches are P2P using a /30 subnet you may need to change the subnet mask, because you will need an additional IP from the subnet for the firewall. Note you only need 1, and not 1 for each interface.

Other than that you should be fine.

Jon

Awesome! What a relief. I have the IPs on the same subnet for the firewalls so I should be ok then. I was just having a hard time understanding how the firewall would be able to sit in between those routed interfaces because I thought it only did layer 2. I understand now. Thank you!
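As an added example (not from the thread or from Cisco's documentation), the following Python helper checks whether an existing routed link has a spare address for the transparent ASA's single management IP, widening a /30 to /29 as Jon describes when both usable hosts are taken, and then renders a minimal ASA 7.2-style transparent configuration. The 10.1.1.x addresses and the GigabitEthernet1/0 and 1/1 interface names (4GE SSM ports) are assumed sample values.

```python
"""Plan the insertion of a transparent-mode ASA into an existing routed
switch-to-switch link. Addresses and interface names below are constructed
sample values, not the poster's real topology."""
import ipaddress


def plan_transparent_insert(link_cidr, switch_a, switch_b):
    """Return (management_ip, prefix_len) for the ASA on this link.

    The transparent firewall needs exactly one IP from the link subnet. A /30
    has only two usable hosts, both taken by the switches, so the mask is
    widened (e.g. /30 -> /29) until a spare host address exists.
    """
    net = ipaddress.ip_network(link_cidr, strict=False)
    used = {ipaddress.ip_address(switch_a), ipaddress.ip_address(switch_b)}
    if not used <= set(net):
        raise ValueError("switch addresses are not inside the link subnet")
    free = [h for h in net.hosts() if h not in used]
    while not free:
        net = net.supernet()  # widen by one bit; still contains both switches
        free = [h for h in net.hosts() if h not in used]
    return str(free[0]), net.prefixlen


def render_asa_config(mgmt_ip, prefix_len,
                      outside="GigabitEthernet1/0", inside="GigabitEthernet1/1"):
    """Minimal single-context transparent config in ASA 7.2-style syntax
    (global 'ip address' for the management address; assumed 4GE SSM ports)."""
    mask = ipaddress.ip_network(f"0.0.0.0/{prefix_len}").netmask
    return "\n".join([
        "firewall transparent",
        f"interface {outside}",
        " nameif outside",
        " security-level 0",
        " no shutdown",
        f"interface {inside}",
        " nameif inside",
        " security-level 100",
        " no shutdown",
        f"ip address {mgmt_ip} {mask}",
        # Baselining ACL: lets the routed traffic (including the switches'
        # routing-protocol packets) through while logging it; tighten later.
        "access-list OUTSIDE_IN extended permit ip any any log",
        "access-group OUTSIDE_IN in interface outside",
        "logging enable",
        "logging trap informational",
    ])


if __name__ == "__main__":
    ip, plen = plan_transparent_insert("10.1.1.4/30", "10.1.1.5", "10.1.1.6")
    print(render_asa_config(ip, plen))
```

Traffic from the higher security-level inside interface is permitted by default, so only the outside-in ACL is needed for the baselining phase.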

francisco_1
Level 7

To better understand the type of traffic going through your ASA, why don't you install the ASA AIP SSM module in promiscuous mode? The IPS should give you clear visibility into the types of traffic traversing your ASA interfaces.

Also see this link for different scenarios for the ASA in transparent mode: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

Francisco

Unfortunately we do not have the AIP SSM module. Because of our requirement to use fibre, we had to purchase the 4GE SSM instead.

I have been baselining my traffic patterns for a while now using NetFlow so I have a good idea on what's going on. We just want to use it in transparent mode not only to give us a better understanding of the traffic but also as an "in-between" step to get the firewalls logging before we move to routed mode which is our final plan.
