ASA in transparent mode

Unanswered Question
Apr 6th, 2009

How do you physically install an ASA in transparent mode into a network? I know that the inside and outside interfaces have to be on the same network. My question is how does the firewall connect between users and servers when there is a switch that connects everything. Do you just plug the firewall into the same vlan as the users and webservers, or does the firewall have to by physically connected to each webserver to work in transparent mode.

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
John Blakley Mon, 04/06/2009 - 06:28

When the firewall is in transparent mode, I believe it can only forward traffic to its own subnet without additional routes. Any other remote subnet would need routes added to the firewall.

You wouldn't need to connect each physical server to the firewall, but the firewall needs to know how to get to the devices. You can connect the firewall into a L3 switch, assign a vlan to it, and then route all of your traffic to the webservers the way that you need to.

Here's a link to better explain it:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

HTH,

John

c-clemons Mon, 04/06/2009 - 07:00

I've looked at the diagram, and that is why I'm not sure about how this is done. With the connection to the router, does the firewall have to be physically connected to the router for it to be a transparent firewall between the router and the server? Or is it just that you plug everything into a L2 switch on the same vlan, and somehow the switch knows to forward all traffic between the router and all other devices through the firewall?

roshan.maskey Mon, 04/06/2009 - 07:23

Hi Clemons,

Check the network diagram for ASA in transparent mode for your server zone. This design will only work for traffic destined to server zone. All traffic to through the router will be bypassed.

If you intend to scan traffic going to server zone and internet from Access switch, then place ASA between Access switch and Distribution switch.

c-clemons Mon, 04/06/2009 - 08:18

I am actually placing an ASA with an IPS module between a firewall cluster and a server network to act as an IPS. I need to put the ASA in transparent mode to do this. What I am trying to understand is how does the transparent firewall work in terms of the traffic flowing through it. I only have one layer-2 switch stack which the firewall cluster will plug into and the server vlan connects to. I need for all traffic coming from the firewall cluster to the server vlan to flow through the ASA. Does the ASA have to be physically plugged into each of these firewalls in the cluster and connected to the server vlan on the switch for the traffic to be forced to go through the ASA? Or can the firewall cluster, ASA, and the servers all be plugged into the server vlan on that layer 2 switch stack and it all work somehow by layer 2 forwarding.

Actions

This Discussion