ASA Transparent mode security

Answered Question
Apr 21st, 2009

If an ASA is in transparent mode, can you still use access-lists? i.e. host A resides on interface 1 and has an IP of 1.1.1.1/24, and another host resides on interface 2 and has the IP 1.1.1.2/24. Can you restrict traffic to be permitted from 1.1.1.1 to 1.1.1.2 only, without allowing access to the rest of the 1.1.1.x network?

Correct Answer by maratkinson about 7 years 7 months ago

Simple answer, yes, use extended access lists to control traffic crossing the ASA. However, that's assuming your design is the normal 2-interface Transparent mode.

Details...

Since you're using the Bridge / Transparent mode, you're well aware that you are effectively designing a pass-through "bump in the wire" L2 device. I'm also guessing that you are staying true to the "Stealth" design and only using the inside and outside interfaces, not additional interfaces like a traditional Routed DMZ design. To that point, your servers are on different sides of the FW? Your sample IPs would seem to state otherwise.

Important points from the below document.

- Each directly connected network must be on the same subnet.

- You must use an extended access list to allow Layer 3 traffic, such as IP traffic, through the security appliance.

You can also optionally use an EtherType access list to allow non-IP traffic through.

Cisco Transparent ASA document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml
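An added configuration example (not from the original post or the Cisco document) of the restriction the question asks about on a two-interface transparent ASA. It assumes ASA 8.x transparent-mode syntax, interface names inside/outside, host 1.1.1.1 behind inside, host 1.1.1.2 behind outside, and a management address of 1.1.1.254, all of which are assumptions.

```cisco
! Added example, not from the original post. Assumes ASA 8.x transparent
! mode with 1.1.1.1 behind "inside", 1.1.1.2 behind "outside", and an
! assumed management address 1.1.1.254 on the same /24 (transparent mode
! requires the bridged networks to share one subnet).
firewall transparent
!
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
!
ip address 1.1.1.254 255.255.255.0
!
! Only 1.1.1.1 may initiate IP traffic to 1.1.1.2. Everything else arriving
! on the inside segment (including the rest of 1.1.1.0/24) is dropped and
! logged, so the denies are visible in syslog rather than silently hitting
! the implicit deny at the end of the list.
access-list INSIDE_IN extended permit ip host 1.1.1.1 host 1.1.1.2
access-list INSIDE_IN extended deny ip any any log
!
! Nothing may be initiated from the outside segment. Return traffic for
! sessions opened by 1.1.1.1 is allowed by the stateful connection table,
! so no permit entry is needed here for that.
access-list OUTSIDE_IN extended deny ip any any log
!
access-group INSIDE_IN in interface inside
access-group OUTSIDE_IN in interface outside
!
! ARP between the two segments passes through a transparent ASA without an
! access list; other non-IP EtherTypes would need an EtherType access list.
```

After applying this, `show access-list INSIDE_IN` reports per-entry hit counts, which confirms that only the first entry is matching during normal operation and that the deny entry is catching anything unexpected.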
