04-21-2009 08:09 AM - edited 03-11-2019 08:21 AM
If an ASA is in transparent mode, can you still use access-lists? i.e. host A resides on interface 1 and has an IP of 1.1.1.1/24, and another host resides on interface 2 and has the IP 1.1.1.2/24. Can you restrict traffic to be permitted from 1.1.1.1 to 1.1.1.2 only, without allowing access to the rest of the 1.1.1.x network?
04-21-2009 12:19 PM
Simple answer, yes, use extended access lists to control traffic crossing the ASA. However, that's assuming your design is the normal 2-interface Transparent mode.
Details...
Since you're using the Bridge / Transparent mode, you're well aware that you are effectively designing a pass-through "bump in the wire" L2 device. I'm also guessing that you are staying true to the "Stealth" design and only using the inside and outside interfaces, not additional interfaces like a traditional Routed DMZ design. To that point, your servers are on different sides of the FW? Your sample IPs would seem to state otherwise.
Important points from the document below.
- Each directly connected network must be on the same subnet.
- You must use an extended access list to allow Layer 3 traffic, such as IP traffic, through the security appliance.
You can also optionally use an EtherType access list to allow non-IP traffic through.
Cisco Transparent ASA document:
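The configuration below is an added illustration of what the answer describes (extended ACLs on a two-interface transparent ASA); it is not from the poster or from Cisco's document. It assumes the 8.2-era transparent-mode syntax current when this thread was written (a single global management `ip address` rather than a BVI), interface names `inside`/`outside`, 1.1.1.1 behind `inside`, 1.1.1.2 behind `outside`, and a management address of 1.1.1.10 chosen from the same /24, as the "same subnet" rule requires. The ACL names are arbitrary.

```cisco
! --- Added example config (assumed 8.2-era syntax, not the original post's) ---
firewall transparent
!
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Transparent mode: the management IP must sit in the same subnet as both
! directly connected segments (1.1.1.0/24 here); 1.1.1.10 is an assumed value.
ip address 1.1.1.10 255.255.255.0
!
! Only 1.1.1.1 -> 1.1.1.2 is permitted. Every other IP flow entering "inside",
! including 1.1.1.1 to the rest of 1.1.1.0/24, is dropped by the implicit deny
! at the end of the list. Return traffic for permitted flows is allowed by the
! stateful inspection, so no mirror entry is needed for replies.
access-list INSIDE_IN remark permit only host A to host B
access-list INSIDE_IN extended permit ip host 1.1.1.1 host 1.1.1.2
access-group INSIDE_IN in interface inside
!
! Sessions initiated by 1.1.1.2 toward 1.1.1.1 need their own entry on the
! other interface; omit this block if only A is allowed to initiate.
access-list OUTSIDE_IN remark permit only host B to host A
access-list OUTSIDE_IN extended permit ip host 1.1.1.2 host 1.1.1.1
access-group OUTSIDE_IN in interface outside
!
! Checks: confirm the mode, then watch hit counts while generating traffic.
! show firewall
! show access-list INSIDE_IN
! show access-list OUTSIDE_IN
```

Two caveats a practitioner would verify on the box: ARP and other non-IP frames are not governed by these extended ACLs in transparent mode (that is what the EtherType access list mentioned above controls), so "restricted" here means IP traffic; and on ASA 8.4 and later the interfaces additionally need a `bridge-group` with the management address on the `BVI` interface instead of the global `ip address` line, while the `access-list`/`access-group` lines are unchanged. `show access-list` displaying a rising `hitcnt` on the permit entry, and none on any other flow, is the quickest confirmation that only 1.1.1.1 to 1.1.1.2 is getting through.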