ASA Transparent mode security

networker99
Level 1

If an ASA is in transparent mode, can you still use access-lists? i.e. host A resides on interface 1 and has an IP of 1.1.1.1/24, and another host resides on interface 2 and has the IP 1.1.1.2/24. Can you restrict traffic to be permitted from 1.1.1.1 to 1.1.1.2 only, without allowing access to the rest of the 1.1.1.x network?

Accepted Solution

maratkinson
Level 1

Simple answer, yes, use extended access lists to control traffic crossing the ASA. However, that's assuming your design is the normal 2-interface Transparent mode.

Details...

Since you're using the Bridge / Transparent mode, you're well aware that you are effectively designing a pass-through "bump in the wire" L2 device. I'm also guessing that you are staying true to the "Stealth" design and only using the inside and outside interfaces, not additional interfaces like a traditional Routed DMZ design. To that point, your servers are on different sides of the FW? Your sample IPs would seem to state otherwise.

Important points from the below document.

- Each directly connected network must be on the same subnet.

- You must use an extended access list to allow Layer 3 traffic, such as IP traffic, through the security appliance.

You can also optionally use an EtherType access list to allow non-IP traffic through.

Cisco Transparent ASA document:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml
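As an added illustration (not part of this thread or the linked Cisco document), a minimal two-interface transparent-mode configuration that permits only 1.1.1.1 to 1.1.1.2 and logs every other flow on the subnet; the interface names, the management address 1.1.1.254 and the pre-8.4 single-bridge syntax are assumptions:

```cisco
! Added example, not from the thread or the Cisco document.
! Assumes ASA pre-8.4 transparent mode: one bridge, global management IP.
firewall transparent
!
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100
!
! Management address must sit on the same subnet as the bridged hosts.
ip address 1.1.1.254 255.255.255.0
!
! Extended ACL on the host-A side: IP traffic through a transparent ASA
! needs an explicit permit. Only the single host pair is allowed; the
! explicit deny (with log) drops and records the rest of 1.1.1.0/24.
access-list INSIDE_IN extended permit ip host 1.1.1.1 host 1.1.1.2
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Lock the other direction down as well: nothing may initiate from the
! outside side. Replies for connections opened from 1.1.1.1 still pass,
! because ACLs are evaluated only for new connections and the stateful
! inspection permits the return traffic.
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! ARP is bridged without any ACL; only other non-IP EtherTypes would
! need an EtherType access list.
```

Verification: `show access-list INSIDE_IN` shows hit counts per line, and the deny-with-log entries appear in syslog (ASA-4-106023) so that unexpected 1.1.1.x traffic is visible without being forwarded.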
