ASA transparent mode

Unanswered Question
Jul 23rd, 2009

We added an ASA 5510 to a subnet 10.10.1.x, gave the ASA IP address of . We want to isolate traffic from server from the rest of the subnet.

But once we connect the ASA to the switch it takes all traffic from 10.10.1.xx subnet.

How do we prevent the ASA from taking all traffic for that subnet and just for the server connected to the outside interface?

Can this be done in transparent mode or must I use routed mode?


Jon Marshall Thu, 07/23/2009 - 10:42


Not quite sure what you mean by "But once we connect the ASA to the switch it takes all traffic from 10.10.1.xx subnet."

In transparent mode the ASA separates devices on the same subnet. So the inside and outside interfaces are in the same subnet. So anything on the inside that wants to talk to anything on the outside interface has to go through the ASA and vice-versa.

If this isn't what you want, routed mode wouldn't really help either unless you readdress the server to be on a different subnet.


durhamcs Thu, 07/23/2009 - 10:55

What is happening is traffic from 10.10.2.x intended for is being routed through the ASA.

Is there a way in transparent mode to prevent this?

Jon Marshall Thu, 07/23/2009 - 11:05


It depends on where the device is in relation to the 10.10.2.x devices and where the routed interface for 10.10.1.x and 10.10.2.x is eg. (router) -> 10.10.1.x -> ASA -> 10.10.1.y

if a 10.10.2.x device needs to talk to a 10.10.1.x device then it shouldn't go through the ASA. But if a 10.10.2.x device needs to talk to a 10.10.1.y device it has to go through the ASA as there is no other way to get there.

And no you can't prevent this.


durhamcs Thu, 07/23/2009 - 11:12

I agree but when we connect the ASA to the switch all traffic for 10.10.1.x is being routed to it including traffic for


What would cause this?

durhamcs Thu, 07/23/2009 - 11:58

10.10.2.x -switch - 10.10.1.x

- ASA ( -

Jon Marshall Thu, 07/23/2009 - 12:02


switch = L3 switch ?

And you are saying traffic from 10.10.2.x to 10.10.1.x is going via the ASA ?

And which interface is inside and outside on ASA ?


durhamcs Thu, 07/23/2009 - 12:11

Yes, traffic from 10.10.2.x is going to 10.10.1.x via the ASA (not what I want).

e0/0 outside

e0/1 inside

switch is a L3 switch

Jon Marshall Thu, 07/23/2009 - 12:19


Apologies for the repetition but really just need to clarify

10.10.2.x -switch - 10.10.1.x

- ASA ( -


10.10.2.x -> L3 switch -> 10.10.1.y -> ASA -> 10.10.1.x (including

traffic from 10.10.2.x to 10.10.1.y is going via the ASA? How are you verifying this?

Could you actually fill in the details below ie. fill in the ? and specify which interface is inside and outside

10.10.2.x -> L3 switch (10.10.1.?) -> (10.10.1.? - outside/inside interface) ASA ( 10.10.1.? - outside/inside interface)


durhamcs Thu, 07/23/2009 - 12:52

10.10.2.x -> L3 switch ( -> ( - inside interface) ASA ( - outside interface) - server

I can confirm by looking at the traffic logs on the ASA

Jon Marshall Thu, 07/23/2009 - 13:08

If the rest of the 10.10.1.x subnet is between the L3 switch and the inside interface of the ASA then only traffic for server should go through the ASA.

Traffic from 10.10.2.x to the rest of the 10.10.1.x subnet ie. the subnet between the L3 switch and the inside interface of the ASA should not go via the ASA.

If this is actually happening you may want to recheck your connections.


Kevin Redmon Sun, 07/26/2009 - 18:19

There are two separate issues as I see it:

1.) Securing host from the rest of the subnet.

2.) The ASA taking all traffic from the 10.10.1.xx subnet.

Issue #1:

The best way to isolate the server from the others is to put a Layer-3 device (like the ASA) between the other servers and the server. One way to do this is to put the server on another interface (such as a DMZ) - changing its IP address configuration to Then, with this statement:

static (DMZ,inside)

The server would look like IP address on the inside interface - you could configure access-lists to prohibit any client from accessing this server.

Issue #2:

As for issue #2, please confirm that your static statements are as specific as possible and correct.

When you implement a static statement, the second interface in the static statement is going to be the interface where ARP Replies will be sent. For instance:

static (inside, outside) netmask

In this statement, the inside interface is where the host is physically. The outside interface will reply to any ARP Requests for the host.

If you were to use a less specific static statement such as:

static (inside,outside) netmask

the ASA will send ARP Replies for all ARP Requests on the outside interface, effectively pulling all traffic towards the outside interface of the ASA.

If the static statement is written incorrectly (inverting the order of the interfaces), that too can cause anomalous behavior.

If you confirm the static statements above then you may consider doing a 'sysopt noproxyarp ' for the problem interface. Doing this will disable ALL ARP Replies (except for the interface IP address) on the relevant interface. In most situations, this is not necessary. You can reference this command here for ASA 8.0(x):
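The following is an added example, not part of the original thread or of Cisco's documentation, that puts Kevin's two points side by side in routed-mode ASA 8.0(x) syntax: the server moved to a DMZ interface (issue #1), a too-broad static that makes the ASA proxy-ARP for the whole 10.10.1.x subnet on the switch side, and the specific static that answers only for the server's mapped address (issue #2). Every address, interface name and access-list name below is a hypothetical stand-in for the values elided in the posts; the topology follows the thread (L3 switch on the inside interface, server behind the ASA).

```text
! Added example (not from the thread). Routed-mode ASA 8.0(x) syntax.
! Hypothetical addressing: inside interface in 10.10.1.0/24 toward the L3 switch,
! server readdressed to 192.168.10.50 on an interface named DMZ, and the server
! presented to the switch side as 10.10.1.50.
!
! --- Weak: a /24 identity-style static for the whole subnet ---
! The mapped interface is the second one in parentheses (inside), so the ASA
! answers ARP on inside for EVERY 10.10.1.x address, including hosts that live on
! the switch side. The L3 switch then forwards all 10.10.1.x traffic into the ASA,
! which is the symptom described in the thread.
static (DMZ,inside) 10.10.1.0 192.168.10.0 netmask 255.255.255.0
!
! --- Corrected: one /32 static for the server only ---
no static (DMZ,inside) 10.10.1.0 192.168.10.0 netmask 255.255.255.0
static (DMZ,inside) 10.10.1.50 192.168.10.50 netmask 255.255.255.255
!
! Isolate the server: allow only the clients and ports it needs from the switch
! side (here 10.10.2.0/24 to HTTPS, assumed) and deny the rest of 10.10.1.x.
access-list inside_in extended permit tcp 10.10.2.0 255.255.255.0 host 10.10.1.50 eq 443
access-list inside_in extended deny ip 10.10.1.0 255.255.255.0 host 10.10.1.50
access-group inside_in in interface inside
!
! --- Last resort, if a broad static must stay ---
! Stop proxy ARP on the problem interface. The ASA then answers ARP only for the
! interface's own address, so the L3 switch needs a /32 route for 10.10.1.50 that
! points at the ASA's inside interface address for the mapping to stay reachable.
sysopt noproxyarp inside
!
! Verification: any static still listed with a mask shorter than /32 is the one
! pulling traffic; show xlate shows which translations are actually built.
show running-config static
show xlate
show arp
```

The access-list is ordered permit-then-deny on purpose: the explicit deny for the rest of the local subnet documents the isolation requirement from the original question, and the implicit deny at the end of the list still drops anything else.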

