ASA Transparent mode with Trunk interfaces

Unanswered Question
Jun 16th, 2011

Hope that someone can point me in the right direction.

We have a 5580 that we want to connect to each of our 7K's as an internal firewall.  To minimize hassle, we will setup the ASA in transparent mode.

I have been working on this all day today and have run into a stopping point.  If I put vlan 20 on a subinterface on Te7/0 which will connect to N7K_1 it works great.  When I try to put that same vlan on Te7/1 which connects to N7K_2, I get an error that says the vlan is already assigned to another interface.

Our local Cisco SE told us that this would work. When I called TAC today for help, they said it wasn't supported and wouldn't work.

My problem is that not all of our servers/systems are dual homed to both 7K's so I have to be able to get this to work because of potential asymmetric routing issues that we will be dealing with.

Has anyone been able to get the 5580 to work in this configuration and can you share your config with me ?

Using the redundant interface command isn't an option because I need both interfaces to be able to route over both 7K's at all times.

Any suggestions will be appreciated.

Ron

mayrojas Thu, 06/16/2011 - 19:07

Hello Ron,

To be honest I have never seen a transparent firewall with vlans, but here is what I think. Basically, on the ASA firewall (as far as the documentation goes) you can use only 2 interfaces, unless you have multiple contexts, hence you can only use two vlans; as far as you are going, no issues there.

Now The scenario that we normally use (and the one we support) is putting the inside on one Vlan and the outside in another one totally different.

This is because if you have two devices that you are isolating (on the same switch, assuming that you only have one), and they are both on the same vlan, they are always going to bypass the firewall, always, because the mac-address table of the firewall is going to be built and so on, but the switch is going to send the packet to the connected host based on ITS mac-address table, instead of passing it to the entry that it has for the FW.

In the scenario that I am describing (Different vlans for the two interfaces), the switch is going to be forced to send the packet to the ASA firewall, because the switch will now have two different mac-address table entries, one that goes directly to the intended host (but on different vlan so the packet is discarded) and the one that goes thru the ASA (valid adjacency since they are on the same vlan), the packet goes thru the firewall and the policies are applied.

Normally, you don't need to configure the port with subinterfaces, since you can easily just configure the port as an access port and connect the ASA to that port on the inside vlan, and then do the same for the outside.

If you need to set it up this way because of asymmetric routing, well, that may be a design issue. Either way, if you need to have it this way, I think what you can do is to do it exactly the way I described (the different vlans) and set tcp-state-bypass for support with asymmetric routing.

Document

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/s1.html#wp1428242

Configuration example

http://www.cisco.com/en/US/products/ps6120/products_configuration_example09186a0080b2d922.shtml

Never tried it before on a transparent firewall, only in routed mode, but the same principle applies and I can't think of anything that won't let you do it.

I am sorry that it took you all day working on this, and if you have any inputs, questions, doubts, whatever, please feel free to contact me back, I will be glad to help you out.

Mike.
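The design Mike describes, written out as an added configuration example (not Mike's or Ron's own config, and not taken from the linked Cisco documents): the ASA runs in transparent mode with the outside on one VLAN and the inside on a different VLAN, each on a trunk subinterface, and a Modular Policy Framework policy enables TCP state bypass only for the subnet whose return traffic can arrive asymmetrically. The interface names Te7/0, Te7/1 and VLAN 20 come from the thread; the inside VLAN 120, the 10.20.0.0/24 server subnet, the management address and the object names are assumed values chosen for illustration. Syntax follows the 8.2 command reference the thread links to.

```cisco
! Assumed example: transparent mode, different VLAN per side,
! TCP state bypass scoped to one server subnet.
firewall transparent

! Outside: VLAN 20 (from the thread) on the trunk toward N7K_1
interface TenGigabitEthernet7/0
 no shutdown
interface TenGigabitEthernet7/0.20
 vlan 20
 nameif outside
 security-level 0

! Inside: VLAN 120 (assumed) on the trunk toward N7K_2
interface TenGigabitEthernet7/1
 no shutdown
interface TenGigabitEthernet7/1.120
 vlan 120
 nameif inside
 security-level 100

! Transparent-mode management address (assumed; must be in the bridged subnet)
ip address 10.20.0.2 255.255.255.0

! Scope state bypass as narrowly as possible: bypassed flows get no
! stateful TCP inspection, so match only the hosts that truly need it.
access-list tcp_bypass extended permit tcp 10.20.0.0 255.255.255.0 any

class-map tcp_bypass
 match access-list tcp_bypass

policy-map tcp_bypass_policy
 class tcp_bypass
  set connection advanced-options tcp-state-bypass

! Apply on the interface where the asymmetric flows enter
service-policy tcp_bypass_policy interface inside
```

After applying it, `show service-policy interface inside` should list the tcp_bypass class with packet counters, and `show conn` marks bypassed flows with the "b" flag; if ordinary inside hosts that do not need bypass also show that flag, the access-list is wider than intended and is removing stateful protection from traffic that could keep it.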

Ronald Nutter Fri, 06/17/2011 - 08:01

We will have one trunk interface on the 5580 going to the N7K_1 and the other trunk interface on the 5580 going to N7K_2.

Each trunk interface will carry the vlan (which will be on the "outside" interface on the trunk connection) that the company will use to talk to the servers that are on a vlan that will be on the "inside" interface.  The problem I am having is that the vlan I have configured for the trunk interface connection going to the N7K_2 has to be the same vlan as on the trunk connection going to the N7K_1.  I get an error that says it can't assign the vlan because it is on another interface.

Since we have servers on one Nexus 7K that aren't dual homed to the other N7K, I need to be able to have the ASA talk to both N7K's.  We want to have granular controls on the different vlans that will be on this type of connection.  We have tried bringing up the 5580 along with another one as two separate ASA's but ran into the same asymmetric routing issue I have outlined.  It's starting to look like going with the 5580's wasn't what we needed to do.  We will have to look at putting them in storage until we can figure out what to do with them.

mayrojas Fri, 06/17/2011 - 09:56

Hi,

May I ask why it has to be the same vlan ID? I know that you have servers on both N7K's and that you maybe don't want to change the IP scheme, but it doesn't matter; it will just be the vlan ID that forces the packets to go through the ASA firewall, the IP scheme won't change.

Still, you have the asymmetric problem; you can solve it with tcp-state-bypass.

Mike.


This Discussion

Posted June 16, 2011 at 1:47 PM