Cisco ASA 5500 - Transparent and Routed Mode

Unanswered Question
Jun 27th, 2012

Hi All,

Appreciate any help you can give here. I have a Cisco ASA that I am trying to configure in a unique way; I want it to perform a variety of tasks:

VPN SSL

VPN Tunnels

Firewall Inside to Outside and vice versa

But the difficult task is creating a DMZ with devices that are assigned fully routed IP addresses from our ISP directly; these are H.323 and SIP devices that cannot use NAT and must have a fully routed IP address assigned to them.

Obviously the problem I have with the firewall in its default routed mode is that it won't allow me to overlap IP addresses on the outside interface with the DMZ interface.

Could the Firewall be configured for Transparent mode between Outside and DMZ, but Routed mode between Outside and Inside?

Eth0/0: 10.0.0.0/24 (inside)

Eth0/1: 190.0.0.0/24 (dmz)

Eth0/2: 190.0.0.0/24 (outside)

Or can anyone else think of a way around this? I understand this is possible with 2 firewalls:

ISP Router ---> [Firewall 1 in Transparent Mode] ---> Effective DMZ ---> [Firewall 2 in Routed Mode] ---> LAN

But could the new Cisco ASA with the latest firmware and model be able to do this with 1 physical firewall?

Any alternative suggestions are greatly welcomed.

Thanks!

hobbe Wed, 06/27/2012 - 01:15

Hi

AFAIK, no, you cannot make VPN, transparent and routing work in the same unit.

I would not want the DMZ and the outside interface to have overlapping IP address ranges.

Logging and trying to keep track of it all would be way too confusing for me.

So what I would do is split the external network into two network units (/25) and move all the units that can be moved to a DMZ with RFC 1918 addresses.

The units that cannot be moved from the external network would have to stay put "for now" in another DMZ with the 190 addresses (/25).

This would need the ISP to change their routing table in the edge equipment; the lower (or upper) part of 190.X.X.X/25 would be the DMZ and needs to be routed to the firewall IP address.

Then, as time passes, the DMZ will be depopulated as equipment is moved out and replaced, and in the end you will have the ISP merge the two 190.x.x.x/25 address ranges into one /24; you will be back to today's setup but with all the servers in an RFC 1918 network.

Do not use NAT; use PAT instead when it comes to the IP addresses translated from the Internet side. It makes for a much more secure network and you do not need as many IP addresses (in a normal case).

With NAT you are translating the whole IP address, but with PAT you translate the port, so you can have IP X port 25 go to IP Y port 25 and then have IP X port 80 go to IP Z port 80, or maybe 8080, or whatever port you want.

Good luck

HTH
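An added check, not part of the thread, that models the two points in the reply above: the overlapping DMZ/outside subnets a routed-mode ASA refuses, the /25 split that removes the overlap, and a sanity check on a static PAT table so two forwards never claim the same outside ip:port. The addresses are the thread's examples; the plan dictionary and the PAT rule tuples are constructed here.

```python
import ipaddress

# Constructed plan using the original post's addresses: DMZ and outside
# both sit in 190.0.0.0/24, which a routed-mode ASA will not accept.
ORIGINAL_PLAN = {
    "inside": "10.0.0.0/24",
    "dmz": "190.0.0.0/24",
    "outside": "190.0.0.0/24",
}

def overlapping_interfaces(plan):
    """Return sorted interface pairs whose connected subnets overlap."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names)
            for b in names[i + 1:] if nets[a].overlaps(nets[b])]

def split_isp_block(cidr, dmz_half="lower"):
    """Split the ISP /24 into two /25s (option 1 in the thread) and return
    (dmz_subnet, outside_subnet); the ISP must route the DMZ half to the ASA."""
    lower, upper = ipaddress.ip_network(cidr).subnets(prefixlen_diff=1)
    return (lower, upper) if dmz_half == "lower" else (upper, lower)

def replan(plan, dmz_half="lower"):
    """Rebuild the interface plan with the split block so nothing overlaps."""
    dmz, outside = split_isp_block(plan["dmz"], dmz_half)
    return {"inside": plan["inside"], "dmz": str(dmz), "outside": str(outside)}

def pat_conflicts(rules):
    """rules: (outside_ip, outside_port, inside_ip, inside_port) tuples.
    Return outside (ip, port) keys that point at more than one inside
    target, which a static PAT table cannot express."""
    seen, conflicts = {}, []
    for out_ip, out_port, in_ip, in_port in rules:
        key = (out_ip, out_port)
        target = seen.setdefault(key, (in_ip, in_port))
        if target != (in_ip, in_port) and key not in conflicts:
            conflicts.append(key)
    return conflicts

if __name__ == "__main__":
    print("overlaps:", overlapping_interfaces(ORIGINAL_PLAN))
    fixed = replan(ORIGINAL_PLAN)
    print("split plan:", fixed, "overlaps:", overlapping_interfaces(fixed))
    # Constructed PAT table: two forwards both claim 190.0.0.10:80.
    print("pat conflicts:", pat_conflicts([
        ("190.0.0.10", 25, "10.0.0.5", 25),
        ("190.0.0.10", 80, "10.0.0.6", 8080),
        ("190.0.0.10", 80, "10.0.0.7", 80),
    ]))
```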

David Anstee Wed, 06/27/2012 - 01:37

I thought as much, so really I have 2 options:

1. Split the subnet from the ISP and assign it to each interface; this requires a route change on the ISP router.

2. I have a spare PIX firewall, so I could use 2 firewalls as per:

ISP Router ---> [Firewall 1 in Transparent Mode] ---> Effective DMZ ---> [Firewall 2 in Routed Mode] ---> LAN

hobbe Wed, 06/27/2012 - 03:25

Hi

Option 1 would work but I would not go with option 2.

Why?

Well, first of all, single point of failure: you are adding more units in a chain, and if any unit in the chain breaks you will have an outage. The fewer units in the chain you have, the better it is from an operational standpoint.

Also, you will have a harder time managing both firewalls to get traffic through to the correct places and stop the rest.

Two firewalls in a row was a thing one used several years ago, but it was abandoned (mostly) due to the heavy workload of maintaining the configurations and day-to-day operations.

Many times one can see a third option (like in this case), i.e. parallel firewalls.

You can have one firewall, in this case the transparent one, deal with traffic for the units on the outside (i.e. what you call the DMZ) and then set up a firewall to handle the DMZ with RFC 1918 addresses and other parts such as VPN and LAN.

All you need to do is set up a switch in front of the firewalls and set them in parallel.

Good luck

HTH

David Anstee Wed, 06/27/2012 - 03:39

I really appreciate your help on this.

I quite like the sound of the 3rd option :-)

So...

ISP Router --> [Switch]
                  |
                  |-----> [Firewall Routed Mode] ---> LAN
                  |
                  |-----> [Firewall Transparent Mode] ---> DMZ

Is that what you are suggesting? I like that idea a lot, thanks very much!

hobbe Wed, 06/27/2012 - 11:07

Yes you can do it that way.

You can also set up a new NIC in the servers that are behind the transparent firewall and then use that NIC to create a new network that can be a DMZ on the routed firewall.

Then you just set the routing table in your servers according to where your networks are.

That can make things easier when it comes to the servers communicating with the LAN, for example.

If you feel that you are helped then feel free to rate.

Good luck

HTH

This Discussion

Posted June 27, 2012 at 12:38 AM