01-20-2017 12:26 AM - edited 03-12-2019 01:48 AM
Can I use an ASA-5525X in transparent mode in the following situations?
1. Four interfaces in the same vlan (two inside, two outside)
2. Two interfaces in one subnet and another two interfaces in another subnet
--
Please remember to select a correct answer and rate helpful posts
01-20-2017 02:25 AM
When running in transparent mode, all interfaces belong to one IP subnet. But you can use VLANs (to be more exact, subinterfaces that belong to a VLAN) to separate the systems onto different firewall interfaces. That is how I run my home-office ASA. All devices and the ESX server are connected to one layer-2 switch and belong to the same IP subnet, but all traffic between the systems (also the virtual ones) is filtered by the transparent firewall.
But when running transparent, the ASA doesn't route anymore. I've never set it up that way, but as a workaround, you could convert the ASA to multiple-context mode (which gives you multiple virtual firewalls) and run one context transparent and another one routed.
01-21-2017 07:11 AM
1. Four interfaces in the same vlan (two inside, two outside)
Having four interfaces in the same VLAN will not accomplish anything with regard to the transparent firewall. They would still be in the same broadcast domain so traffic will actually never go through the ASA for inspection / packet filtering. This is why you need a minimum of two VLANs for transparent firewall setup to work.
2. Two interfaces in one subnet and another two interfaces in another subnet
This is easily done, just create two BVI interfaces and then add each interface to the required bridge-group. For example, you could do something like the following:
firewall transparent
! Bridge group 1 carries the 10.10.10.0/24 segment, bridge group 2 the 10.10.11.0/24 segment.
! Each BVI address is the ASA's own management address on that segment, not a gateway.
interface BVI1
 ip address 10.10.10.1 255.255.255.0
interface BVI2
 ip address 10.10.11.1 255.255.255.0
! Inside/outside pair for segment 1
int ethernet 1
 security-level 100
 nameif inside1
 bridge-group 1
 no shutdown
int ethernet 2
 security-level 0
 nameif outside1
 bridge-group 1
 no shutdown
! Inside/outside pair for segment 2
int ethernet 3
 security-level 100
 nameif inside2
 bridge-group 2
 no shutdown
int ethernet 4
 security-level 0
 nameif outside2
 bridge-group 2
 no shutdown
--
Please remember to select a correct answer and rate helpful posts
01-21-2017 07:47 AM
What are system A, B, C and D? switches, routers, PCs?
You could slip the transparent firewall in between system A and systems B/C, or between systems B/C and system D. Depending on what systems B and C are, you might also be able to place it between them.
If one of the systems is a switch you could connect the ASA to the switch.
--
Please remember to select a correct answer and rate helpful posts
01-21-2017 08:26 AM
Please refer to the attached diagram in the previous thread; they are just end systems.
Now I need to introduce a single firewall in transparent mode without a context-based firewall. Two ACLs: one common ACL for the two outside systems and another common ACL for the two inside systems.
How can I achieve the firewall solution?
01-21-2017 08:56 AM
I am not sure if that is possible with two ACLs. Is using two ACLs a requirement? The issue here is that ACLs are applied on a per-interface basis or via the global ACL.
--
Please remember to select a correct answer and rate helpful posts
01-21-2017 11:24 AM
If possible I would like to define four ACLs, one for each interface. Is it possible, and what should my transparent config be?
01-21-2017 12:33 PM
You could do something like the following. Just replace interface, nameif, and security levels as needed:
conf t
firewall transparent
! One bridge group: all four interfaces share the 192.168.10.0/24 broadcast domain.
! The BVI address is the ASA's own management address in that subnet.
int bvi 1
 ip add 192.168.10.x 255.255.255.0
int e1
 security-level 100
 nameif inside1
 bridge-group 1
 no shut
int e2
 security-level 80
 nameif inside2
 bridge-group 1
 no shut
int e3
 security-level 60
 nameif inside3
 bridge-group 1
 no shut
int e4
 security-level 40
 nameif inside4
 bridge-group 1
 no shut
! One ACL per interface, applied inbound, so each list governs what the host
! behind that interface may initiate. Every ACL ends with an implicit deny.
access-list inside1_in remark host .1 may initiate anything
access-list inside1_in permit ip host 192.168.10.1 any
access-list inside2_in remark host .2: .1 fully, .3 on tcp/80, nothing else local, all non-local
access-list inside2_in permit ip host 192.168.10.2 host 192.168.10.1
access-list inside2_in permit tcp host 192.168.10.2 host 192.168.10.3 eq 80
access-list inside2_in deny ip host 192.168.10.2 192.168.10.0 255.255.255.0
access-list inside2_in permit ip any any
access-list inside3_in remark host .3: only DNS to .2 locally, all non-local
access-list inside3_in permit udp host 192.168.10.3 host 192.168.10.2 eq 53
access-list inside3_in deny ip host 192.168.10.3 192.168.10.0 255.255.255.0
access-list inside3_in permit ip any any
access-list inside4_in remark host .4: nothing local, all non-local
access-list inside4_in deny ip host 192.168.10.4 192.168.10.0 255.255.255.0
access-list inside4_in permit ip any any
access-group inside1_in in interface inside1
access-group inside2_in in interface inside2
access-group inside3_in in interface inside3
access-group inside4_in in interface inside4
--
Please remember to select a correct answer and rate helpful posts
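Before pasting a per-interface ACL set like the one above into a transparent ASA, it is worth checking which flows it actually permits, because ASA ACLs are first-match with an implicit deny at the end and a misplaced deny silently changes the policy. The following evaluator is an added example, not code from the original post or from Cisco. It copies the access-list and access-group lines from the post as constructed input and replays the ASA's first-match semantics against them. It assumes host 192.168.10.N is plugged into interface insideN, that only the initiating direction matters (the ASA is stateful, so return traffic is not re-checked against the other interface's ACL), numeric ports only, and plain IPv4 ACEs (no object-groups, no EtherType ACLs). The function names `parse_config`, `evaluate`, `check_flow` and `reachability` are hypothetical names chosen here.

```python
"""First-match evaluator for the four per-interface ACLs posted above (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed input: the access-list / access-group lines from the post, verbatim.
ACL_CONFIG = """
access-list inside1_in permit ip host 192.168.10.1 any
access-list inside2_in permit ip host 192.168.10.2 host 192.168.10.1
access-list inside2_in permit tcp host 192.168.10.2 host 192.168.10.3 eq 80
access-list inside2_in deny ip host 192.168.10.2 192.168.10.0 255.255.255.0
access-list inside2_in permit ip any any
access-list inside3_in permit udp host 192.168.10.3 host 192.168.10.2 eq 53
access-list inside3_in deny ip host 192.168.10.3 192.168.10.0 255.255.255.0
access-list inside3_in permit ip any any
access-list inside4_in deny ip host 192.168.10.4 192.168.10.0 255.255.255.0
access-list inside4_in permit ip any any
access-group inside1_in in interface inside1
access-group inside2_in in interface inside2
access-group inside3_in in interface inside3
access-group inside4_in in interface inside4
"""

# Assumed placement: host 192.168.10.N sits behind interface insideN.
HOST_INTERFACE = {f"192.168.10.{n}": f"inside{n}" for n in range(1, 5)}


@dataclass
class Ace:
    action: str                   # "permit" or "deny"
    proto: str                    # "ip", "tcp", "udp", ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]          # None when the ACE has no "eq PORT" clause


def _addr(tokens, i):
    """Parse one ASA address spec (any | host A | A MASK) starting at tokens[i]."""
    if tokens[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tokens[i] == "host":
        return ipaddress.ip_network(tokens[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tokens[i]}/{tokens[i + 1]}"), i + 2


def parse_config(text):
    """Return ({acl_name: [Ace, ...]}, {interface: acl_name}) from the config lines."""
    acls, bindings = {}, {}
    for line in text.splitlines():
        t = line.split()
        if not t:
            continue
        if t[0] == "access-list":
            # access-list NAME ACTION PROTO SRC DST [eq PORT]
            src, i = _addr(t, 4)
            dst, i = _addr(t, i)
            dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
            acls.setdefault(t[1], []).append(Ace(t[2], t[3], src, dst, dport))
        elif t[0] == "access-group":
            # access-group NAME in interface IFACE
            bindings[t[4]] = t[1]
    return acls, bindings


ACLS, BINDINGS = parse_config(ACL_CONFIG)


def evaluate(ingress, src, dst, proto="ip", dport=None):
    """ASA semantics: the first matching ACE wins; no match is the implicit deny.

    Returns (verdict, 1-based ACE number), or ("deny", None) for the implicit deny.
    """
    name = BINDINGS.get(ingress)
    if name is None:
        return "no-acl", None  # a real ASA falls back to security-level rules here
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, ace in enumerate(ACLS[name], start=1):
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if s not in ace.src or d not in ace.dst:
            continue
        if ace.dport is not None and ace.dport != dport:
            continue
        return ace.action, n
    return "deny", None


def check_flow(src, dst, proto="ip", dport=None):
    """Verdict for a flow that src initiates, entering on the interface src sits behind."""
    return evaluate(HOST_INTERFACE[src], src, dst, proto, dport)


def reachability():
    """Any-protocol (proto=ip) verdict for every ordered pair of the four hosts."""
    return {(a, b): check_flow(a, b)[0]
            for a in HOST_INTERFACE for b in HOST_INTERFACE if a != b}


if __name__ == "__main__":
    for (a, b), verdict in sorted(reachability().items()):
        print(f"{a} -> {b}: {verdict}")
    print(".2 -> .3 tcp/443:", check_flow("192.168.10.2", "192.168.10.3", "tcp", 443))
```

Running it shows the asymmetry the ACLs encode: .1 can initiate to everything, .2 can reach .1 on any protocol but .3 only on tcp/80, .3 can only send DNS to .2, and .4 can reach nothing in the local subnet. Because a `proto="ip"` query skips tcp/udp-specific ACEs, `reachability()` reports .3 -> .2 as deny even though udp/53 is allowed; query the specific port when that distinction matters. Remember this models IP only: in transparent mode ARP is bridged by default and any other non-IP EtherType needs an EtherType ACL that this checker does not evaluate.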
01-21-2017 09:01 AM
With that easy setup (it looks easier now than in your initial request) I would use four ACLs, one per system, and each ACL controls what that device is allowed to reach.