ASA Transparent With Multiple Interfaces & Vlans

avilt
Level 3

Can I use an ASA 5525-X in transparent mode in the following situations?

1. Four interfaces in the same vlan (two inside, two outside)

2. Two interfaces in one subnet and another two interfaces in another subnet


9 Replies

When running in transparent mode, all interfaces belong to one IP subnet. But you can use VLANs (to be more exact, subinterfaces that belong to a VLAN) to separate the systems onto different firewall interfaces. That is how I run my home-office ASA. All devices and the ESX server are connected to one layer-2 switch and belong to the same IP subnet, but all traffic between the systems (also the virtual ones) is filtered by the transparent firewall.

But when running transparent, the ASA doesn't route any more. I've never set it up that way, but as a workaround, you could convert the ASA to multiple context mode (which gives you multiple virtual firewalls) and run one context transparent and another one routed.

1. Four interfaces in the same vlan (two inside, two outside)

Having four interfaces in the same VLAN will not accomplish anything with regard to the transparent firewall. They would still be in the same broadcast domain, so traffic will actually never go through the ASA for inspection / packet filtering. This is why you need a minimum of two VLANs for a transparent firewall setup to work.

2. Two interfaces in one subnet and another two interfaces in another subnet

This is easily done: just create two BVI interfaces and then add each interface to the required bridge-group. For example, you could do something like the following:

! One BVI per bridge group; each BVI address must sit in that group's subnet
interface BVI1
  ip address 10.10.10.1 255.255.255.0
interface BVI2
  ip address 10.10.11.1 255.255.255.0
!
! Bridge group 1: first subnet (10.10.10.0/24), inside1 <-> outside1
interface ethernet 1
  security-level 100
  nameif inside1
  bridge-group 1
  no shutdown
interface ethernet 2
  security-level 0
  nameif outside1
  bridge-group 1
  no shutdown
!
! Bridge group 2: second subnet (10.10.11.0/24), inside2 <-> outside2
interface ethernet 3
  security-level 100
  nameif inside2
  bridge-group 2
  no shutdown
interface ethernet 4
  security-level 0
  nameif outside2
  bridge-group 2
  no shutdown

--

Please remember to select a correct answer and rate helpful posts

Please refer to the attached diagram.

Now I need to introduce a single firewall in transparent mode without a context-based firewall. Two ACLs: one common ACL for the two outside systems and another common ACL for the two inside systems.

How can I achieve the firewall solution?

What are systems A, B, C and D? Switches, routers, PCs?

You could slip the transparent firewall in between system A and systems B/C, or between systems B/C and system D. Depending on what systems B and C are, you might also be able to place it between them.

If one of the systems is a switch, you could connect the ASA to the switch.

--

Please remember to select a correct answer and rate helpful posts

Please refer to the attached diagram in the previous post; they are just end systems.

Now I need to introduce a single firewall in transparent mode without a context-based firewall. Two ACLs: one common ACL for the two outside systems and another common ACL for the two inside systems.

How can I achieve the firewall solution?

I am not sure if that is possible with two ACLs. Is using two ACLs a requirement? The issue here is that ACLs are applied on a per-interface basis, or you use the global ACL.

--

Please remember to select a correct answer and rate helpful posts

If possible I would like to define 4 ACLs, one per interface. Is it possible, and what should my transparent config be?

You could do something like the following. Just replace interface names, nameif and security levels as needed:

conf t
firewall transparent
!
! Single bridge group; the BVI address is only used for traffic to/from
! the ASA itself (management). Replace x with an unused host address in the subnet.
interface bvi 1
  ip address 192.168.10.x 255.255.255.0
!
! One physical interface per end system, all in bridge-group 1.
! Security levels differ so no same-security-traffic permit is required.
interface e1
  security-level 100
  nameif inside1
  bridge-group 1
  no shutdown
interface e2
  security-level 80
  nameif inside2
  bridge-group 1
  no shutdown
interface e3
  security-level 60
  nameif inside3
  bridge-group 1
  no shutdown
interface e4
  security-level 40
  nameif inside4
  bridge-group 1
  no shutdown
!
! Inbound ACL per interface; first match wins, implicit deny at the end.
! inside1 (192.168.10.1): may reach anything
access-list inside1_in permit ip host 192.168.10.1 any
!
! inside2 (192.168.10.2): all IP to .1, HTTP to .3, nothing else on-subnet,
! anything off-subnet
access-list inside2_in permit ip host 192.168.10.2 host 192.168.10.1
access-list inside2_in permit tcp host 192.168.10.2 host 192.168.10.3 eq 80
access-list inside2_in deny ip host 192.168.10.2 192.168.10.0 255.255.255.0
access-list inside2_in permit ip any any
!
! inside3 (192.168.10.3): DNS to .2 only on-subnet, anything off-subnet
access-list inside3_in permit udp host 192.168.10.3 host 192.168.10.2 eq 53
access-list inside3_in deny ip host 192.168.10.3 192.168.10.0 255.255.255.0
access-list inside3_in permit ip any any
!
! inside4 (192.168.10.4): nothing on-subnet, anything off-subnet
access-list inside4_in deny ip host 192.168.10.4 192.168.10.0 255.255.255.0
access-list inside4_in permit ip any any
!
! Bind each ACL inbound on its interface
access-group inside1_in in interface inside1
access-group inside2_in in interface inside2
access-group inside3_in in interface inside3
access-group inside4_in in interface inside4

--

Please remember to select a correct answer and rate helpful posts

With that easy setup (it looks easier now than in your initial request) I would use four ACLs, one per system, and each ACL controls what that device is allowed to reach.
