5525-X Setup

avilt
Level 3

I have to set up a new 5525-X firewall with IPS (software module) in transparent mode; I'd appreciate it if someone could clarify my doubts.

a) On this model what are the minimum required commands at the interface level after setting the firewall mode in transparent?

b) Do I need to define bridge groups in this model?

c) I used ASDM to set up the basic settings, but I am confused by the following output. Why do I need two IP addresses for management?

Management IP Address: 192.168.1.6

Named interfaces:

    Inside (GigabitEthernet0/1), IP Address not Defined

    Management (Management0/0), 192.168.1.1

    Outside (GigabitEthernet0/0), IP Address not Defined

d) What should be the ideal security level for the management interface? Since this interface does not allow pass-through traffic, how does the ASA apply policies on this interface?


12 Replies

Julio Carvajal
VIP Alumni

a) On this model what are the minimum required commands at the interface level after setting the firewall mode in transparent?

You use BVI interfaces to configure the IP address. You can have up to 2 physical interfaces joining a BVI.

b) Do I need to define bridge groups in this model?

Yes, which makes everything easier and more scalable

c) I used ASDM to set up the basic settings, but I am confused by the following output. Why do I need two IP addresses for management?

Remember that there is a dedicated OOB interface for management purposes only. Then when you configure a BVI you can still use that one as a management interface.

d) What should be the ideal security level for the management interface? Since this interface does not allow pass-through traffic, how does the ASA apply policies on this interface?

Well, I mean the interface is already restricted. The ASA will not allow traffic going through this interface, so there is no such setting that will change this behavior. No need to worry about any kind of security measure for it.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Bridge-group makes it more scalable. Does it mean that I can have multiple bridge groups and multiple ACLs/policies per bridge group?

Are my following commands correct?

interface GigabitEthernet0/0
 nameif Outside
 bridge-group 1
 security-level 100
interface GigabitEthernet0/1
 nameif Inside
 bridge-group 1
 security-level 100
interface BVI1
 ip address 192.168.1.1 255.255.255.0

Yes, they mean that.

Exactly those are the commands

Regards,

Jcarvaja

So on a firewall with 8 interfaces I can have 4 virtual firewalls in transparent mode.

Hello,

Yes, that's why they were introduced into ASA code.

Before, we were restricted to one L3 domain in transparent mode (unless running multiple contexts).

Regards,

Jcarvaja
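The commands confirmed above put the IP address on the BVI and leave the members with only nameif, bridge-group and security-level, and the follow-up answer says several bridge groups may coexist. As an added example (not part of the thread and not Cisco code), the following Python checker parses a running-config fragment and reports the layout mistakes that this thread's questions touch: a bridge group with no BVI or no BVI address, a member without nameif or security-level, an IP address on a bridged member, a management-only interface placed in a bridge group, and more members per BVI than the thread's stated limit. The sample config, the DMZ interface names, the 10.10.0.1 address and the finding codes are all constructed for the example; the per-BVI limit is a parameter because the answer above says 2 and newer releases allow more.

```python
import re
from collections import defaultdict

# Constructed sample: transparent-mode ASA with two bridge groups and the
# dedicated out-of-band management interface. It deliberately has two defects:
# GigabitEthernet0/3 has no security-level, and bridge-group 2 has no BVI2.
SAMPLE_CONFIG = """\
firewall transparent
!
interface GigabitEthernet0/0
 nameif Outside
 bridge-group 1
 security-level 0
!
interface GigabitEthernet0/1
 nameif Inside
 bridge-group 1
 security-level 100
!
interface GigabitEthernet0/3
 nameif DMZ-in
 bridge-group 2
!
interface BVI1
 ip address 192.168.1.1 255.255.255.0
!
interface Management0/0
 management-only
 nameif Management
 security-level 100
 ip address 192.168.1.6 255.255.255.0
"""

# The same config with both defects repaired (also constructed).
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    " nameif DMZ-in\n bridge-group 2\n",
    " nameif DMZ-in\n bridge-group 2\n security-level 100\n",
) + "!\ninterface BVI2\n ip address 10.10.0.1 255.255.255.0\n"


def parse_interfaces(config_text):
    """Return (global_commands, {interface: {command: argument}}).

    Two-word 'ip ...' commands keep both words as the key ('ip address').
    """
    global_cmds, interfaces, current = [], {}, None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):          # top-level command
            current = None
            match = re.match(r"interface\s+(\S+)$", line)
            if match:
                current = match.group(1)
                interfaces[current] = {}
            else:
                global_cmds.append(line)
            continue
        if current is None:                   # indented line outside an interface
            continue
        tokens = line.split()
        if tokens[0] == "ip" and len(tokens) > 1:
            key, arg = " ".join(tokens[:2]), " ".join(tokens[2:])
        else:
            key, arg = tokens[0], " ".join(tokens[1:])
        interfaces[current][key] = arg
    return global_cmds, interfaces


def check_transparent_config(config_text, max_members=2):
    """Return (finding_code, subject) tuples; empty list means the layout is consistent.

    max_members defaults to the per-BVI limit stated in this thread; pass your
    platform's own limit if it differs.
    """
    global_cmds, interfaces = parse_interfaces(config_text)
    findings = []
    if "firewall transparent" not in global_cmds:
        findings.append(("not-transparent", "global"))
    bvis = {}                          # bridge-group number -> BVI settings
    members = defaultdict(list)        # bridge-group number -> member names
    for name, settings in interfaces.items():
        bvi_match = re.fullmatch(r"(?i)bvi(\d+)", name)
        if bvi_match:
            bvis[bvi_match.group(1)] = settings
            continue
        if "bridge-group" not in settings:
            continue                   # e.g. the management-only interface
        group = settings["bridge-group"]
        members[group].append(name)
        if "management-only" in settings:
            # The OOB management port carries no through traffic; it is never bridged.
            findings.append(("management-in-bridge-group", name))
        if "ip address" in settings:
            # In transparent mode the address belongs on the BVI, not the member.
            findings.append(("ip-on-bridged-interface", name))
        for required in ("nameif", "security-level"):
            if required not in settings:
                findings.append((f"missing-{required}", name))
    for group, names in members.items():
        bvi = bvis.get(group)
        if bvi is None or "ip address" not in bvi:
            findings.append(("missing-bvi", group))
        if len(names) > max_members:
            findings.append(("too-many-members", group))
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, check_transparent_config(cfg) or "OK")
```

Run against `show running-config` output saved to a file, the checker reports the sample's two defects and nothing for the repaired copy; raising `max_members` is the only change needed on a release that permits more than two members per bridge group.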

In almost all the config examples in a Google search, they take the 5505 model, where I see VLAN commands. Please elaborate why? Are they L2 ports on the 5505?

The ASA 5505 has a built-in switch, so yes, you keep seeing that, but that does not mean it's in transparent mode.

Regards,

Jcarvaja

On the last note can ASA use mgmt interface (out of band) for traffic originating from itself?

Hello

On an ASA 5500-X, no.

On any other, yes, just by removing the management-only command.

Regards,

Jcarvaja

On a 5525-X model I wish to use the ASA with IPS in transparent mode. In this model the management interface is shared between the ASA and the IPS. Can I have an ASA/IPS implementation without BVI interfaces and use Management0/0 for both the ASA and the IPS?

Hello Avilt,

Remember that you can have more than one BVI interface on the ASA, That's why they were implemented on the ASA.

For the other questions:

Here you go

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080bd5d03.shtml

Cheers,

Julio Carvajal Segura

Fabien GRAGLIA
Level 1

Hi All,

How can I configure a bridge-group? I don't have the bridge-group command available on my ASA 5525-X.

I had upgraded my system, but still no bridge-group commands?

I'd checked with the mode multiple command! Same problem.

So in fact I need the IPS module to configure this feature?
