Cisco Support Community
New Member

5525-X Setup

I have to set up a new 5525-X firewall with IPS (software module) in transparent mode. I would appreciate it if someone clarifies my doubts.

a) On this model what are the minimum required commands at the interface level after setting the firewall mode in transparent?

b) Do I need to define bridge groups in this model?

c) I used ASDM to set up the basic settings but I am confused with the following output. Why do I need two IP addresses for management?

Management IP Address: 192.168.1.6

Named interfaces:

    Inside (GigabitEthernet0/1), IP Address not Defined

    Management (Management0/0), 192.168.1.1

    Outside (GigabitEthernet0/0), IP Address not Defined

d) What should be the ideal security level for the management interface? Since this interface does not allow pass-through traffic, how does the ASA apply policies on this interface?

12 REPLIES

5525-X Setup

a) On this model what are the minimum required commands at the interface level after setting the firewall mode in transparent?

You use BVI interfaces to configure the IP address. You can have up to 2 physical interfaces joining a BVI.

b) Do I need to define bridge groups in this model?

Yes, which makes everything easier and more scalable.

c) I used ASDM to set up the basic settings but I am confused with the following output. Why do I need two IP addresses for management?

Remember that there is a dedicated OOB interface for management purposes only. Then when you configure a BVI you can still use that one as a management interface.

d) What should be the ideal security level for the management interface? Since this interface does not allow pass-through traffic, how does the ASA apply policies on this interface?

Well, I mean the interface is already restricted. The ASA will not allow traffic going through this interface, so there is no such setting that will change this behavior. No need to worry about any kind of security measure for it.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
New Member

5525-X Setup

Bridge groups make it more scalable. Does it mean that I can have multiple bridge groups and multiple ACLs/policies per bridge group?

Are my following commands correct?

    interface GigabitEthernet0/0
     nameif Outside
     bridge-group 1
     security-level 100
    interface GigabitEthernet0/1
     nameif Inside
     bridge-group 1
     security-level 100
    interface BVI1
     ip address 192.168.1.1 255.255.255.0

5525-X Setup

Yes, they mean that.

Exactly those are the commands

Rate all of the helpful posts!!!

Regards,

Jcarvaja

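An added example, not part of the original thread and not Cisco tooling: a Python check that reads the interface commands posted above and reports bridge groups whose BVI lacks an IP address or whose member interfaces share a security level. The function names are hypothetical, and it assumes the ASA behaviour that interfaces at the same security level cannot exchange traffic unless `same-security-traffic permit inter-interface` is configured.

```python
from collections import defaultdict

SUBCOMMANDS = ("nameif", "bridge-group", "security-level", "ip address")
SAME_SEC = "same-security-traffic permit inter-interface"

# Interface commands as posted in the thread; no global commands were shown.
POSTED_CONFIG = """\
interface GigabitEthernet0/0
 nameif Outside
 bridge-group 1
 security-level 100
interface GigabitEthernet0/1
 nameif Inside
 bridge-group 1
 security-level 100
interface BVI1
 ip address 192.168.1.1 255.255.255.0
"""

def parse(config):
    """Return ({interface: {subcommand: value}}, set of all other lines)."""
    interfaces, other, current = {}, set(), None
    for line in (raw.strip() for raw in config.splitlines()):
        low = line.lower()
        if low.startswith("interface "):
            current = interfaces.setdefault(low.split()[1], {})
        elif current is not None and low.startswith(SUBCOMMANDS):
            key = next(k for k in SUBCOMMANDS if low.startswith(k))
            current[key] = line[len(key):].strip()
        elif line:
            other.add(low)  # global commands such as same-security-traffic
    return interfaces, other

def audit(config):
    """Return a list of findings about the bridge groups in the config."""
    interfaces, other = parse(config)
    groups = defaultdict(list)  # bridge-group id -> [(label, interface cfg)]
    for name, cfg in interfaces.items():
        if "bridge-group" in cfg:
            groups[cfg["bridge-group"]].append((cfg.get("nameif", name), cfg))
    findings = []
    for gid, members in sorted(groups.items()):
        if not interfaces.get(f"bvi{gid}", {}).get("ip address"):
            findings.append(f"bridge-group {gid}: BVI{gid} has no IP address")
        levels = defaultdict(list)  # explicit security level -> labels
        for label, cfg in members:
            if "security-level" in cfg:
                levels[cfg["security-level"]].append(label)
        for level, labels in levels.items():
            if len(labels) > 1:
                effect = ("permitted both ways with no ACL required"
                          if SAME_SEC in other else "denied by default")
                findings.append(f"bridge-group {gid}: {', '.join(labels)} share "
                                f"security-level {level}; traffic between them is {effect}")
    return findings
```

Giving Outside a lower level than Inside (for example 0) clears the shared-level finding, so the untrusted side is no longer treated as an equal of the trusted side.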
New Member

5525-X Setup

So on a firewall with 8 interfaces I can have 4 virtual firewalls in transparent mode.

5525-X Setup

Hello,

Yes, that's why they were introduced into the ASA code.

Before, we were restricted to an L3 domain in transparent mode (unless running multiple contexts).

Rate all of the helpful posts!!!

Regards,

Jcarvaja

New Member

5525-X Setup

In almost all the config examples on Google search, they use the 5505 model, where I see vlan commands. Please elaborate why. Are they L2 ports on the 5505?

5525-X Setup

The ASA 5505 has a built-in switch. So yes, you keep seeing that, but that does not mean it's in transparent mode.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

New Member

5525-X Setup

On a last note, can the ASA use the mgmt interface (out of band) for traffic originating from itself?

5525-X Setup

Hello,

On an ASA 5500-X, no.

On any other, yes, just by removing the management-only command.

Rate all of the helpful posts!!!

Regards,

Jcarvaja

New Member

5525-X Setup

On a 5525-X model I wish to use ASA with IPS in transparent mode. In this model the management interface is shared between ASA and IPS. Can I have an ASA/IPS implementation without BVI interfaces and use mgmt0/0 for both ASA and IPS?

5525-X Setup

Hello Avilt,

Remember that you can have more than one BVI interface on the ASA. That's why they were implemented on the ASA.

For the other questions:

Here you go

http://www.cisco.com/en/US/products/sw/secursw/ps2113/products_tech_note09186a0080bd5d03.shtml

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com
New Member

Hi All, How can configure

Hi All,

How can I configure bridge-group? I do not have the bridge-group command available on my ASA 5525-X.

I upgraded my system, but still no bridge-group commands?

I checked with the mode multiple command! Same problem.

So in fact, do I need the IPS module to configure this feature?
