I have a unique issue when trying to set up our new 5512-X firewall in single transparent mode. I'm new to the ASA world and would appreciate it if someone could help me out.
I would like to give a bit of background here.
I work in a university and we have different IT pockets along with central IT. I'm an IT person in one of the pockets and we have our own server closet with VM hosts and some servers. All our hosts and other network resources are connected to a 2960 switch on our end which is EtherChanneled (2 uplinks) to another 2960 switch on the central IT end (which I can't control). The central IT switch, after all the hoops, connects to the edge router for internet access. Here comes the crazy part: in the university all IP addresses assigned to each and every resource (servers and clients) are STATIC PUBLIC IPs. We don't use any DHCP or private IP addressing. Within the university all departments and faculties can access each and every resource, given they have permission to access that resource (file server, databases etc.). The idea is to block free access and just allow the users that should have access to our resources.
Now the question. Sorry for the lengthy background.
Our server closet is on the x.x.198.x subnet. That is where my side's 2960 switch and the central IT switch are connected. I want to (if possible) put our 5512-X between the two switches and enable the EtherChannel on the ASA so that it can let the traffic through with a 2GB uplink. Currently, I have set up the ASA in single transparent mode with a management IP in the x.x.198.x subnet. I created a bridge group and tried to give it an x.x.198.x IP but it spat out an error about "can't overlap the IPs on same subnet". Since we don't use any private addressing and there is no outside interface (traffic from our area feeds into the central IT switches), I'm not sure how to set up a global IP address for the inside and outside interfaces. We have users in 4 different subnets that I want to provide access to our resources located in x.x.198.x while blocking the rest, as well as setting ACLs for our users.
Please let me know if you have any questions. I really hope to find some answers.
For each subnet you want to play with you would need a dedicated Bridge Group. That specific Bridge Group will be composed of two layer 2 interfaces having a global management IP address on the ASA Firewall.
Does it make sense?
Regarding the error,
Can you show us the entire configuration you are entering and after what the error appears.
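To make the reply above concrete, here is an added example configuration (not the poster's running config, which is not shown in this thread) of what "a dedicated bridge group made of two layer 2 interfaces with a management IP" looks like on an ASA in transparent mode, with the two data-path legs built as EtherChannels. The subnet 203.0.113.0/24 stands in for the poster's x.x.198.x server closet, 198.51.100.0/24 for one of the user subnets, the upstream gateway 203.0.113.1 and all interface numbers are assumptions, and a second bridge group on plain physical ports is included only to show how each additional subnet gets its own bridge group and BVI. The ASA rejects two interfaces configured in the same subnet, which is the overlap error quoted in the question, so the example assumes the Management0/0 port carries no address in 203.0.113.0/24 (in-band management via the BVI address is used instead).

```cisco
! Added example, not the original poster's configuration.
! Assumed addresses: 203.0.113.0/24 = server closet, 198.51.100.0/24 = one user subnet.
firewall transparent
hostname asa5512
!
! --- Bridge group 1: the server-closet subnet, both legs as EtherChannels ---
interface GigabitEthernet0/0
 channel-group 1 mode active
 no shutdown
interface GigabitEthernet0/1
 channel-group 1 mode active
 no shutdown
interface GigabitEthernet0/2
 channel-group 2 mode active
 no shutdown
interface GigabitEthernet0/3
 channel-group 2 mode active
 no shutdown
!
interface Port-channel1
 description Inside leg: EtherChannel to our own 2960
 nameif inside
 bridge-group 1
 security-level 100
!
interface Port-channel2
 description Outside leg: EtherChannel to central IT 2960
 nameif outside
 bridge-group 1
 security-level 0
!
! The bridge group's own address lives on the BVI, not on the member interfaces.
interface BVI1
 ip address 203.0.113.10 255.255.255.0
!
! --- Bridge group 2: a second subnet on two plain physical ports ---
interface GigabitEthernet0/4
 nameif inside2
 bridge-group 2
 security-level 100
 no shutdown
interface GigabitEthernet0/5
 nameif outside2
 bridge-group 2
 security-level 0
 no shutdown
!
interface BVI2
 ip address 192.0.2.10 255.255.255.0
!
! Management port left without an address in a bridge-group subnet (assumption).
interface Management0/0
 management-only
 shutdown
!
! Default route so the ASA itself (syslog, AAA, ASDM) can reach the rest of the campus.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Only the permitted user subnet reaches the closet; everything else is dropped and logged.
access-list OUTSIDE_IN extended permit ip 198.51.100.0 255.255.255.0 203.0.113.0 255.255.255.0
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Allow in-band management over the BVI address from the permitted subnet.
http server enable
http 198.51.100.0 255.255.255.0 inside
ssh 198.51.100.0 255.255.255.0 inside
```

The switch ends of both EtherChannels need matching LACP port-channel configuration on the 2960s, and the central IT side would have to move its existing channel from the local 2960 to the ASA's outside port-channel. Each further subnet repeats the bridge-group/BVI pattern with its own pair of member interfaces and its own access-list on the outside-facing member.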
So the ASA has 6 physical interfaces and I need to manage 5 different subnets (all public IPs). How would I go about assigning two layer 2 interfaces per subnet/bridge group? Will I be creating subinterfaces per physical interface? Also, do I need a management interface per subnet or not? How can I get the EtherChannel to work in this scenario?
I haven't made many changes but here is the running config of ASA:
Do I have to create a bridge group for each network/subnet that I need to manage? If I have to create a bridge group for each subnet (in total 5 subnets), how can I define an inside and outside interface for each subnet? Do I have to create logical interfaces for each physical interface per subnet? Do I need to create a logical management interfaces per bridge group/subnet?
Also, how can I connect the ASA between two switch that are etherchanneled? Do I have to create an etherchannel on the inside interface of ASA for internal switch (x.x.198.x) and an etherchannel on outside interface for our Central IT switch (x.x.198.x)?
Also, since I'm not able to assign another x.x.198.x IP address in the global configuration because I'm using x.x.198.151 for the management port, do I need to remove the IP from the management port and manage the ASA through the data ports?