04-06-2009 05:10 AM - edited 03-11-2019 08:15 AM
How do you physically install an ASA in transparent mode into a network? I know that the inside and outside interfaces have to be on the same network. My question is how does the firewall connect between users and servers when there is a switch that connects everything. Do you just plug the firewall into the same vlan as the users and webservers, or does the firewall have to by physically connected to each webserver to work in transparent mode.
04-06-2009 06:28 AM
When the firewall is in transparent mode, I believe it can only forward traffic to its own subnet without additional routes. Any other remote subnet would need routes added to the firewall.
You wouldn't need to connect each physical server to the firewall, but the firewall needs to know how to get to the devices. You can connect the firewall into a L3 switch, assign a vlan to it, and then route all of your traffic to the webservers the way that you need to.
Here's a link to better explain it:
HTH,
John
04-06-2009 07:00 AM
I've looked at the diagram, and that is why I'm not sure about how this is done. With the connection to the router, does the firewall have to be physically connected to the router for it to be a transparent firewall between the router and the server? Or is it just that you plug everything into a L2 switch on the same vlan, and somehow the switch knows to forward all traffic between the router and all other devices through the firewall?
04-06-2009 07:23 AM
Hi Clemons,
Check the network diagram for ASA in transparent mode for your server zone. This design will only work for traffic destined to server zone. All traffic to through the router will be bypassed.
If you intend to scan traffic going to server zone and internet from Access switch, then place ASA between Access switch and Distribution switch.
04-06-2009 08:18 AM
I am actually placing an ASA with an IPS module between a firewall cluster and a server network to act as an IPS. I need to put the ASA in transparent mode to do this. What I am trying to understand is how does the transparent firewall work in terms of the traffic flowing through it. I only have one layer-2 switch stack which the firewall cluster will plug into and the server vlan connects to. I need for all traffic coming from the firewall cluster to the server vlan to flow through the ASA. Does the ASA have to be physically plugged into each of these firewalls in the cluster and connected to the server vlan on the switch for the traffic to be forced to go through the ASA? Or can the firewall cluster, ASA, and the servers all be plugged into the server vlan on that layer 2 switch stack and it all work somehow by layer 2 forwarding.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide