Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
243
Views
0
Helpful
2
Replies

ASA Routed/Transparent Mode - Advice

Go to solution
petenixon
Level 3
Level 3

‎07-23-2014 05:38 AM - edited ‎03-11-2019 09:31 PM

Hi guys,

I'm looking for some advice regarding the deployment of an ASA. I have two networks separated by a routed link (layer 3 switch to layer 3 switch). I would like to deploy an ASA between the two networks for increased security. I'm leaning toward transparent mode so I don't have to have an additional IP subnetwork configured, and because deployment seems a little 'easier'.

I would welcome any feedback.

Thanks.

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎07-23-2014 06:07 AM

Hi,

 

So there is 2 networks which are separated by a routed link between the L3 switches? Have you considered simply moving the LAN and Link networks IP address to a Routed Mode ASAs interfaces when inserting it between these networks or is there something on the L3 switch that prevents this?

 

Naturally you can use the ASA in Transparent Mode also. I have not deployed Transparent ASAs as usually the Routed Mode has been required. Even firewalls installed to internal networks (like between factory automation and office networks) have always been in Routed mode.

 

Looking at the ASA Configuration Guide the limitations set by the Transparent Mode are not something that would prevent us from using them instead of the current setups. I would imagine that the most important limitation in many setups has usually been the fact that the VPN is not supported in Transparent mode though I guess in your case that would not be a problem.

 

The ASA Configuration Guide section on Transparent mode (guidelines/limitations) can be found here:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/intro-fw.html#pgfId-1501525

 

- Jouni

View solution in original post

0 Helpful
2 Replies 2

Go to solution
Jouni Forss
VIP Alumni
VIP Alumni

‎07-23-2014 06:07 AM

Hi,

 

So there is 2 networks which are separated by a routed link between the L3 switches? Have you considered simply moving the LAN and Link networks IP address to a Routed Mode ASAs interfaces when inserting it between these networks or is there something on the L3 switch that prevents this?

 

Naturally you can use the ASA in Transparent Mode also. I have not deployed Transparent ASAs as usually the Routed Mode has been required. Even firewalls installed to internal networks (like between factory automation and office networks) have always been in Routed mode.

 

Looking at the ASA Configuration Guide the limitations set by the Transparent Mode are not something that would prevent us from using them instead of the current setups. I would imagine that the most important limitation in many setups has usually been the fact that the VPN is not supported in Transparent mode though I guess in your case that would not be a problem.

 

The ASA Configuration Guide section on Transparent mode (guidelines/limitations) can be found here:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa92/configuration/general/asa-general-cli/intro-fw.html#pgfId-1501525

 

- Jouni

0 Helpful

Go to solution
petenixon
Level 3
Level 3
In response to Jouni Forss

‎07-23-2014 06:15 AM

Thanks for the reply Jouni.

There are no logical constraints as to how the firewall is to be added, it was just something that occurred to me (that both methods could be used). I can't really see any disadvantages to either method (just yet!) but it seems advantageous to use transparent mode to conserve address space as the ASA will still function as expected.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card