ASA transparent firewall working with remote network?

Hi Experts,

I need some clarification on remote network traffic forwarding on an ASA transparent firewall. As we know, the ASA attempts to discover the destination MAC address by sending an ARP request or a ping. Same-subnet ARP works fine, but I need clarification about the remote network, where the ASA tries to ping the remote network to learn the destination MAC or forwarding interface. Cisco also says the first packet is dropped. What happens if ping is not allowed on the remote host, for example a web server? How can a user behind the transparent firewall access the web server?

3 REPLIES

ASA transparent firewall working with remote network?

Hello Sir,

Here is the thing:

The firewall in transparent mode should be connected to the same subnet that its BVI IP address is in.

Now, what happens when an L2 switch receives a packet for a MAC address that it does not know?

It will send it as an unknown unicast (the packet is forwarded out of all the interfaces in the same VLAN).

Obviously for security purposes the ASA will not do that. Instead it relies on 2 different processes:

1) The ARP check

  • Used when the destination IP address is on the same subnet
  • An ARP packet will be sent out of all the interfaces in the BVI to learn the destination MAC address

2) The ICMP check

  • Used when the destination IP address is on a different subnet
  • The ASA will source an IP packet from its BVI IP address going to the destination address with a TTL of 1, expecting that the gateway leading to that device replies with an ICMP Time Exceeded message.

As you can see, the ICMP packet is not intended to reach the destination host but the L3 device that leads us to it.

I think I have answered your questions right.

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
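The two discovery paths described in the reply above, worked through as an added simulation (not code from this thread, not Cisco's ASA implementation): a `TransparentASA` class that picks ARP for on-subnet destinations and a TTL=1 IP probe for off-subnet ones, floods the probe out of every BVI member interface, learns the egress MAC from the first reply, and drops the packet that triggered discovery. The devices, addresses, MACs and interface names are constructed; the remote web server is configured to refuse ICMP echo so the run shows that its ICMP policy is irrelevant, because the TTL=1 probe expires at the gateway and the gateway's Time Exceeded reply is what gets learned.

```python
"""Constructed model of how an ASA in transparent mode learns the next-hop MAC.
Simplified: no timers, no ARP cache aging, no ACL processing. Not ASA code."""
import ipaddress


class Device:
    """A node on one of the ASA's BVI member segments (constructed for the demo)."""

    def __init__(self, ip, mac, routes=(), behind=(), answer_echo=True):
        self.ip = ipaddress.ip_address(ip)
        self.mac = mac
        self.routes = [ipaddress.ip_network(r) for r in routes]  # prefixes a router serves
        self.behind = list(behind)        # hosts reachable only through this router
        self.answer_echo = answer_echo    # does the host permit ICMP echo?
        self.probes_seen = 0              # how many ASA probes reached this node

    def receive(self, probe):
        """Return (reply_kind, source_mac) or None, as the node would answer on the wire."""
        self.probes_seen += 1
        dst = ipaddress.ip_address(probe["dst"])
        if probe["type"] == "arp_request":
            return ("arp_reply", self.mac) if dst == self.ip else None
        if dst == self.ip:
            # Probe delivered to the host itself: answered only if it allows ICMP echo.
            return ("echo_reply", self.mac) if self.answer_echo else None
        if any(dst in r for r in self.routes):
            if probe["ttl"] <= 1:
                # A router would forward, but the TTL expires here: ICMP Time Exceeded,
                # sourced from the router's own MAC. The far-end host never sees the probe.
                return ("time_exceeded", self.mac)
            for nxt in self.behind:   # only reachable if the TTL were larger than 1
                reply = nxt.receive({**probe, "ttl": probe["ttl"] - 1})
                if reply:
                    return (reply[0], self.mac)   # relayed back through the router's MAC
        return None


class TransparentASA:
    def __init__(self, bvi_cidr, interfaces):
        iface = ipaddress.ip_interface(bvi_cidr)
        self.bvi_ip, self.subnet = iface.ip, iface.network
        self.interfaces = interfaces      # interface name -> list of attached Devices
        self.mac_table = {}               # destination IP -> (MAC, egress interface)
        self.events = []

    def discovery_method(self, dst_ip):
        """ARP for destinations on the BVI subnet, TTL=1 IP probe otherwise."""
        return "arp" if ipaddress.ip_address(dst_ip) in self.subnet else "icmp_ttl1"

    def _probe(self, dst_ip):
        if self.discovery_method(dst_ip) == "arp":
            return {"type": "arp_request", "src": str(self.bvi_ip), "dst": dst_ip}
        return {"type": "ip_probe", "src": str(self.bvi_ip), "dst": dst_ip, "ttl": 1}

    def forward(self, dst_ip):
        """Handle one packet for dst_ip; returns 'forwarded' or 'dropped'."""
        if dst_ip in self.mac_table:
            mac, name = self.mac_table[dst_ip]
            self.events.append(f"forward to {dst_ip} via {name} ({mac})")
            return "forwarded"
        probe = self._probe(dst_ip)
        # Flood the probe out of every BVI member interface; learn from the first reply.
        for name, devices in self.interfaces.items():
            for dev in devices:
                reply = dev.receive(probe)
                if reply:
                    self.mac_table[dst_ip] = (reply[1], name)
                    self.events.append(f"learned {dst_ip} -> {reply[1]} on {name} via {reply[0]}")
                    break
            if dst_ip in self.mac_table:
                break
        # The packet that triggered discovery is not queued; it is dropped.
        self.events.append(f"first packet to {dst_ip} dropped while discovering")
        return "dropped"


def demo():
    """Constructed topology: ASA BVI 10.1.1.5/24, gateway 10.1.1.1 to 192.168.50.0/24."""
    web = Device("192.168.50.80", "00:c0:ff:ee:00:80", answer_echo=False)  # blocks ping
    gw = Device("10.1.1.1", "00:11:22:aa:bb:01", routes=["192.168.50.0/24"], behind=[web])
    host = Device("10.1.1.20", "00:11:22:aa:bb:20")
    asa = TransparentASA("10.1.1.5/24", {"outside": [gw], "inside": [host]})
    results = {}
    for label, dst in (("same_subnet", "10.1.1.20"), ("remote", "192.168.50.80")):
        # method chosen, outcome of the first packet, outcome of the second packet
        results[label] = (asa.discovery_method(dst), asa.forward(dst), asa.forward(dst))
    results["web_server_probes_seen"] = web.probes_seen
    return asa, results


if __name__ == "__main__":
    asa, results = demo()
    for line in asa.events:
        print(line)
    print(results)
```

Running it shows the same-subnet destination resolved by ARP on `inside`, the remote destination resolved by the gateway's Time Exceeded on `outside`, the first packet to each dropped and the second forwarded, and the ping-blocking web server receiving zero probes. If you capture on a real ASA as suggested later in the thread, the TTL=1 packet from the BVI address and the gateway's ICMP type 11 reply are what to look for.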
ASA transparent firewall working with remote network?

Thanks Julio, your answer clears up the point. I just want to know, did you find some Cisco text stating the above? If so, please provide the link.

ASA transparent firewall working with remote network?

Hello Anir,

Glad to hear that.

That's basically based on my experience with these cases here in TAC.

Not sure if it's here:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

You can do captures to probe it.

Also remember to mark the question as answered.

Cheers,

Julio Carvajal Segura
