ASA Transparent Mode question

rgiammanco
Level 1

Our company recently purchased 2 ASA 5510s to replace our current Sonicwall. Well, after some research it looks like I will have to run them in transparent mode because of the way our network is configured. I have the ASA set up in transparent mode but the workstations cannot see the router on the other side of the ASA; when I try to ping the router the request times out. I have a question regarding the config of it: the IP address I specify during the config is not the router address but rather an IP address for the ASA itself? From the ASA I can ping the router but neither of the workstations.


8 Replies

Kureli Sankar
Cisco Employee

The IP address that you configure on the ASA in transparent mode is for management purposes. Make sure you have configured the interfaces with proper vlan and security levels.

Here is a sample config (TFW): http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/ref_examples.html#wp1065159

-KS

Thanks, I will double check my config to make sure everything looks good.

Here is another question kind of off the topic but we have 20 sites and all their connections come back to our main office via T1 to connect to the Sonicwall for their internet access.  Will we need multiple ASA's or can we still have it setup the way we currently have the SonicWall?

rgiammanco wrote:

Here is another question kind of off the topic but we have 20 sites and all their connections come back to our main office via T1 to connect to the Sonicwall for their internet access.  Will we need multiple ASA's or can we still have it setup the way we currently have the SonicWall?

Rich

The ASA will only take an ethernet connection. So if your 20 sites are connected to a router or router(s) which can then connect to a switch and you can present this connection as ethernet then you do not need multiple ASAs to connect them to the Internet.

Jon

We have them coming into a CISCO 3800 and then from there it goes into a switch. Would I need separate vlans for all the sites seeing as they are on different networks, or because they come into one location would that be unnecessary?

Say, for example, all 20 networks fall under 192.168.0.0/16; then you do not need multiple vlans.

You can just have one inside interface on the ASA and add a route on the ASA like this:

route inside 192.168.0.0 255.255.0.0 192.168.1.x

where 192.168.1.x is the 3800's interface facing the ASA's inside interface.

-KS

rgiammanco wrote:

We have them coming into a CISCO 3800 and then from there it goes into a switch. Would I need separate vlans for all the sites seeing as they are on different networks, or because they come into one location would that be unnecessary?

No, you shouldn't need separate vlans. Basically you would simply connect the outside interface of your ASA to the switch and put it in the same subnet as the 3800 interface that connects to the switch. Then on the ASA you would add a default route pointing to the 3800 LAN IP address. So the ASA simply forwards all traffic for remote sites to the router and then the 3800 simply routes down the correct T1.

Edit - Kusankar makes a good point. I was assuming your internet connection was on the 3800 as well, which it probably isn't, so rather than point the default route on the ASA to the 3800 you would do as Kusankar suggested and either use a summary route or, if they can't be summarised, use individual routes for each site.

Jon
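As an added worked example (not from any post in this thread), the following script builds the `route inside` lines discussed above for a list of remote-site subnets: one summary route when the sites collapse to a single exact prefix, otherwise one route per collapsed prefix. It also shows how much unused address space a single covering summary would send toward the router, which is the reason to prefer individual routes when the sites do not summarise cleanly. The 3800 address and site subnets are constructed sample values.

```python
import ipaddress

# Constructed sample values (not from the thread): the 3800's interface facing
# the ASA's inside interface, and the subnets used by the remote sites.
ROUTER_INSIDE_IP = "192.168.1.1"
SITE_SUBNETS = ["192.168.10.0/24", "192.168.11.0/24", "192.168.20.0/24"]


def collapse_sites(site_subnets):
    """Merge adjacent or overlapping site subnets into the fewest exact prefixes."""
    nets = [ipaddress.ip_network(s, strict=True) for s in site_subnets]
    return list(ipaddress.collapse_addresses(nets))


def asa_inside_routes(site_subnets, next_hop):
    """'route inside' lines for the ASA: a single summary route when the sites
    collapse to one exact prefix, otherwise one route per collapsed prefix."""
    return [f"route inside {n.network_address} {n.netmask} {next_hop}"
            for n in collapse_sites(site_subnets)]


def covering_supernet(site_subnets):
    """Smallest single prefix that contains every site subnet."""
    nets = collapse_sites(site_subnets)
    low = min(n.network_address for n in nets)
    high = max(n.broadcast_address for n in nets)
    net = ipaddress.ip_network(low)  # start at a host route and widen it
    while net.broadcast_address < high:
        net = net.supernet()
    return net


def supernet_overshoot(site_subnets):
    """Address space a single covering summary would route toward the 3800
    even though no site uses it (traffic for networks that do not exist)."""
    leftover = [covering_supernet(site_subnets)]
    for site in collapse_sites(site_subnets):
        remaining = []
        for block in leftover:
            if site.subnet_of(block):
                remaining.extend(block.address_exclude(site))
            else:
                remaining.append(block)
        leftover = remaining
    return sorted(leftover)


if __name__ == "__main__":
    for line in asa_inside_routes(SITE_SUBNETS, ROUTER_INSIDE_IP):
        print(line)
    extra = supernet_overshoot(SITE_SUBNETS)
    print(f"a single summary {covering_supernet(SITE_SUBNETS)} would also cover",
          sum(n.num_addresses for n in extra), "addresses no site uses")
```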

rgiammanco
Level 1

Thanks
