ASA transparent mode

durhamcs
Level 1

We added an ASA 5510 to subnet 10.10.1.x and gave the ASA the IP address 10.10.1.10. We want to isolate traffic from server 10.10.1.5 from the rest of the subnet.

But once we connect the ASA to the switch it takes all traffic from 10.10.1.xx subnet.

How do we prevent the ASA from taking all traffic for that subnet and just for the server connected to the outside interface?

Can this be done in transparent mode, or must I use routed mode?

Thanks

13 Replies

Jon Marshall
Hall of Fame

Craig

Not quite sure what you mean by "But once we connect the ASA to the switch it takes all traffic from 10.10.1.xx subnet."

In transparent mode the ASA separates devices on the same subnet. So the inside and outside interfaces are in the same subnet. So anything on the inside that wants to talk to anything on the outside interface has to go through the ASA and vice-versa.

If this isn't what you want, routed mode wouldn't really help either unless you readdress the server to be on a different subnet.

Jon

What is happening is traffic from 10.10.2.x intended for 10.10.1.1 is being routed through the ASA 10.10.1.5.

Is there a way in transparent mode to prevent this?

Craig

It depends on where the 10.10.1.1 device is in relation to the 10.10.2.x devices and where the routed interface for 10.10.1.x and 10.10.2.x is, e.g.

10.10.2.1 (router) -> 10.10.1.x -> ASA -> 10.10.1.y

If a 10.10.2.x device needs to talk to a 10.10.1.x device then it shouldn't go through the ASA. But if a 10.10.2.x device needs to talk to a 10.10.1.y device it has to go through the ASA as there is no other way to get there.

And no you can't prevent this.

Jon

I agree, but when we connect the ASA 10.10.1.5 to the switch all traffic for 10.10.1.x is being routed to it, including traffic for 10.10.1.y.

What would cause this?

Craig

Could you draw out a quick topology to make things clearer.

Jon

10.10.2.x -switch - 10.10.1.x

- ASA (10.10.1.5) - 10.10.1.10

Craig

switch = L3 switch?

And you are saying traffic from 10.10.2.x to 10.10.1.x is going via the ASA?

And which interface is inside and outside on the ASA?

Jon

Yes, traffic from 10.10.2.x is going to 10.10.1.x via the ASA (not what I want).

e0/0 outside

e0/1 inside

switch is a L3 switch

Craig

Apologies for the repetition, but I really just need to clarify.

10.10.2.x -switch - 10.10.1.x

- ASA (10.10.1.5) - 10.10.1.10

So

10.10.2.x -> L3 switch -> 10.10.1.y -> ASA -> 10.10.1.x (including 10.10.1.5)

Traffic from 10.10.2.x to 10.10.1.y is going via the ASA? How are you verifying this?

Could you actually fill in the details below, i.e. fill in the ? and specify which interface is inside and outside:

10.10.2.x -> L3 switch (10.10.1.?) -> (10.10.1.? - outside/inside interface) ASA ( 10.10.1.? - outside/inside interface)

Jon

10.10.2.x -> L3 switch (10.10.1.1) -> (10.10.1.5 - inside interface) ASA ( 10.10.1.5 - outside interface) - server 10.10.1.10

I can confirm by looking at the traffic logs on the ASA.

If the rest of the 10.10.1.x subnet is between the L3 switch and the inside interface of the ASA then only traffic for server 10.10.1.10 should go through the ASA.

Traffic from 10.10.2.x to the rest of the 10.10.1.x subnet, i.e. the subnet between the L3 switch and the inside interface of the ASA, should not go via the ASA.

If this is actually happening you may want to recheck your connections.

Jon

Here is the show-tech info and the logs.

Kevin Redmon
Cisco Employee

There are two separate issues as I see it:

1.) Securing host 10.10.1.5 from the rest of the subnet.

2.) The ASA taking all traffic from the 10.10.1.xx subnet.

Issue #1:

The best way to isolate the server from the others is to put a Layer-3 device (like the ASA) between the other servers and the 10.10.1.5 server. One way to do this is to put the 10.10.1.5 server on another interface (such as a DMZ) - changing its IP address configuration to 192.168.1.5. Then, with this statement:

static (DMZ,inside) 10.10.1.5 192.168.1.5

The server would look like IP address 10.10.1.5 on the inside interface - you could configure access-lists to prohibit any client from accessing this server.

Issue #2:

As for issue #2, please confirm that your static statements are as specific as possible and correct.

When you implement a static statement, the second interface in the static statement is going to be the interface where ARP Replies will be sent. For instance:

static (inside, outside) 10.10.1.5 10.10.1.5 netmask 255.255.255.255

In this statement, the inside interface is where the 10.10.1.5 host is physically. The outside interface will Reply to any ARP Requests for the 10.10.1.5 host.

If you were to use a less specific static statement such as:

static (inside,outside) 10.10.1.0 10.10.1.0 netmask 255.255.255.0

the ASA will ARP Reply for all ARP requests for all 10.10.1.0/24 traffic on the outside interface - effectively pulling all 10.10.1.0/24 traffic towards the outside interface of the ASA.

If the static statement is written incorrectly (inverting the order of the interfaces), that too can cause anomalous behavior.

If you confirm the static statements above then you may consider doing a 'sysopt noproxyarp' for the problem interface. Doing this will disable ALL ARP Replies (except for the interface IP address) on the relevant interface. In most situations, this is not necessary. You can reference this command here for ASA 8.0(x):

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/s8.html#wp1412827
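The reply above says to confirm that each static statement is as specific as possible, because the second interface in the parentheses proxy-ARPs for the whole mapped range. As an added example (not from this thread or from Cisco), here is a small Python checker that parses ASA 8.x routed-mode static lines, reports which interface will answer ARP for which range, and flags any statement broader than a single host; the config lines are constructed sample input that mirrors the 10.10.1.x addresses discussed, and the column order assumed is the documented static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask].

```python
import ipaddress
import re

# Constructed sample ASA 8.x static lines (not the thread's show-tech); addresses mirror 10.10.1.x.
SAMPLE_CONFIG = """\
static (inside,outside) 10.10.1.5 10.10.1.5 netmask 255.255.255.255
static (inside,outside) 10.10.1.0 10.10.1.0 netmask 255.255.255.0
static (DMZ,inside) 10.10.1.5 192.168.1.5 netmask 255.255.255.255
"""

# Syntax: static (real_ifc,mapped_ifc) mapped_ip real_ip [netmask mask]
STATIC_RE = re.compile(
    r"^\s*static\s*\(\s*(?P<real_ifc>[\w-]+)\s*,\s*(?P<mapped_ifc>[\w-]+)\s*\)\s+"
    r"(?P<mapped_ip>[\d.]+)\s+(?P<real_ip>[\d.]+)(?:\s+netmask\s+(?P<mask>[\d.]+))?"
)

def parse_statics(config):
    """Extract static NAT statements; a missing netmask means a single host."""
    entries = []
    for line in config.splitlines():
        m = STATIC_RE.match(line)
        if m:
            entry = m.groupdict()
            entry["mask"] = entry["mask"] or "255.255.255.255"
            entries.append(entry)
    return entries

def proxy_arp_scope(entry):
    """Return (interface, network): the second interface in the parentheses is the
    mapped side, so that is where the ASA answers ARP for mapped_ip/netmask."""
    net = ipaddress.IPv4Network(f"{entry['mapped_ip']}/{entry['mask']}", strict=False)
    return entry["mapped_ifc"], net

def answers_arp(entries, ifc, ip):
    """Would the ASA reply to an ARP request for `ip` heard on interface `ifc`?"""
    target = ipaddress.IPv4Address(ip)
    return any(i == ifc and target in net for i, net in map(proxy_arp_scope, entries))

def lint_statics(entries):
    """Flag statements broader than one host: the mapped interface then claims every
    address in the range, which pulls the whole subnet towards the ASA."""
    findings = []
    for entry in entries:
        ifc, net = proxy_arp_scope(entry)
        if net.prefixlen < 32:
            findings.append(f"static ({entry['real_ifc']},{entry['mapped_ifc']}) covers "
                            f"{net} ({net.num_addresses} addresses) on '{ifc}'")
    return findings
```

Paste the output of show running-config static into SAMPLE_CONFIG (or read it from a file) and any finding from lint_statics is a statement to tighten before reaching for sysopt noproxyarp.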
