Cisco ASA 5512 Transparent mode

treimers1
Level 1

Hi all - hope this is the right place to ask this question -

I'm having trouble understanding how to configure an ASA 5512X in what should be a really easy way -

I simply want the ASA to be a transparent Layer 2 "bump" in a routed link between two networks, and then I'll use the Management interface to actually see the firewall ASDM, Syslog, configure, etc.

I have the interfaces set up thusly:

interface GigabitEthernet0/0
 nameif UnTrustedNetwork
 security-level 0
interface GigabitEthernet0/1
 nameif TrustedNetwork
 security-level 100
interface Management0/0
 nameif ManagementAccess
 security-level 100
 ip address 192.168.X.Y 255.255.255.0
 management-only

I cannot figure out how to install a default route so that interface Management0/0 with its IP of 192.168.X.Y can be reached from other networks, like 10.6.X.Y, etc.

I thought the point of a Management interface was that you could set things up in such a way that the Management interface was the only way you could access the firewall, and you did not have to have IP addresses on the Gig interfaces (at least not in transparent mode; for NAT you obviously would have to).

I tried to add a static route entry to 10.6.X.Y, but when I typed "route.." my only available destination interfaces were either TrustedNetwork or UnTrustedNetwork ??

How do I configure the Management interface for non-local subnets to be reachable on the firewall in transparent mode?

Accepted Solutions

A transparent firewall is configured differently from routed mode.

Here's a basic config required:

firewall transparent    (erases the current config; does not require a reboot)
!
interface BVI1
 ip address 192.168.10.10 255.255.255.0
!
interface GigabitEthernet0
 nameif outside
 bridge-group 1
 security-level 0
!
interface GigabitEthernet1
 nameif inside
 bridge-group 1
 security-level 100
!
route outside 0.0.0.0 0.0.0.0 192.168.10.254
route inside 10.0.0.0 255.0.0.0 192.168.10.100

I think that you need a BVI interface with an IP address before the ASA starts forwarding traffic.

The old syntax (pre 8.3 or 8.2, not sure) forces only 2 interfaces and no BVI was configured... the IP was assigned in global config.

Hope that helps,

Patrick
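
As an added example (not part of the original thread and not Cisco code), a small Python check for the two things the answer above relies on: every bridge-group member has a BVI with an IP address, and each static route's gateway sits on that BVI's subnet. The function name, the dmz interface and the bridge-group 2 lines are constructed for illustration; treating an off-subnet gateway as a finding is an assumption.

```python
import ipaddress
import re

# Constructed sample: the answer's transparent-mode layout, plus a deliberately
# broken bridge-group 2 (no BVI2) to show what the check reports.
SAMPLE_CONFIG = """\
firewall transparent
interface BVI1
 ip address 192.168.10.10 255.255.255.0
interface GigabitEthernet0
 nameif outside
 bridge-group 1
interface GigabitEthernet1
 nameif inside
 bridge-group 1
interface GigabitEthernet2
 nameif dmz
 bridge-group 2
route outside 0.0.0.0 0.0.0.0 192.168.10.254
route inside 10.0.0.0 255.0.0.0 192.168.10.100
route dmz 172.16.0.0 255.255.0.0 172.16.1.1
"""

def lint_transparent(config):
    """Return findings for a transparent-mode config (hypothetical helper)."""
    bvi_net, member_group, routes, current = {}, {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"interface (\S+)$", line):
            current = {"name": m.group(1), "nameif": None}
        elif m := re.match(r"route (\S+) \S+ \S+ (\S+)", line):
            routes.append((m.group(1), ipaddress.ip_address(m.group(2))))
        elif current is None:
            continue  # global command outside any interface block
        elif m := re.match(r"nameif (\S+)", line):
            current["nameif"] = m.group(1)
        elif m := re.match(r"bridge-group (\d+)", line):
            member_group[current["nameif"] or current["name"]] = int(m.group(1))
        elif (m := re.match(r"ip address (\S+) (\S+)", line)) and current["name"].startswith("BVI"):
            bvi_net[int(current["name"][3:])] = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
    findings = []
    for name, group in member_group.items():
        if group not in bvi_net:
            findings.append(f"{name}: bridge-group {group} has no BVI{group} with an ip address")
    for ifname, gateway in routes:
        net = bvi_net.get(member_group.get(ifname))
        if net is not None and gateway not in net:
            findings.append(f"route {ifname}: gateway {gateway} is outside {net}")
    return findings
```

The parser expects nameif before bridge-group inside each interface block, as in the answer's config.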

Thanks Patrick!

I did that -

I will test it.
