Cisco Support Community

Transparent ASA and MAC Addresses

Experts,

I’ve recently installed a pair of 5525Xs in transparent mode to protect some internal segments. In reading about transparent mode I thought I read that the ASA will “proxy” the connection when going from the Layer 3 side (North) to the actual physical South side host. For an “Outside/North” host (vlan 700) to talk to an “Inside/South” host (vlan 800), the ASA will pass its MAC address to the outside host (or gateway) as the destination to send the packet. Prior to building this infrastructure I thought I would see all ARP entries on the Layer 3 (North) side have a MAC address of the interface of the ASA for all protected hosts. I do not see that on the SVI interface but do see the real MAC address of the “South” side protected machine. When looking on a protected machine I do see the default-gateway ARP entry to be the actual MAC address of the SVI on the switch and not the MAC address of the ASA, which I thought would be the case as well. Everything is working as advertised (or so I think), as removing or adding ACLs does limit or allow traffic, so it appears to be working. I’m just checking that my initial assumption of the MAC address of the ASA being on every ARP entry was/is incorrect. From what I can tell the ASA passes the MAC addresses from each side of the bridge-group to the other.

Thanks,

Ken

Accepted Solutions
Hi Ken

Yes, this is correct. In transparent mode, the ASA is effectively a passive device in this perspective. The devices on either side of the ASA will see the "real" MAC addresses.

Note this behaviour will change if you configure NAT on the ASA.

HTH.

Barry Hesk

Intrinsic Network Solutions
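
The check discussed in this thread, as an added example that is not part of either post: it parses IOS-style `show ip arp` output taken from the SVI side and separates entries that resolve to a host's own MAC from entries that resolve to an ASA interface MAC (the result Ken originally expected). The addresses, MACs and the ASA MAC list are constructed sample values, and the function names are hypothetical.

```python
import re

# Constructed sample: `show ip arp` output from the switch that owns the VLAN 700 SVI.
SAMPLE_SHOW_IP_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.70.0.1               -   0023.eb11.0a01  ARPA   Vlan700
Internet  10.70.0.21             12   0050.56aa.1c21  ARPA   Vlan700
Internet  10.70.0.22              3   0050.56aa.1c22  ARPA   Vlan700
Internet  10.70.0.30              0   Incomplete      ARPA
Internet  10.70.0.40              7   5057.a8c4.0e10  ARPA   Vlan700
"""

# Constructed values: MACs of the ASA's bridge-group member interfaces,
# written in a different notation on purpose to exercise normalisation.
ASA_INTERFACE_MACS = {"50:57:A8:C4:0E:10", "50-57-a8-c4-0e-11"}

ARP_ROW = re.compile(r"^Internet\s+(\S+)\s+\S+\s+(\S+)\s+ARPA(?:\s+(\S+))?\s*$")


def normalize_mac(mac):
    """Return 12 lowercase hex digits, or None if the field is not a MAC."""
    digits = re.sub(r"[.:\-]", "", mac).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def parse_arp(text):
    """Yield (ip, mac, interface) for every resolved ARP entry."""
    for line in text.splitlines():
        match = ARP_ROW.match(line.strip())
        if not match:
            continue  # header or unrelated line
        ip, raw_mac, interface = match.groups()
        mac = normalize_mac(raw_mac)
        if mac is not None:  # skips "Incomplete" entries
            yield ip, mac, interface


def classify(text, asa_macs):
    """Split resolved entries by whether the MAC belongs to the ASA."""
    asa = {normalize_mac(m) for m in asa_macs}
    result = {"real_mac": [], "asa_mac": []}
    for ip, mac, _interface in parse_arp(text):
        result["asa_mac" if mac in asa else "real_mac"].append(ip)
    return result


if __name__ == "__main__":
    report = classify(SAMPLE_SHOW_IP_ARP, ASA_INTERFACE_MACS)
    print("resolve to the host's own MAC:", report["real_mac"])
    print("resolve to an ASA interface MAC:", report["asa_mac"])
```

With a transparent ASA behaving as described in the accepted answer, the second list should be empty for the protected hosts; any address that appears there is worth a look at the ASA configuration.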
