12-03-2008 07:04 AM - edited 03-11-2019 07:20 AM
I am planning the deployment of two 5520s which we want to use in transparent mode in order to get a better idea of the type of traffic we have before moving to routed mode. I'm trying to figure out how I can get these firewalls in between the multilayer switches I currently have in place, since the firewall only recognizes layer 2 traffic while in transparent mode and the switches are being used as layer 3. I am attaching a basic diagram to show you my current setup.
My area is switching and routing and I am now getting into firewalls so please be easy on me : ) Thanks in advance for your assistance!
12-03-2008 07:13 AM
Jose
Transparent mode still allows L3 traffic to go through it. So in your diagram, if you wanted to insert the firewalls in between the 4506 and the 4510 switches then you can keep your L3 routed link, although you will need another IP address out of that subnet for the firewall. You would obviously need two fibres rather than 1, and run 1 fibre from the 4506 to the 5520 and then the other fibre from the 5520 to the 4510R.
See this link for more details -
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/fwmode.html#wp1201980
Jon
12-03-2008 07:23 AM
Jon,
Thank you for your quick reply!
If I understand correctly you're saying that I can keep the interfaces in all of my 4500 (the 4506s and 4510s) the way they are configured. Then I'd just need to unplug the fibre going from the 4510s to the 4506, and plug in the ASA in between? Then once the physical connection is established it's just a matter of creating extended access lists and other basic configs on the firewalls to allow the IP traffic through?
Something like this:
4510R----5520-----4506
That's what I thought but I wanted to make sure since I'm still very new to the Security side. Once again, thank you!
12-03-2008 07:28 AM
Yes, that's exactly what you can do. As I said though, if the existing links between the switches are P2P using a /30 subnet you may need to change the subnet mask, because you will need an additional IP from the subnet for the firewall. Note you only need 1 and not 1 for each interface.
Other than that you should be fine.
Jon
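Jon's subnet point, worked through as an added example (this is not configuration from the thread or from Cisco's documentation): a /30 point-to-point link has exactly two usable host addresses, and both are already taken by the switch interfaces, so the transparent ASA's single management address only fits if the mask is widened on both switches first. Addresses are constructed (RFC 5737 range), the switch and ASA interface names are assumptions (the ASA ports are taken to be on the 4GE SSM the original poster mentions), and the ASA commands follow the 7.2 transparent-mode syntax of the guide linked above.

```cisco
! --- Added example, not from the thread. Addresses are constructed.
! Before: the routed link is a /30, so only two hosts exist:
!   4510R Gi1/1  192.0.2.1 255.255.255.252
!   4506  Gi1/1  192.0.2.2 255.255.255.252
! After: widen to a /29 so a third address is free for the ASA.
!
! 4510R (routed port, now cabled to the ASA instead of the 4506)
interface GigabitEthernet1/1
 description Link to ASA5520 Gi1/0 (was direct to 4506)
 no switchport
 ip address 192.0.2.1 255.255.255.248
!
! 4506 (routed port, now cabled to the ASA instead of the 4510R)
interface GigabitEthernet1/1
 description Link to ASA5520 Gi1/1 (was direct to 4510R)
 no switchport
 ip address 192.0.2.2 255.255.255.248
!
! ASA 5520 running 7.2, interface names assumed to be the 4GE SSM ports
firewall transparent
interface GigabitEthernet1/0
 nameif outside
 security-level 0
 no shutdown
interface GigabitEthernet1/1
 nameif inside
 security-level 100
 no shutdown
! In transparent mode there is one management address for the whole
! appliance, not one per interface; it comes from the widened subnet.
ip address 192.0.2.3 255.255.255.248
! Inside-to-outside is permitted by the security levels; the lower-security
! side needs an ACL. Wide open for the "observe and log" phase described
! in the thread, to be tightened before the move to routed mode.
access-list outside_in extended permit ip any any
access-group outside_in in interface outside
! Get the logging the poster wants out of the transparent phase
logging enable
logging buffered informational
```

Both switch masks have to change before the ASA goes in line, since the switches will treat the link as the same /29 whether or not the ASA is present; the ASA itself keeps the two switches' routed adjacency intact and only needs the third address for management and for sourcing its own syslog traffic.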
12-03-2008 07:32 AM
Awesome! What a relief. I have the IPs on the same subnet for the firewalls so I should be ok then. I was just having a hard time understanding how the firewall would be able to sit in between those routed interfaces because I thought it only did layer 2. I understand now. Thank you!
12-03-2008 07:19 AM
To better understand the type of traffic going through your ASA, why don't you install the ASA AIP SSM module in promiscuous mode? The IPS should give you clear visibility of the types of traffic traversing your ASA interfaces.
Also see this link for different scenarios for ASA in transparent mode: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml
Francisco
12-03-2008 07:30 AM
Unfortunately we do not have the AIP SSM module. Because of our requirement to use fibre we had to purchase the 4GE SSM instead.
I have been baselining my traffic patterns for a while now using NetFlow so I have a good idea on what's going on. We just want to use it in transparent mode not only to give us a better understanding of the traffic but also as an "in-between" step to get the firewalls logging before we move to routed mode which is our final plan.