Transparent Firewall Configuration

meensun
Level 1

I'm trying to configure an ASA 5540 in transparent firewall mode. The server farm is connected to the inside zone and users are connected to the outside zone on multiple VLANs routed via inter-VLAN routing on the core switch.

As per the Cisco configuration guidelines for transparent firewall, the INSIDE and OUTSIDE ZONES are configured in two different VLANs, while the gateway IP address of the server farm is configured on the core switch.

The transparent firewall works fine if connected to TWO different switches with an ACL permit any any on the outside interface. But if TWO DIFFERENT VLANS (e.g. 111 & 222) are configured on the same Catalyst 4500 switch and the inside zone and outside zone (222) are connected to the respective ASA 5540 interfaces in TRANSPARENT MODE - inside interface to port 3/0/1 in VLAN 111 & outside interface to port 3/0/2 in VLAN 222 - traffic is not flowing through.

VLAN 222, USED FOR THE SERVER FARM CONNECTED TO THE INSIDE ZONE, HAS THE DEFAULT GATEWAY ADDRESS CONFIGURED in the CORE SWITCH under INT VLAN 111, which is connected to the OUTSIDE interface of the ASA.

Core Switch int gig1/0/1...>vlan 111...>ASA OUTSIDE...>Vlan 222...> server farm in vlan 222

No ARP entries are seen on the inside interface. An EtherType ACL to allow BPDUs on both the INSIDE AND OUTSIDE interfaces of the ASA has also been configured.

Can you please provide me with guidelines and a step-by-step procedure to configure the ASA 5540 in transparent firewall mode with the INSIDE & OUTSIDE interfaces connecting to TWO different VLANs on the same Catalyst SWITCH.

Thanking you in advance,

With best regards,

Meenaakshi Sundaram

Network Consultant

5 Replies

wong34539
Level 6

If you download a text configuration to the security appliance that changes the mode with the firewall transparent command, be sure to put the command at the top of the configuration; the security appliance changes the mode as soon as it reads the command and then continues reading the configuration you downloaded. If the command is later in the configuration, the security appliance clears all the preceding lines in the configuration.

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450bda.html#wp1040279

tltee
Level 1

Hi Meenaakshi,

I am having a similar problem with ASA5520 on 4506 SUP V.

Have you managed to solve the problem? I am still waiting for Cisco to get back to me on this. Meantime any information is greatly appreciated.

Thanks in advance.

Regards,

Tee

Has anyone got an answer for this? I am interested to know.

Thanks!

kirk.brookover
Level 1

Bump - anyone? Is it possible to terminate both the inside and outside interfaces of a transparent firewall on a single Layer 3 switch? Seems like ARP from the switch's Layer 3 interface would prevent this from working.

Hi Kirk,

Yes, you can.

You just have to make sure that you configure only 1 SVI on the switch.

Example:

L3 subnet: 10.1.1.0/24

VLAN 100 -- Inside (ASA) Outside -- VLAN 200

Hosts will all be connected to VLAN 100 on the switch.

ASA inside interface will be connected to VLAN 100 on the switch

ASA outside interface will be connected to VLAN 200 on the switch

Switch should only have 1 SVI - interface vlan 200 (10.1.1.254 for example). Switch should never be configured with SVI on vlan 100 (should not have interface vlan 100).

All hosts would be in the 10.1.1.0/24 subnet with their default gateway set to 10.1.1.254.

ASA should only have 2 interfaces (inside - security level 100, and outside - security level 0). They can't be on the same security level.

Hope that helps.
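The single-SVI layout in the reply above, written out as a constructed configuration fragment (added here, not part of the original thread or any Cisco document). Switch port numbers, the ASA hostname, and the ASA's own management address 10.1.1.253 are assumptions; the ASA side uses the 7.x/8.0-style transparent mode syntax (global `ip address`, EtherType ACL for BPDUs) that the thread is about, with `firewall transparent` first, as the earlier reply recommends.

```cisco
! ===== Catalyst 4500 (assumed port numbers) =====
vlan 100
 name ASA-INSIDE
vlan 200
 name ASA-OUTSIDE
! The ONLY SVI on this subnet lives on the OUTSIDE VLAN.
! There must be no "interface Vlan100": a second L3 interface in
! 10.1.1.0/24 would let the switch answer ARP and route around the ASA.
no interface Vlan100
interface Vlan200
 description Default gateway 10.1.1.254 for hosts that sit in VLAN 100
 ip address 10.1.1.254 255.255.255.0
 no shutdown
interface GigabitEthernet3/1
 description to ASA inside (assumed port)
 switchport mode access
 switchport access vlan 100
interface GigabitEthernet3/2
 description to ASA outside (assumed port)
 switchport mode access
 switchport access vlan 200
interface GigabitEthernet3/3
 description host / server port, same subnet, gateway 10.1.1.254
 switchport mode access
 switchport access vlan 100

! ===== ASA 5540, transparent mode (constructed) =====
! Must be the first line if this is pasted in as a text config.
firewall transparent
hostname asa-tfw
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 no shutdown
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 no shutdown
! Management address of the bridge, in the hosts' subnet (assumed value).
ip address 10.1.1.253 255.255.255.0
! Let spanning-tree BPDUs cross the bridge so the two VLANs on the
! same switch do not loop or block (the EtherType ACL from the question).
access-list BPDU ethertype permit bpdu
access-group BPDU in interface inside
access-group BPDU in interface outside
! Layer 3/4 policy for traffic entering from the user side; tighten
! this to the server ports actually needed once the bridge is passing traffic.
access-list OUTSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside
```

A quick sanity check after applying this: `show arp` on the ASA should list both the SVI address 10.1.1.254 (outside) and the hosts (inside); if the hosts still appear on the outside or the switch shows an `interface Vlan100`, the switch is bypassing the bridge.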
