04-05-2006 10:58 AM - edited 03-09-2019 02:31 PM
I'm trying to configure an ASA 5540 in transparent firewall mode. The server farm is connected to the inside zone and users are connected to the outside zone on multiple VLANs routed via inter-VLAN routing on the core switch.
As per the Cisco configuration guidelines for a transparent firewall, the INSIDE and OUTSIDE zones are configured to be in two different VLANs, while the gateway IP address of the server farm is configured on the core switch.
The transparent firewall works fine if connected to TWO different switches with an ACL permit any any on the outside interface. But if TWO DIFFERENT VLANs (e.g. 111 & 222) are configured on the same Catalyst 4500 switch and the inside zone and outside zone (222) are connected to the respective ASA 5540 interfaces in TRANSPARENT MODE - inside interface to port 3/0/1 in VLAN 111 & outside interface to port 3/0/2 in VLAN 222 - traffic is not flowing through.
VLAN 222, USED FOR THE SERVER FARM CONNECTED TO THE INSIDE ZONE, HAS THE DEFAULT GATEWAY ADDRESS CONFIGURED on the CORE SWITCH under INT VLAN 111, which is connected to the OUTSIDE interface of the ASA.
Core switch int gig1/0/1 -> VLAN 111 -> ASA OUTSIDE -> VLAN 222 -> server farm in VLAN 222
No ARP entries are seen on the inside interface. An EtherType ACL to allow BPDUs on both the INSIDE AND OUTSIDE interfaces of the ASA has also been configured.
Can you please provide me with guidelines and a step-by-step procedure to configure the ASA 5540 in transparent firewall mode with the INSIDE & OUTSIDE interfaces connecting to TWO different VLANs on the same Catalyst switch?
Thanking you in advance,
with best regards
Meenaakshi Sundaram
Network Consultant
04-11-2006 11:37 AM
If you download a text configuration to the security appliance that changes the mode with the firewall transparent command, be sure to put the command at the top of the configuration; the security appliance changes the mode as soon as it reads the command and then continues reading the configuration you downloaded. If the command is later in the configuration, the security appliance clears all the preceding lines in the configuration.
06-14-2006 11:42 PM
Hi Meenaakshi,
I am having a similar problem with ASA5520 on 4506 SUP V.
Have you managed to solve the problem? I am still waiting for Cisco to get back to me on this. Meantime any information is greatly appreciated.
Thanks in advance.
Regards,
Tee
01-21-2010 07:33 AM
Has anyone got an answer for this? I am interested to know.
Thanks!
06-03-2010 11:49 AM
Bump - anyone? Is it possible to terminate both the inside and outside interfaces of a transparent firewall on a single Layer 3 switch? It seems like ARP from the switch's Layer 3 interface would prevent this from working.
06-03-2010 02:48 PM
Hi Kirk,
Yes, you can.
You just have to make sure that you configure only 1 SVI on the switch.
Example:
L3 subnet: 10.1.1.0/24
VLAN 100 -- Inside (ASA) Outside -- VLAN 200
Hosts will all be connected to VLAN 100 on the switch.
ASA inside interface will be connected to VLAN 100 on the switch
ASA outside interface will be connected to VLAN 200 on the switch
Switch should only have 1 SVI - interface vlan 200 (10.1.1.254 for example). Switch should never be configured with SVI on vlan 100 (should not have interface vlan 100).
All hosts would be in the 10.1.1.0/24 subnet with the default gateway set to 10.1.1.254.
ASA should only have 2 interfaces (inside - security level 100, and outside - security level 0). They can't be on the same security level.
Hope that helps.
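A minimal switch and ASA configuration that implements the single-SVI design described in the reply above, added here as an illustration and not taken from any post in this thread; the switch port numbers, the ASA interface names, the ACL names and the ASA management address 10.1.1.253 are assumptions.

```cisco
! --- Catalyst switch side (assumed port numbers) ---
! Both VLANs exist, but only VLAN 200 (the ASA outside side) gets an SVI.
vlan 100
 name servers-inside
vlan 200
 name gateway-outside
!
! The only Layer 3 interface in the bridged subnet: the hosts' default gateway.
interface Vlan200
 ip address 10.1.1.254 255.255.255.0
 no shutdown
!
! Deliberately no "interface Vlan100": a second SVI in the same subnet would
! let the switch answer ARP on the inside side and bypass the ASA.
!
! Server farm access port (one shown)
interface GigabitEthernet3/3
 switchport mode access
 switchport access vlan 100
! Port facing the ASA inside interface
interface GigabitEthernet3/1
 switchport mode access
 switchport access vlan 100
! Port facing the ASA outside interface
interface GigabitEthernet3/2
 switchport mode access
 switchport access vlan 200

! --- ASA side (assumed interface names and management address) ---
! Keep this as the first line when downloading a configuration (see the 04-11-2006 reply).
firewall transparent
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 no shutdown
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 no shutdown
! Management address of the transparent ASA, taken from the same 10.1.1.0/24 subnet (assumed value).
ip address 10.1.1.253 255.255.255.0
! Let spanning-tree BPDUs cross the bridge so the switch does not block a port.
access-list ETH ethertype permit bpdu
access-group ETH in interface inside
access-group ETH in interface outside
! Allow traffic from the lower-security outside side toward the servers.
access-list OUTSIDE_IN extended permit ip any any
access-group OUTSIDE_IN in interface outside
```

A quick check after applying it: `show arp` on the ASA should list the hosts on inside and 10.1.1.254 on outside, and the switch's `show ip interface brief` should show Vlan200 as the only SVI in that subnet.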