ASA - Firewall in transparent mode - 8.4 and higher

 

There are many changes in transparent mode compared to older firmware versions, but let's start from the beginning.

The basic concepts of the new ASA transparent mode (8.4 and higher) are:

 

  1. Bridge-group traffic is isolated from other bridge-groups.
  2. Traffic is not routed to another bridge-group within the ASA.
  3. Traffic must exit the ASA before it is routed back by an external router to a different bridge-group.
  4. Each bridge-group requires an IP address for management purposes and for passing traffic through the ASA.
  5. Each bridge-group can consist of up to 4 interfaces.
  6. Each interface must have a security level.
  7. By default all interfaces and subinterfaces use burned-in MAC addresses.
  8. Traffic flow rules are the same as on a normal ASA, e.g.:

 - by default traffic from a higher security level to a lower security level is allowed.

 - by default traffic from a lower security level to a higher security level is denied.

 - http and https filtering is outbound only (from higher to lower).

 - traffic between interfaces on the same security level is allowed in both directions (same inter.....)

 

[screenshot: transparet84-01.png]

 

How to configure ASA in transparent mode:

 

  • First change the firewall mode on the ASA to transparent and reload the firewall.

 

ASA1(config)# firewall transparent

 

  • Configure the bridge group

ASA1(config)# interface BVI 100

The BVI number can be from 1 to 100.

ASA1(config-if)# ip address 192.168.145.70 255.255.255.0

ASA1(config-if)# description Bridge-Group 100

ASA1(config-if)# exit

This IP address is used for management purposes. DO NOT use a /32 subnet, or any other subnet with fewer than 3 host IPs, because the ASA drops ARP packets from the first and last IP in the subnet.

 

  • Assign interfaces to the bridge-group

 

ASA1(config)# interface gigabitEthernet 0

ASA1(config-if)# bridge-group 100

ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.

ASA1(config-if)# no shutdown
ASA1(config-if)# exit

Configure the security level manually if it is not set automatically.

 

ASA1(config)# interface gigabitEthernet 1

ASA1(config-if)# bridge-group 100

ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.

ASA1(config-if)# no shutdown
ASA1(config-if)# exit

Configure the security level manually if it is not set automatically.

 

ASA1(config)# interface gigabitEthernet 2

ASA1(config-if)# bridge-group 100

ASA1(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.

ASA1(config-if)# security-level 50

ASA1(config-if)# no shutdown
ASA1(config-if)# exit

Configure the security level manually if it is not set automatically (here the DMZ interface gets security level 50).
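The rules listed at the top of the page (bridge-group isolation, at most 4 interfaces per bridge-group, default permit from higher to lower security level and deny in the other direction) and the BVI addressing caveat (no subnet with fewer than 3 host IPs, never the first or last IP) can be checked before touching the firewall. The following is an added example, not ASA code and not part of the original article: a small Python model of one transparent-mode bridge-group with the three interfaces configured above (outside 0, inside 100, dmz 50). The names `TransparentASA`, `add_bvi`, `add_interface` and `default_flow` are invented for the example. Because the page's wording for same-security-level traffic is truncated, the model treats that case as permitted only when the `same_security_inter_interface` flag is set; that default is an assumption of the example.

```python
import ipaddress
from dataclasses import dataclass, field

MAX_INTERFACES_PER_BRIDGE_GROUP = 4   # concept 5 on the page
MIN_HOST_IPS_FOR_BVI = 3              # the page's "fewer than 3 host IPs" caveat


@dataclass
class Interface:
    name: str             # nameif, e.g. "inside"
    security_level: int   # 0 (least trusted) .. 100 (most trusted)
    bridge_group: int     # BVI number the interface is assigned to


@dataclass
class TransparentASA:
    """Toy model of the transparent-mode rules described on the page (not ASA code)."""
    bvis: dict = field(default_factory=dict)        # bridge-group number -> IPv4Interface
    interfaces: dict = field(default_factory=dict)  # nameif -> Interface
    # Assumption: traffic between two interfaces at the same security level is only
    # permitted when this flag is set; the page's wording for that case is truncated.
    same_security_inter_interface: bool = False

    def add_bvi(self, number: int, address: str) -> ipaddress.IPv4Interface:
        """Models 'interface BVI <number>' + 'ip address <addr> <mask>' with the page's caveat."""
        if not 1 <= number <= 100:
            raise ValueError("BVI number must be between 1 and 100")
        iface = ipaddress.ip_interface(address)
        net = iface.network
        # The ASA drops ARP from the first and last IP of the subnet, so the subnet must
        # leave at least 3 host IPs and the BVI address must not be one of those two.
        host_ips = max(net.num_addresses - 2, 0)
        if host_ips < MIN_HOST_IPS_FOR_BVI:
            raise ValueError(f"{net} provides only {host_ips} host IPs; need at least {MIN_HOST_IPS_FOR_BVI}")
        if iface.ip in (net[0], net[-1]):
            raise ValueError(f"{iface.ip} is the first or last IP of {net}; ARP from it is dropped")
        self.bvis[number] = iface
        return iface

    def add_interface(self, name: str, bridge_group: int, security_level: int) -> Interface:
        """Models 'bridge-group <n>' + 'nameif <name>' + 'security-level <level>'."""
        if bridge_group not in self.bvis:
            raise ValueError(f"bridge-group {bridge_group} has no BVI IP address yet")
        if not 0 <= security_level <= 100:
            raise ValueError("security-level must be between 0 and 100")
        members = [i for i in self.interfaces.values() if i.bridge_group == bridge_group]
        if len(members) >= MAX_INTERFACES_PER_BRIDGE_GROUP:
            raise ValueError(f"bridge-group {bridge_group} already has {MAX_INTERFACES_PER_BRIDGE_GROUP} interfaces")
        self.interfaces[name] = Interface(name, security_level, bridge_group)
        return self.interfaces[name]

    def default_flow(self, src: str, dst: str) -> tuple:
        """Decide whether a new connection entering on src and leaving on dst is allowed
        with no access-lists configured. Returns (allowed, reason)."""
        s, d = self.interfaces[src], self.interfaces[dst]
        if s.bridge_group != d.bridge_group:
            return False, "bridge-groups are isolated; traffic must exit the ASA and be routed back"
        if s.security_level > d.security_level:
            return True, "higher to lower security level is allowed by default"
        if s.security_level < d.security_level:
            return False, "lower to higher security level is denied by default"
        if self.same_security_inter_interface:
            return True, "same security level, inter-interface traffic permitted"
        return False, "same security level, inter-interface traffic not permitted (assumed default)"


def build_page_topology() -> TransparentASA:
    """The bridge-group from the page: BVI 100 with outside (0), inside (100) and dmz (50)."""
    asa = TransparentASA()
    asa.add_bvi(100, "192.168.145.70/255.255.255.0")
    asa.add_interface("outside", 100, 0)
    asa.add_interface("inside", 100, 100)
    asa.add_interface("dmz", 100, 50)
    return asa


def default_flows(asa: TransparentASA) -> dict:
    """Default permit/deny for every ordered pair of interfaces, keyed by (src, dst)."""
    names = list(asa.interfaces)
    return {(a, b): asa.default_flow(a, b)[0] for a in names for b in names if a != b}


if __name__ == "__main__":
    asa = build_page_topology()
    for (src, dst), allowed in default_flows(asa).items():
        print(f"{src:>7} -> {dst:<7} {'ALLOW' if allowed else 'DROP '}  {asa.default_flow(src, dst)[1]}")
```

Running the block prints the default decision for each interface pair, which is exactly what the connectivity tests in the next section verify on the real box: R2 (inside) to R1 (outside) and DMZ to R1 are allowed, while R1 to R2, R1 to the DMZ server and DMZ to R2 are dropped. The `add_bvi` check catches a /32 or /30 management address, or a first/last address such as 192.168.145.255/24, before the ASA silently drops its ARP traffic.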

  • Verify the configuration

show bridge-group
show interface bridge-group 100

[screenshot: transparet84-0.png]

[screenshot: transparet84-1.png]

show interface ip brief

[screenshot: transparet84-2.png]

show nameif

[screenshot: transparet84-3.png]

  • Verify connectivity between interfaces

  - from R2 to interface bridge-group 100

[screenshot: transparet84-4.png]

  - from R2 to R1 (from higher security level to lower security level)

WARNING! Ping only works when ICMP inspection is enabled in the service-policy. It is better to test via telnet.

[screenshot: transparet84-5.png]

[screenshot: transparet84-6.png]

  - from R1 to interface bridge-group 100

[screenshot: transparet84-7.png]

  - from R1 to R2 (traffic has to be dropped by the ASA)

[screenshot: transparet84-8.png]

[screenshot: transparet84-10.png]

  - ping from R1 to the server in the DMZ (traffic has to be dropped by the ASA)

[screenshot: transparet84-9.png]

[screenshot: transparet84-12.png]

  - telnet from R1 to R2 (traffic has to be dropped by the ASA)

[screenshot: transparet84-13.png]

[screenshot: transparet84-11.png]

  - telnet from DMZ to R1 (traffic is allowed)

[screenshot: transparet84-14.png]

  - telnet from DMZ to R2 (traffic has to be dropped by the ASA)

[screenshot: transparet84-15.png]

[screenshot: transparet84-16.png]

 

This manual was written based on an ASA 5520 and shows how to configure the ASA and how it works by default in transparent mode with firmware 8.4 and higher.

Please tune your configuration based on your requirements.

If you need commercial support please send a request via email.

 

2014-02-21
