Why does an ASA in transparent mode require a management IP in the same subnet as the connected network?
ASA transparent mode: why is it necessary to keep the management IP on the same subnet as the connected network?
What happens if I keep the management IP in a different subnet from the connected network?
Is it only required for traffic to pass through the ASA, and why?
Thanks.
Hello Vijay,
As you say, you can use another one, that is right, but the thing is that the management IP address is not only used for management.
Where you are missing the point:
The IP address assigned to the ASA as a whole will also be used for ARP requests when the ASA does not know where the destination host lies and it is not on the same subnet as the ASA.
It will serve as the source for packets destined to a syslog server, AAA server, NetFlow server, SNMP server, and any packet that the ASA has to generate itself, so in that case the routing of the network will have to be modified to work with that.
If you come to realize that the routing of the network works with a different management IP address on the transparent ASA, then you can do it. I can assure you that I have seen this scenario before working with no problems at all, bud.
Just remember to rate all useful posts like this.
Looking for Networking Assistance?
Contact me directly at [email protected]
I will fix your problem as soon as POSSIBLE.
See you soon,
Julio Segura Carvajal
http://laguiadelnetworking.com
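As an added check for the point made above (this is not code from the thread), the script below parses a constructed transparent-mode ASA config and reports, for each server the ASA must reach with its own IP as the source (syslog, AAA, SNMP), whether that server sits on the management subnet or is reachable through a route whose gateway does; a management IP outside the connected subnet fails the gateway check. The sample config, its addresses and the regexes are assumptions made for the example.

```python
import ipaddress
import re

# Constructed sample of an ASA transparent-mode config (assumption; not from the original post).
SAMPLE_CONFIG = """
firewall transparent
ip address 192.168.9.2 255.255.255.0 standby 192.168.9.7
route outside 0.0.0.0 0.0.0.0 192.168.9.1 1
logging host inside 192.168.9.50
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 10.20.0.5
snmp-server host inside 192.168.9.60 community public
"""

# Lines the script looks for: the management IP, static routes, and the servers
# the ASA itself talks to (syslog, AAA, SNMP), all sourced from the management IP.
IP_RE = re.compile(r"^ip address (\S+) (\S+)", re.M)
ROUTE_RE = re.compile(r"^route \S+ (\S+) (\S+) (\S+)", re.M)
DEST_RES = {
    "syslog": re.compile(r"^logging host \S+ (\S+)", re.M),
    "aaa": re.compile(r"^aaa-server \S+ \(\S+\) host (\S+)", re.M),
    "snmp": re.compile(r"^snmp-server host \S+ (\S+)", re.M),
}

def parse(config):
    m = IP_RE.search(config)
    if not m:
        raise ValueError("no management ip address configured")
    mgmt = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
    routes = [(ipaddress.ip_network(f"{net}/{mask}", strict=False), ipaddress.ip_address(gw))
              for net, mask, gw in ROUTE_RE.findall(config)]
    dests = [(kind, ipaddress.ip_address(ip))
             for kind, rx in DEST_RES.items() for ip in rx.findall(config)]
    return mgmt, routes, dests

def check(config):
    """For each self-sourced destination, say whether the ASA can actually deliver to it."""
    mgmt, routes, dests = parse(config)
    report = {}
    for kind, ip in dests:
        if ip in mgmt.network:
            report[kind] = "on-subnet"          # the ASA ARPs for the host directly
            continue
        # Longest-prefix match among the configured routes
        matches = [(net.prefixlen, gw) for net, gw in routes if ip in net]
        if not matches:
            report[kind] = "unreachable: no route"
        else:
            gw = max(matches)[1]
            # The gateway must be on the management subnet, or the ASA cannot ARP for it
            report[kind] = (f"via {gw}" if gw in mgmt.network
                            else f"broken: gateway {gw} not on management subnet")
    return report

if __name__ == "__main__":
    for kind, verdict in check(SAMPLE_CONFIG).items():
        print(f"{kind:7s} {verdict}")
```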
Tags: Cisco Security
Similar Questions
-
Cisco ASA 55XX Transparent mode through a VLAN
Hello team Cisco Forum!
In a scenario where the Cisco ASA is in transparent mode, is it possible to pass the L2 traffic of a VLAN other than the native VLAN where the firewall's management IP lies?
The switches on the outside and inside interfaces of the ASA are in trunk mode, and I'm moving L2 VLAN traffic from inside to outside and vice versa by using filters on the switches (switchport trunk allowed vlan).
Thank you in advance for your support and comments!
Yes, it is possible, but you will be limited to 8 VLANs, or more precisely, 8 BVI interfaces, so it's not a scalable solution. The problem is that you will need to have different VLANs for the same subnet at both ends of the ASA.
To clarify this point, let's say you use the interfaces Gig0/1 and Gig0/2. On Gig0/1, you would set up subinterfaces with VLANs 2, 3 and 4. Now, if you try to configure the same VLANs on Gig0/2, you will get an error saying something like this VLAN is already configured on another interface. I don't remember the exact error.
So to get this working, you need to configure Gig0/2 with subinterfaces for VLANs... let's say... 5, 6 and 7. You would then associate VLANs 2 and 5 with BVI 1, VLANs 3 and 6 with BVI 2, and VLANs 4 and 7 with BVI 3. Each BVI interface would have its own IP address in the subnet that is being bridged through the ASA.
--
Please do not forget to select a correct answer and rate useful posts
-
ASA in transparent mode with LAN base active failover / standby?
Is it possible to have a pair of ASAs in transparent mode with LAN-based active/standby failover? I configured the failover portion and then configured transparent mode, and it erased my failover configuration. Is this a supported configuration, and if so, is there an example somewhere?
Thanks in advance
Yes. It is possible to have a pair of ASAs in transparent mode with LAN-based active/standby failover. You must perform the failover configuration after converting the appliance to transparent mode.
I saw an example on the Cisco site, but I'll give you an example from one of the projects I run. In fact it's very easy to configure failover in transparent mode. Less work.
I have listed the configs of both firewalls for your reference.
Main firewall
============
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 no shutdown
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
!
interface GigabitEthernet0/3
 description Failover LAN Interface
!
ip address 192.168.9.2 255.255.255.0 standby 192.168.9.7
failover
failover lan unit primary
failover lan interface FAILINT GigabitEthernet0/3
failover key abcdef
failover interface ip FAILINT 172.16.9.1 255.255.255.0 standby 172.16.9.7
The secondary firewall
=================
failover
failover lan unit secondary
failover lan interface FAILINT GigabitEthernet0/3
failover key abcdef
failover interface ip FAILINT 172.16.9.1 255.255.255.0 standby 172.16.9.7
int GigabitEthernet0/3
 no shutdown
Hope the above helps.
-
ASA 5505 transparent mode doesn't pass traffic
Hi all,
need help.
The ASA 5505 does not pass traffic like a patch cord; how do you get traffic through?
ciscoasa# sh ver
Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
Compiled on Sat 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 55 mins 31 secs
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
 Boot microcode : CN1000-MC-BOOT-2.00
 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
 IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05
 0: Int: Internal-Data0/0 : address is e4d3.f193.9486, irq 11
 1: Ext: Ethernet0/0 : address is e4d3.f193.947e, irq 255
 2: Ext: Ethernet0/1 : address is e4d3.f193.947f, irq 255
 3: Ext: Ethernet0/2 : address is e4d3.f193.9480, irq 255
 4: Ext: Ethernet0/3 : address is e4d3.f193.9481, irq 255
 5: Ext: Ethernet0/4 : address is e4d3.f193.9482, irq 255
 6: Ext: Ethernet0/5 : address is e4d3.f193.9483, irq 255
 7: Ext: Ethernet0/6 : address is e4d3.f193.9484, irq 255
 8: Ext: Ethernet0/7 : address is e4d3.f193.9485, irq 255
 9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 10
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
SSL VPN Peers : 2
Total VPN Peers : 10
Dual ISPs : Disabled
VLAN Trunk Ports : 0
Shared License : Disabled
AnyConnect for Mobile : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials : Disabled
Advanced Endpoint Assessment : Disabled
UC Phone Proxy Sessions : 2
Total UC Proxy Sessions : 2
Botnet Traffic Filter : Disabled
This platform has a Base license.
Configuration register is 0x1
Configuration last modified by enable_15 at 20:34:47.689 UTC Wed Dec 5 2012
ciscoasa#
ciscoasa# sh run
: Saved
:
ASA Version 8.2(5)
!
firewall transparent
hostname ciscoasa
enable password 8eeGnt0NEFObbH6U encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
!
interface Vlan2
 nameif outside
 security-level 0
!
ftp mode passive
access-list outs_in extended permit ip any any
access-list outs_in extended permit icmp any any
pager lines 24
mtu inside 1500
mtu outside 1500
no ip address
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outs_in in interface inside
access-group outs_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:234e9b9c6c9c941a89e37011325b6d5e
: end
ciscoasa#
ciscoasa# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
 alert-interval 300
access-list outs_in; 2 elements; name hash: 0xd6c65ba5
access-list outs_in line 1 extended permit ip any any (hitcnt=0) 0x7d210842
access-list outs_in line 2 extended permit icmp any any (hitcnt=0) 0x5532fcc5
ciscoasa#
Hello
Exactly... Good to know it works now.
Do you know why it needs the IP address (as a transparent firewall)?
The ASA will act as a transparent layer 2 device to the network, but what happens when the ASA does not have a particular destination MAC address... What would be the source IP address of the packet? The IP address of the ASA. So that's the main reason why we need it.
We also use it for management traffic and for AAA services (if authentication is used, the ASA will send the AAA authentication request to the server with this source IP address).
Please mark the question as answered, so future users can benefit from this.
Julio Carvajal
Costa Rica
-
ASA between two buildings W / different subnets. How to extend the network?
I have two buildings with two different networks. Users in building one want to be on the network of building two. Standard routing of course will not work. If I put two ASAs, one in each building, with an [IPSEC] VPN between the buildings, will that extend the network? Will this work? If so, where are the commands in the ASA Config Guide?
Thank you... if you can get this to me very fast.
Matt
Matt, a little more information would help: is every building completely separate in terms of physical connectivity, is there any fiber between them, are the two buildings of the same company, does each one have its own Internet service provider?
If there is no connectivity between them other than the Internet, and if each building has its own ISP, then it is assumed that there is already a firewall; if that's the case, you can implement an L2L VPN and connect the two networks via IPsec over the Internet.
Here's a typical scenario
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080950890.shtml
Rgds
Jorge
Please rate any useful message
-
Want the link to open EAS in web mode and details of the Java API
I want the link to open EAS in web mode as well as the details of the Java APIs necessary to get up and running.
Please provide the response if known.
Thank you.
Hello
To connect to EAS on the web, it is http://
: 10080/easconsole/console.html
You should not need any API details; you just need to have a JRE installed, preferably version 1.5.
See you soon
John
http://John-Goodwin.blogspot.com/
-
transparent mode with AIP-SSM-20
I currently have an ASA5510 in routed mode with an AIP-SSM-20.
It is necessary to use a fiber-optic connection between this ASA and the ASA on the campus, so the AIP-SSM will need to be removed and replaced by the SSM-4GE. This part should present no problems.
However, this will remove the IPS device, and I still want to use IPS.
So what I'm thinking is to get another ASA5510, install the AIP-SSM, configure the ASA for transparent mode and put it between the inside of the routed ASA and my local network. The transparent ASA would strictly work as an IPS appliance.
The setup should look like this:
Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN
Can the AIP-SSM still perform IPS with the ASA in transparent mode?
Is it possible to configure the ASA and AIP-SSM such that traffic to and from a particular server completely bypasses the AIP-SSM?
I have a couple of file servers which generate heavy traffic and could overload the AIP-SSM.
Kind regards.
AFAIR, there is no problem installing an AIP in a transparent firewall.
"The ASA in transparent mode can run an AIP. In the event that the AIP fails, the IPS will fail-open and the ASA will continue to pass traffic. However, if an interface or cable fails, then traffic will stop. You would need a failover pair to account for this failure event, which means another ASA and matching AIP."
And no, there is no problem excluding certain hosts/ports/subnets from IPS inspection via MPF.
http://www.Cisco.com/en/us/docs/security/ASA/asa82/configuration/guide/IPS.html#wp1050744
What I would consider, however, is whether an ASA 5510 as a second-level firewall for 5520s will be enough.
http://www.Cisco.com/en/us/products/ps6120/prod_models_comparison.html
HTH,
Marcin
-
Hello
Is it possible to run IPsec and SSL VPN (clientless or AnyConnect) remotely while the ASA is in transparent mode? All NAT/PAT is on the router in front of the ASA.
If so, any example config would be appreciated.
Reg,
Sushil
No, IPsec or SSL VPN is not supported when the ASA is in transparent mode.
Here is the URL for your reference:
http://www.Cisco.com/en/us/docs/security/ASA/asa82/configuration/guide/fwmode.html#wp1222826
-
Eql different groups on the same subnet
Hello
Quick question...
We have four PS6000s in a storage group on an iSCSI network, 192.168.0.0/24. We have now bought two PS6100XV and are thinking about maybe creating another storage group for the new EQL boxes. The reason is to upgrade the new group to 10 GB in the future.
The question is: if we create a new group for the PS6100XV, is it necessary to have a new iSCSI LAN with a different IP subnet, or can we use the same subnet 192.168.0.0/24 that the PS6000s are on?
You can stay on the same subnet. Your switch is the limiting factor.
-
Directly connected to the same subnet - still get 2 hops?
I changed the IP numbers in this example from public ones to private ones.
| Provider IP switch: 192.168.0.162/29 | ------ | Dell 6248 IP: 192.168.0.164/29 | ------ | Halon SX 200 IP: 192.168.0.166/29 |
A traceroute from the Halon router to IP 192.168.0.163 says:
1 192.168.0.164
2 192.168.0.163
Shouldn't it go directly to 192.168.0.163 with 1 hop? Am I missing something here?
I've set up a Quagga router and two HP ProCurve 2626 and could not reproduce the problem.
Does anyone know if I'm missing something? In theory I should be able to simply get 1 hop to an IP address on the same subnet, right? Feels like the Dell switch is doing unnecessary routing...
-
General question about the connections of 3DES side2side ASA
Hello I have a question for a project:
We have an office outside our main building that is connected via a 34 MB radio link and a 10 MB dark fiber. Today the radio link is not secured and the client wants 3DES encryption, and he will use 2 ASA5510s. There are also these 2 questions:
I have an EIGRP process running between the connections and I know that the ASA cannot pass this protocol. So can I use the ASA in transparent mode only for encryption, or as a site-to-site connection?
It's the first time I work with the ASA so any help is appreciated.
Regards
Klaus
This document describes how to use the Cisco Adaptive Security Device Manager (ASDM) to configure the Cisco 5500 Series Adaptive Security Appliance (ASA) to act as a remote VPN server. ASDM provides world-class security management and monitoring through a web management interface that is intuitive and easy to use. Once the Cisco ASA configuration is complete, it can be verified by using the Cisco VPN Client.
http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008060f25c.shtml
-
I use tabbed browsing all the time. When I open a tab for a website that causes a problem, freezing Firefox (but not the computer), I find that I can get rid of the Firefox problem only by restarting the computer. I am then appalled to find that Firefox tries to recreate the same set of tabs that caused the problem in the first place, causing Firefox to freeze again. Usually I can get out of it by closing Firefox and waiting a very long time for Firefox to close completely so that it can be restarted again.
This problem occurs in version 4.0 as well as in the latest version 3 that I had. I remember that in some previous versions Firefox asked if you wanted to recreate your tabs or open a new browser window. I always took the second option. This choice no longer appears.
Set the pref browser.sessionstore.max_resumed_crashes to 0 on the about:config page to get the about:sessionrestore page immediately on the first restart after a crash has occurred or the Task Manager was used to close Firefox.
That allows you to deselect the tabs that you do not want to reopen, but will reopen the other tabs.
See:
- http://KB.mozillazine.org/Session_Restore#Restoring_a_session_after_a_crash
- http://KB.mozillazine.org/browser.sessionstore.max_resumed_crashes
To open the about:config page, type about:config in the address bar and press the Enter key, just as you would type the URL of a website to open it.
If you see a warning then you can confirm that you want to access this page.
You can use the filter bar at the top of the about:config page to more easily spot a pref.
-
Secondary IP on the router with ASA in transparent mode
Hello
I have
Router - ASA (Transparent) - switch
and wonder if it is possible to configure a secondary IP on the interface of the router that is connected to the ASA,
so there is plenty of room in terms of LAN IP address range.
Or, to implement this, do I have to change the ASA to context mode and change the configuration on the ASA?
I hope I don't have to change anything on the ASA.
Thank you
The ASA in transparent mode works as an L2 device,
so whatever IPs you use doesn't matter.
You don't need to change anything in the ASA while in transparent mode.
But beware of what is allowed to pass through the firewall;
it can be controlled by ACL.
The router and switch will operate at L3 as if you connected them directly, with nothing between them from a layer 3 routing perspective,
so they must be in the same subnet, VLANs, and so on.
Good luck.
Please rate if useful.
-
Why is UAC (and what else) required for Protected Mode to work?
Why is UAC (and what else) required for Protected Mode to work?
Hi Leonard Santiago,
User Account Control (UAC) is a feature in Windows that can help prevent unauthorized changes to your computer.
You can check out the following link and check if it helps:
What is user account control?
http://Windows.Microsoft.com/en-us/Windows-Vista/what-is-user-account-control
What does Internet Explorer protected mode do?
http://Windows.Microsoft.com/en-us/Windows-Vista/what-does-Internet-Explorer-protected-mode-do
Hope this information is useful.
-
VPN site to Site - ASA to PIX - same subnet on the inside
Chaps,
I have an unusual scenario where I need a site-to-site VPN tunnel between a Cisco PIX version 7 and a Cisco ASA version 8, which have the same IP subnet at each endpoint. Is it possible to create such a site-to-site tunnel, or do I need to change one of the remote endpoints?
Thank you
Nick
Hi Nicolas,
To allow traffic through the tunnel when having the same addressing scheme at both ends, you should NAT the VPN traffic.
That is to say:
Site A LAN 10.1.1.0/24
Site B LAN 10.1.1.0/24
Site A config:
access-list NAT permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
static (inside,outside) 192.168.1.0 access-list NAT
access-list crypto permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0
Site B config:
access-list NAT permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
static (inside,outside) 192.168.2.0 access-list NAT
access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0
The idea is that Site A will be translated to 192.168.1.0 when going to Site B, and Site B will be translated to 192.168.2.0 when going to Site A.
Hope that makes sense.
Federico.
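As an added illustration (not the poster's own code), the following Python models the two policy NAT configurations in the answer above and traces one packet from a real host at Site A to a real host at Site B through both firewalls, including the pool address a user actually has to target; the host addresses and site labels are constructed assumptions.

```python
import ipaddress

# Constructed model of the policy NAT from the answer above (assumption; not the poster's code).
# Each site NATs its real LAN into its own pool and addresses the peer by the peer's pool.
SITES = {
    "A": {"lan": "10.1.1.0/24", "pool": "192.168.1.0/24", "peer_pool": "192.168.2.0/24"},
    "B": {"lan": "10.1.1.0/24", "pool": "192.168.2.0/24", "peer_pool": "192.168.1.0/24"},
}

def _nets(site):
    s = SITES[site]
    return tuple(ipaddress.ip_network(s[k]) for k in ("lan", "pool", "peer_pool"))

def _shift(addr, src_net, dst_net):
    """Keep the host part, swap the network part: what 'static (inside,outside) <pool> access-list NAT' does."""
    offset = int(addr) - int(src_net.network_address)
    return ipaddress.ip_address(int(dst_net.network_address) + offset)

def peer_address(site, real_host):
    """The address a user at the *other* site must target to reach real_host at `site`."""
    lan, pool, _ = _nets(site)
    return str(_shift(ipaddress.ip_address(real_host), lan, pool))

def outbound(site, src, dst):
    """Sending ASA: policy NAT (ACL 'NAT') translates the source only for traffic to the peer pool.
    Returns the (src, dst) seen on the wire, or None when the packet matches neither the NAT nor crypto ACL."""
    lan, pool, peer = _nets(site)
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in lan or dst not in peer:
        return None
    return str(_shift(src, lan, pool)), str(dst)

def crypto_match(site, src, dst):
    """Crypto ACL: <my pool> -> <peer pool>, evaluated on the post-NAT addresses."""
    _, pool, peer = _nets(site)
    return ipaddress.ip_address(src) in pool and ipaddress.ip_address(dst) in peer

def inbound(site, src, dst):
    """Receiving ASA: un-translate the destination from this site's pool back to the real LAN host."""
    lan, pool, _ = _nets(site)
    d = ipaddress.ip_address(dst)
    if d not in pool:
        return None
    return str(src), str(_shift(d, pool, lan))

def trace(src_site, src_host, dst_site, dst_host):
    """Follow one packet from a real host at src_site to a real host at dst_site through both ASAs."""
    target = peer_address(dst_site, dst_host)           # what the user actually types
    wire = outbound(src_site, src_host, target)
    if wire is None or not crypto_match(src_site, *wire):
        return None
    return {"target": target, "on_wire": wire, "delivered": inbound(dst_site, *wire)}

if __name__ == "__main__":
    print(trace("A", "10.1.1.10", "B", "10.1.1.20"))
```

Sending to the peer's real 10.1.1.x address never matches the NAT ACL, so it stays local; only the pool address crosses the tunnel.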