Why does an ASA in transparent mode require a management IP on the same subnet as the connected network?

In ASA transparent mode, why is it necessary to keep the management IP on the same subnet as the connected network?

What happens if I keep the management IP in a different subnet from the connected network?

If I only want traffic to pass through the ASA, why is it needed?

Thanks.

Hello Vijay,

As you say, you can use another one; that is right, but the thing is that the management IP address is not only used for management.

Here is where you are missing the point.

The IP address assigned to the ASA as a whole will also be used for ARP requests when the ASA does not know where the destination host lies and it is not on the same subnet as the ASA.

It will serve as the source for packets destined to a syslog server, AAA server, NetFlow server, SNMP server, and any packet the ASA has to create itself, so in that sense the routing of the network will have to be modified to work with that.

If you make sure that the routing of the network works with a different management IP address on the transparent ASA, then you can do it. I can assure you that I have seen this scenario working before with no problems at all, bud.

Just remember to rate all useful posts like this.

Looking for a Networking Assistance?
Contact me directly at [email protected]

I will fix your problem as soon as POSSIBLE.

See you soon,

Julio Segura Carvajal
http://laguiadelnetworking.com

Tags: Cisco Security

Similar Questions

  • Cisco ASA 55XX Transparent mode through a VLAN

    Hello team Cisco Forum!

    In a scenario where the Cisco ASA is in transparent mode, is it possible to pass L2 traffic of VLANs other than the native VLAN where the firewall's management IP lies?

    The switches on the outside and inside interfaces of the ASA are in trunk mode, and I'm moving L2 VLAN traffic from inside to outside and vice versa by using filters on the switches (switchport trunk allowed vlan).

    Thank you in advance for your support and comments!

    Yes, it is possible, but you will be limited to 8 VLANs, or more precisely 8 BVI interfaces, so it's not a scalable solution.  The problem is that you will need different VLANs for the same subnet at both ends of the ASA.

    To clarify this point, let's say you use the interfaces Gig0/1 and Gig0/2.  On Gig0/1, you would set up subinterfaces with VLAN 2, 3 and 4.  Now, if you try to configure the same VLANs on Gig0/2, you will get an error saying something like "this VLAN is already configured on another interface". I don't remember the exact error.

    So to get this working, you need to configure Gig0/2 with subinterfaces for VLAN... let's say... 5, 6 and 7.  You would then associate VLAN 2 and 5 with BVI 1, VLAN 3 and 6 with BVI 2, and VLAN 4 and 7 with BVI 3.  Each BVI interface would have its own IP address in the subnet that is bridged through the ASA.

    --

    Please do not forget to select a correct answer and rate useful posts

  • ASA in transparent mode with LAN base active failover / standby?

    Is it possible to have a pair of ASAs in transparent mode with LAN-based active/standby failover? I configured the failover portion and then configured transparent mode, and it erased my failover configuration. Is this a supported configuration, and if so, is there an example?

    Thanks in advance

    Yes. It is possible to have a pair of ASAs in transparent mode with LAN-based active/standby failover. You must perform the failover configuration after converting the appliance to transparent mode.

    I saw an example on the Cisco site, but I'll give you an example from one of the projects I run. In fact, it's very easy to configure failover in transparent mode. Less work.

    I have listed the configs of both firewalls for your reference.

    Main firewall
    ============

    interface GigabitEthernet0/0
     nameif outside
     security-level 0
     no shut
    !
    interface GigabitEthernet0/1
     nameif inside
     security-level 100
     no shut
    !
    interface GigabitEthernet0/2
     shutdown
     no nameif
     no security-level
    !
    interface GigabitEthernet0/3
     description Failover LAN Interface
    !
    ip address 192.168.9.2 255.255.255.0 standby 192.168.9.7
    failover
    failover lan unit primary
    failover lan interface FAILINT GigabitEthernet0/3
    failover key abcdef
    failover interface ip FAILINT 172.16.9.1 255.255.255.0 standby 172.16.9.7

    Secondary firewall
    =================

    failover
    failover lan unit secondary
    failover lan interface FAILINT GigabitEthernet0/3
    failover key abcdef
    failover interface ip FAILINT 172.16.9.1 255.255.255.0 standby 172.16.9.7
    int GigabitEthernet0/3
     no shut

    Hope the above helps.

  • ASA 5505 transparent mode doesn't pass traffic

    Hi all,

    I need help.

    The ASA 5505 does not pass traffic as a transparent bridge. How do I get traffic through?

    ciscoasa# sh ver

    Cisco Adaptive Security Appliance Software Version 8.2(5)
    Device Manager Version 6.4(5)

    Compiled on Sat 20-May-11 16:00 by builders
    System image file is "disk0:/asa825-k8.bin"
    Config file at boot was "startup-config"

    ciscoasa up 55 mins 31 secs

    Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
    Internal ATA Compact Flash, 128MB
    BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

    Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                                 Boot microcode   : CN1000-MC-BOOT-2.00
                                 SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                                 IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
     0: Int: Internal-Data0/0    : address is e4d3.f193.9486, irq 11
     1: Ext: Ethernet0/0         : address is e4d3.f193.947e, irq 255
     2: Ext: Ethernet0/1         : address is e4d3.f193.947f, irq 255
     3: Ext: Ethernet0/2         : address is e4d3.f193.9480, irq 255
     4: Ext: Ethernet0/3         : address is e4d3.f193.9481, irq 255
     5: Ext: Ethernet0/4         : address is e4d3.f193.9482, irq 255
     6: Ext: Ethernet0/5         : address is e4d3.f193.9483, irq 255
     7: Ext: Ethernet0/6         : address is e4d3.f193.9484, irq 255
     8: Ext: Ethernet0/7         : address is e4d3.f193.9485, irq 255
     9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
    10: Int: Not used            : irq 255
    11: Int: Not used            : irq 255

    Licensed features for this platform:
    Maximum Physical Interfaces    : 8
    VLANs                          : 3, DMZ Restricted
    Inside Hosts                   : 10
    Failover                       : Disabled
    VPN-DES                        : Enabled
    VPN-3DES-AES                   : Enabled
    SSL VPN Peers                  : 2
    Total VPN Peers                : 10
    Dual ISPs                      : Disabled
    VLAN Trunk Ports               : 0
    Shared License                 : Disabled
    AnyConnect for Mobile          : Disabled
    AnyConnect for Cisco VPN Phone : Disabled
    AnyConnect Essentials          : Disabled
    Advanced Endpoint Assessment   : Disabled
    UC Phone Proxy Sessions        : 2
    Total UC Proxy Sessions        : 2
    Botnet Traffic Filter          : Disabled

    This platform has a Base license.

    Configuration register is 0x1
    Configuration last modified by enable_15 at 20:34:47.689 UTC Wed Dec 5 2012
    ciscoasa#
    ciscoasa#

    ciscoasa# sh run
    : Saved
    :
    ASA Version 8.2(5)
    !
    firewall transparent
    hostname ciscoasa
    enable password 8eeGnt0NEFObbH6U encrypted
    passwd 2KFQnbNIdI.2KYOU encrypted
    names
    !
    interface Ethernet0/0
     switchport access vlan 2
    !
    interface Ethernet0/1
    !
    interface Ethernet0/2
     shutdown
    !
    interface Ethernet0/3
     shutdown
    !
    interface Ethernet0/4
     shutdown
    !
    interface Ethernet0/5
     shutdown
    !
    interface Ethernet0/6
     shutdown
    !
    interface Ethernet0/7
     shutdown
    !
    interface Vlan1
     nameif inside
     security-level 100
    !
    interface Vlan2
     nameif outside
     security-level 0
    !
    ftp mode passive
    access-list outs_in extended permit ip any any
    access-list outs_in extended permit icmp any any
    pager lines 24
    mtu inside 1500
    mtu outside 1500
    no ip address
    icmp unreachable rate-limit 1 burst-size 1
    no asdm history enable
    arp timeout 14400
    access-group outs_in in interface inside
    access-group outs_in in interface outside
    timeout xlate 3:00:00
    timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
    timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
    timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
    timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
    timeout tcp-proxy-reassembly 0:01:00
    timeout floating-conn 0:00:00
    dynamic-access-policy-record DfltAccessPolicy
    no snmp-server location
    no snmp-server contact
    snmp-server enable traps snmp authentication linkup linkdown coldstart
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    telnet timeout 5
    ssh timeout 5
    console timeout 0
    threat-detection basic-threat
    threat-detection statistics access-list
    no threat-detection statistics tcp-intercept
    !
    class-map inspection_default
     match default-inspection-traffic
    !
    !
    policy-map type inspect dns preset_dns_map
     parameters
      message-length maximum client auto
      message-length maximum 512
    policy-map global_policy
     class inspection_default
      inspect dns preset_dns_map
      inspect ftp
      inspect h323 h225
      inspect h323 ras
      inspect rsh
      inspect rtsp
      inspect esmtp
      inspect sqlnet
      inspect skinny
      inspect sunrpc
      inspect xdmcp
      inspect sip
      inspect netbios
      inspect tftp
      inspect ip-options
    !
    service-policy global_policy global
    prompt hostname context
    no call-home reporting anonymous
    Cryptochecksum:234e9b9c6c9c941a89e37011325b6d5e
    : end
    ciscoasa#

    ciscoasa# sh access-list
    access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
                alert-interval 300
    access-list outs_in; 2 elements; name hash: 0xd6c65ba5
    access-list outs_in line 1 extended permit ip any any (hitcnt=0) 0x7d210842
    access-list outs_in line 2 extended permit icmp any any (hitcnt=0) 0x5532fcc5
    ciscoasa#

    Hello,

    Exactly... Good to know it works now.

    Do you know why it needs the IP address (as a transparent firewall)?

    The ASA will act as a transparent layer 2 device on the network, but what happens when the ASA does not have a particular destination MAC address... what would be the source IP address of that packet? The IP address of the ASA. So that's the main reason why we need it.

    We also use it for management traffic and for AAA services (if authentication is used, the ASA will send the AAA authentication request to the server with this IP address as the source).

    Please mark the question as answered, so future users can benefit from this.

    Julio Carvajal

    Costa Rica
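    As an added example (not code from either thread), a small Python audit of a transparent-mode running-config that applies both Julio's explanation in the main answer (the management IP is the source for ARP and for the ASA's own syslog/AAA/SNMP packets, so the routing must allow those destinations) and the 5505 case in this thread (`no ip address` and no traffic passing). It assumes ASA 8.x CLI command forms and constructed sample configs; the connected subnet has to be supplied by the caller, since the config alone does not reveal it.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Packets the ASA originates itself, sourced from its management IP
# (ASA 8.x CLI forms; the group captures the server address).
ASA_SOURCED = [
    ("syslog", re.compile(r"^logging host \S+ (\S+)")),
    ("aaa", re.compile(r"^aaa-server \S+ \(\S+\) host (\S+)")),
    ("snmp", re.compile(r"^snmp-server host \S+ (\S+)")),
]
IP_ADDR = re.compile(r"^ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")
ROUTE = re.compile(r"^route \S+ (\S+) (\S+) (\S+)")


@dataclass
class Audit:
    mgmt: Optional[ipaddress.IPv4Interface] = None
    routes: List[Tuple[ipaddress.IPv4Network, ipaddress.IPv4Address]] = field(default_factory=list)
    findings: List[str] = field(default_factory=list)


def audit_transparent_config(config: str, connected_subnet: Optional[str] = None) -> Audit:
    """Findings: NOT_TRANSPARENT, NO_MGMT_IP, MGMT_OFF_SUBNET, <SVC>_UNREACHABLE:<ip>.
    connected_subnet is the bridged segment's subnet, known from the adjacent router."""
    a = Audit()
    lines = [ln.strip() for ln in config.splitlines()]
    if "firewall transparent" not in lines:
        a.findings.append("NOT_TRANSPARENT")
        return a
    for ln in lines:
        m = IP_ADDR.match(ln)
        if m and a.mgmt is None:
            a.mgmt = ipaddress.IPv4Interface(f"{m.group(1)}/{m.group(2)}")
        m = ROUTE.match(ln)
        if m:
            net = ipaddress.IPv4Network(f"{m.group(1)}/{m.group(2)}", strict=False)
            a.routes.append((net, ipaddress.IPv4Address(m.group(3))))
    if a.mgmt is None:
        # Nothing to source ARP or the ASA's own syslog/AAA packets from; the
        # 5505 above had exactly this ("no ip address") and passed no traffic.
        a.findings.append("NO_MGMT_IP")
        return a
    if connected_subnet and a.mgmt.ip not in ipaddress.IPv4Network(connected_subnet):
        a.findings.append("MGMT_OFF_SUBNET")
    for name, rx in ASA_SOURCED:
        for ln in lines:
            m = rx.match(ln)
            if m is None:
                continue
            dst = ipaddress.IPv4Address(m.group(1))
            if dst in a.mgmt.network:
                continue  # same subnet: the ASA ARPs for it directly
            # Off-subnet: needs a route whose next hop the ASA can ARP for.
            if not any(dst in net and gw in a.mgmt.network for net, gw in a.routes):
                a.findings.append(f"{name.upper()}_UNREACHABLE:{dst}")
    return a


# Constructed samples, not configs from the thread. The first mirrors the
# 5505 posted above: transparent mode, but "no ip address".
CONFIG_NO_MGMT_IP = "firewall transparent\ninterface Vlan1\n nameif inside\nno ip address\n"
# Management IP on the bridged subnet plus a default route via its gateway, so the
# off-subnet syslog and AAA servers are reachable.
CONFIG_FIXED = """\
firewall transparent
ip address 192.168.1.10 255.255.255.0 standby 192.168.1.11
route outside 0.0.0.0 0.0.0.0 192.168.1.254 1
logging host inside 10.10.5.20
aaa-server TACACS (inside) host 172.16.40.9
"""
# Management IP on a subnet other than the bridged one, and no route at all.
CONFIG_OFF_SUBNET = "firewall transparent\nip address 10.99.0.5 255.255.255.0\nlogging host inside 10.10.5.20\n"
```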

  • ASA between two buildings W / different subnets. How to extend the network?

    I have two buildings with two different networks. Users in building one want to be on the network of building two. Standard routing of course will not work; if I put two ASAs, one in each building, with an [IPSEC] VPN between the buildings, would that extend the network? Will this work? If so, where are the commands in the ASA Config Guide?

    Thank you... if you can get this to me very fast.

    Matt

    Matt, a little more information would help. Is every building completely separate in terms of physical connectivity, with no fiber between them? Are the two buildings of the same company? Does each one have its own Internet access provider?

    If there is no connectivity between them other than the Internet, and if each building has its own ISP, I therefore assume that there is already a firewall; if that's the case, you can implement an L2L VPN and connect the two networks via IPsec over the Internet.

    Here's a typical scenario

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a0080950890.shtml

    Rgds

    Jorge

    Please rate any useful message.

  • Want the link to open EAS in web mode, and details of the required Java API

    Want the link to open EAS in web mode, as well as the details of the Java APIs necessary to get up and running.
    Please provide the response if known.
    Thank you.

    Hello

    To connect to EAS on the web, it is http://:10080/easconsole/console.html
    You should not need any API details; you just need to have a JRE installed, preferably version 1.5.

    See you soon

    John
    http://John-Goodwin.blogspot.com/

  • transparent mode with AIP-SSM-20

    I currently have an ASA5510 in routed mode with an AIP-SSM-20.

    I need to use a fiber-optic connection between the ASA and the campus ASA, so the AIP-SSM will need to be removed and replaced by the SSM-4GE.  This part should present no problems.

    However, this will remove the IPS device, and I still want to use IPS.

    So what I'm thinking is to get another ASA5510, install the AIP-SSM in it, configure that ASA for transparent mode, and put it between the inside of the routed ASA and my local network.  The transparent ASA would work strictly as an IPS appliance.

    The setup should look like this:

    Internal LAN <> transparent ASA with IPS <> routed ASA <> WAN

    Can the AIP-SSM still perform IPS with the ASA in transparent mode?

    Is it possible to configure the ASA and AIP-SSM such that traffic to and from a particular server completely bypasses the AIP-SSM?

    I have a couple of file servers which generate heavy traffic and could overload the AIP-SSM.

    Kind regards.

    AFAIR, there is no problem installing the AIP in a transparent firewall.

    "The ASA in transparent mode can run an AIP.  In the event that the AIP fails,
    the IPS will fail-open and the ASA will continue to pass traffic.
    However, if an interface or cable fails, then traffic will stop.  You
    would need a failover pair to account for this failure event, which
    means another ASA and matching AIP."

    And no, there is no problem excluding certain hosts/ports/subnets from IPS inspection via MPF.

    http://www.Cisco.com/en/us/docs/security/ASA/asa82/configuration/guide/IPS.html#wp1050744

    What I would consider, however, is whether the ASA 5510 as a second-level firewall for the 5520s will be enough.

    http://www.Cisco.com/en/us/products/ps6120/prod_models_comparison.html

    HTH,

    Marcin

  • VPN in transparent mode

    Hello

    Is it possible to run remote-access IPSEC and SSL VPN (clientless or AnyConnect) while the ASA is in transparent mode? All NAT/PAT is on the router in front of the ASA.

    If so, any example config would be appreciated.

    Reg,

    Sushil

    No, neither IPSEC nor SSL VPN is supported when the ASA is in transparent mode.

    Here is the URL for your reference:

    http://www.Cisco.com/en/us/docs/security/ASA/asa82/configuration/guide/fwmode.html#wp1222826

  • Eql different groups on the same subnet

    Hello

    Quick question...

    We have four PS6000s in a storage group on an iSCSI network, 192.168.0.0/24. We have now bought two PS6100XVs and are thinking about maybe creating another storage group for the new EQL boxes. The reason is a future upgrade to 10 GB on the new group.

    The question is, if we create a new group for the PS6100XVs, is it necessary to have a new iSCSI LAN with a different IP subnet, or can we use the same subnet 192.168.0.0/24 that the PS6000s are on?

    You can stay on the same subnet.   Your switch is the limiting factor.

  • Directly connected to the same subnet - still get 2 hops?

    I changed the IP numbers in this example from public ones to private ones.

    | Provider switch IP: 192.168.0.162/29 | ------ | Dell 6248 IP: 192.168.0.164/29 | ------ | Halon SX 200 IP: 192.168.0.166/29 |

    A traceroute from the Halon router to IP 192.168.0.163 says:

    1 192.168.0.164

    2 192.168.0.163

    Shouldn't it go directly to 192.168.0.163 in 1 hop? Am I missing something here?

    I've set up a Quagga router and two HP ProCurve 2626s and could not reproduce the problem.

    Does anyone know if I'm missing something? In theory I should be able to simply get 1 hop to an IP address on the same subnet, right? It feels like the Dell switch is doing unnecessary routing...


  • General question about 3DES site-to-site connections on ASA

    Hello I have a question for a project:

    We have an office outside our main building that is connected via a 34 MB radio link and a 10 MB dark fiber. Today the radio link is not secured, and the client wants 3DES encryption and wants to use 2 ASA5510s. There are also these 2 questions:

    I have an EIGRP process running between the connections, and I know that the ASA cannot pass this protocol. So can I use the ASA in transparent mode only for encryption, or as a site-to-site connection?

    This is the first time I work with the ASA, so any help is appreciated.

    Regards,

    Klaus

    This document describes how to use the Cisco Adaptive Security Device Manager (ASDM) to configure the Cisco 5500 Series Adaptive Security Appliance (ASA) to act as a remote VPN server. The ASDM provides world-class security management and monitoring through a web management interface that is intuitive and easy to use. Once the Cisco ASA configuration is complete, it can be verified by using the Cisco VPN Client.

    http://www.Cisco.com/en/us/products/ps6120/products_configuration_example09186a008060f25c.shtml

  • When Firefox crashes and a restart is necessary, Firefox always tries to open the same tabs that caused the crash before.

    I use tabbed browsing all the time. When I open a tab for a website that poses a problem, freezing Firefox (but not the computer), I find that I can get rid of the Firefox problem only by restarting the computer. I am then appalled to find that Firefox tries to recreate the same set of tabs that caused the problem in the first place, causing Firefox to freeze again. Usually I can get out of it by closing Firefox and waiting a very long time for Firefox to close completely so that it can be restarted again.

    This problem occurs in version 4.0 as well as in the latest version 3 that I had. I remember that in some previous versions Firefox asked if you wanted to recreate your tabs or open a new browser window. I always took the second option. This choice no longer appears.

    Set the pref browser.sessionstore.max_resumed_crashes to 0 on the about:config page to get the about:sessionrestore page immediately on the first restart after a crash has occurred or the Task Manager was used to close Firefox.

    That allows you to deselect the tabs that you do not want to reopen, while the other tabs will be reopened.

    See:

    To open the about:config page, type about:config in the address bar and press the Enter key, just as you type the URL of a website to open it.

    If you see a warning, then you can confirm that you want to access this page.

    You can use the filter bar at the top of the about:config page to more easily spot a pref.

  • Secondary IP on the router with ASA in transparent mode

    Hello

    I have

    Router - ASA (Transparent) - switch

    and I wonder if it is possible to configure a secondary IP on the router interface that is connected to the ASA,

    so there is more room in terms of the LAN IP address range.

    Or, to implement this, do I have to change the ASA to context mode and change the configuration on the ASA?

    I hope I don't have to change anything on the ASA.

    Thank you

    ASA in transparent mode works as an L2 device,

    so whatever IPs you use doesn't matter.

    You don't need to change anything in the ASA when it is in transparent mode.

    But beware of what is allowed to be passed through the firewall.

    It can be controlled by ACLs.

    The router and switch will operate at L3 as if they were connected directly, with nothing between them from a layer 3 routing perspective,

    so they must be in the same subnet, VLANs, and so on.

    Good luck.

    Please rate if useful.

  • Why (and what of) UAC is required for Protected Mode to work

    Why (and what of) UAC is required for Protected Mode to work?

    Hi Leonard Santiago,

    User Account Control (UAC) is a feature in Windows that can help prevent unauthorized changes to your computer.

    You can check out the following link and check if it helps:

    What is user account control?

    http://Windows.Microsoft.com/en-us/Windows-Vista/what-is-user-account-control

    What does Internet Explorer Protected Mode do?

    http://Windows.Microsoft.com/en-us/Windows-Vista/what-does-Internet-Explorer-protected-mode-do

    Hope this information is useful.

  • VPN site to Site - ASA to PIX - same subnet on the inside

    Chaps,

    I have an unusual scenario, in which I need a site-to-site VPN tunnel between a Cisco PIX version 7 and a Cisco ASA version 8, which have the same IP subnet at each endpoint.  Is it possible to create such a site-to-site tunnel, or do I have to change one of the remote endpoints?

    Thank you

    Nick

    Hi Nicolas,

    To allow traffic through the tunnel when having the same addressing scheme at both ends, you should NAT the VPN traffic.

    That is:

    Site A LAN 10.1.1.0/24

    Site B LAN 10.1.1.0/24

    Site A config:

    access-list NAT permit ip 10.1.1.0 255.255.255.0 192.168.2.0 255.255.255.0
    static (inside,outside) 192.168.1.0 access-list NAT
    access-list crypto permit ip 192.168.1.0 255.255.255.0 192.168.2.0 255.255.255.0

    Site B config:

    access-list NAT permit ip 10.1.1.0 255.255.255.0 192.168.1.0 255.255.255.0
    static (inside,outside) 192.168.2.0 access-list NAT
    access-list crypto permit ip 192.168.2.0 255.255.255.0 192.168.1.0 255.255.255.0

    The idea is that Site A will be translated to 192.168.1.0 when going to Site B, and Site B will be translated to 192.168.2.0 when going to Site A.

    Hope that makes sense.

    Federico.
