There are a lot of changes in transparent mode compared with older firmware versions, but let's start from the beginning.

The basic concepts of the new ASA transparent mode (8.4 and later) are:

  1. Traffic in one bridge group is isolated from every other bridge group.
  2. Traffic is not routed between bridge groups inside the ASA.
  3. Traffic must exit the ASA and be routed back by an external router to reach a different bridge group.
  4. Each bridge group requires an IP address (on its BVI) for management and for passing traffic through the ASA; the ASA also uses it as the source address of packets it originates on that bridge group.
  5. Each bridge group can contain up to 4 interfaces.
  6. Each interface must have a name (nameif) and a security level.
  7. By default all interfaces and subinterfaces use the burned-in MAC address.
  8. Traffic flow rules are the same as on a routed ASA, e.g.:

– by default traffic from a higher security level to a lower security level is allowed.

– by default traffic from a lower security level to a higher security level is denied.

– HTTP and HTTPS filtering is outbound only (from higher to lower).

– traffic between interfaces on the same security level is allowed in both directions only once this is explicitly permitted (same inter…..).

transparet84-01.png

How to configure ASA in transparent mode:

  • First change the firewall mode to transparent. Changing the mode clears the running configuration, so do it from the console and back up the current configuration first; the change takes effect immediately and no reload is required.

ASA1(config)# firewall transparent

  • Configure the bridge group

ASA1(config)# interface BVI 100

The BVI number can be 1 to 100.

ASA1(config-if)# ip address 192.168.145.70 255.255.255.0

ASA1(config-if)# description Bridge-Group 100

ASA1(config-if)# exit

This address is used for management and as the source address of packets the ASA itself originates on the bridge group; hosts never use it as a gateway, because the ASA does not route. DO NOT use a /32 or any other mask with fewer than 3 host addresses (for example a /30), because the ASA drops ARP packets to and from the first and last address of the subnet, and you need one address each for the upstream router, the downstream router and the ASA.

  • Assign interfaces to the bridge group

ASA1(config)# interface gigabitEthernet 0

ASA1(config-if)# bridge-group 100

ASA1(config-if)# nameif outside
INFO: Security level for “outside” set to 0 by default.

ASA1(config-if)# no shutdown
ASA1(config-if)# exit

ASA1(config)# interface gigabitEthernet 1

ASA1(config-if)# bridge-group 100

ASA1(config-if)# nameif inside
INFO: Security level for “inside” set to 100 by default.

ASA1(config-if)# no shutdown
ASA1(config-if)# exit

ASA1(config)# interface gigabitEthernet 2

ASA1(config-if)# bridge-group 100

ASA1(config-if)# nameif dmz
INFO: Security level for “dmz” set to 0 by default.

ASA1(config-if)# security-level 50

ASA1(config-if)# no shutdown
ASA1(config-if)# exit

The nameif command assigns security level 100 to an interface named “inside” and 0 to any other name, so set the security level explicitly wherever the default is not what you want (as for dmz above). Every member interface needs both a nameif and a security level before the ASA passes traffic on it.

  • Verify configuration

show bridge-group and show interface bridge-group 100

transparet84-0.png

transparet84-1.png

show interface ip brief

transparet84-2.png

show nameif

transparet84-3.png

  • Verify connectivity between interfaces

– from R2 to the bridge-group 100 management address

transparet84-4.png

– from R2 to R1 (from the higher security level to the lower one)

WARNING! Ping across the ASA only works when ICMP inspection (inspect icmp) is enabled in the service-policy; without it the echo-request is forwarded but the returning echo-reply is dropped at the lower-security interface. It is better to test with telnet, which is tracked as a TCP connection.

transparet84-5.png

transparet84-6.png

– from R1 to the bridge-group 100 management address

transparet84-7.png

– from R1 to R2 (dropped by the ASA: lower to higher security level)

transparet84-8.png

transparet84-10.png

– ping from R1 to the server in the DMZ (dropped by the ASA: outside 0 to dmz 50)

transparet84-9.png

transparet84-12.png

– telnet from R1 to R2 (dropped by the ASA: outside 0 to inside 100)

transparet84-13.png

transparet84-11.png

– telnet from DMZ to R1 (allowed: dmz 50 to outside 0)

transparet84-14.png

– telnet from DMZ to R2 (dropped by the ASA: dmz 50 to inside 100)

transparet84-15.png

transparet84-16.png
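To tie the concept list at the top of the page to the test results above, here is an added example (my own Python, not ASA code or ASA output) that models the defaults. It parses a small constructed configuration written in the same CLI syntax as the steps above, checks the bridge-group rules (at most 4 members, a nameif on every member, a management address that is not a /32 or any other mask with fewer than 3 usable hosts), and predicts the verdict of each connectivity test from the security-level rules with no access-lists applied. The second bridge group 200 with a guest interface is assumed here only to show that traffic between bridge groups is dropped; it is not part of the lab on this page.

```python
"""Checker for the ASA 8.4 transparent-mode defaults described on this page: it
parses a constructed config, validates the bridge-group rules and predicts tests."""
import ipaddress
# Constructed sample config: the page's bridge group 100 plus an assumed group 200.
SAMPLE_CONFIG = """
interface BVI 100
 ip address 192.168.145.70 255.255.255.0
interface BVI 200
 ip address 10.10.10.2 255.255.255.0
interface gigabitEthernet 0
 bridge-group 100
 nameif outside
interface gigabitEthernet 1
 bridge-group 100
 nameif inside
interface gigabitEthernet 2
 bridge-group 100
 nameif dmz
 security-level 50
interface gigabitEthernet 3
 bridge-group 200
 nameif guest
"""


def parse_config(text):
    """Return (bvis, ifaces): BVI number -> {ip, mask}; list of member dicts."""
    bvis, ifaces, current = {}, [], None
    for line in (raw.strip() for raw in text.splitlines()):
        words = line.split()
        if line.lower().startswith("interface bvi"):
            current = bvis.setdefault(int(words[2]), {})
        elif line.startswith("interface"):
            current = {"name": None, "bridge_group": None, "level": None}
            ifaces.append(current)
        elif current is not None and words:
            if words[0] == "ip":  # ip address A.B.C.D M.M.M.M
                current["ip"], current["mask"] = words[2], words[3]
            elif words[0] == "bridge-group":
                current["bridge_group"] = int(words[1])
            elif words[0] == "nameif":  # nameif assigns the default level
                current["name"] = words[1]
                current["level"] = 100 if words[1] == "inside" else 0
            elif words[0] == "security-level":
                current["level"] = int(words[1])
    return bvis, ifaces


def check_bridge_group(bvis, ifaces, number):
    problems = []
    members = [i for i in ifaces if i["bridge_group"] == number]
    if len(members) > 4:  # ASA 8.4 allows 4 interfaces per bridge group
        problems.append("more than 4 member interfaces")
    if any(i["name"] is None for i in members):
        problems.append("member interface without nameif/security-level")
    bvi = bvis.get(number, {})
    if "ip" not in bvi:
        return problems + ["BVI %d has no management IP address" % number]
    net = ipaddress.ip_network("%s/%s" % (bvi["ip"], bvi["mask"]), strict=False)
    # ARP to/from the first and last address is dropped, so /30, /31 and /32
    # cannot hold the 3 hosts needed (two routers and the ASA itself).
    usable = max(net.num_addresses - 2, 0)
    if usable < 3:
        problems.append("mask leaves %d usable hosts, need at least 3" % usable)
    return problems


def default_verdict(ifaces, src, dst, proto="tcp", inspect_icmp=False,
                    same_security=False):
    """Predict (allowed, reason) for a new flow with no access-lists applied."""
    by_name = {i["name"]: i for i in ifaces}
    s, d = by_name[src], by_name[dst]
    if s["bridge_group"] != d["bridge_group"]:
        return False, "different bridge groups: must exit the ASA and be routed back"
    if s["level"] < d["level"]:
        return False, "lower to higher security level"
    if s["level"] == d["level"] and not same_security:
        return False, "same level without same-security-traffic permit inter-interface"
    if proto == "icmp" and not inspect_icmp:  # needs 'inspect icmp' in the policy
        return False, "echo-request passes but the returning echo-reply is dropped"
    return True, "higher to lower security level"


PAGE_TESTS = [  # R1 is behind outside, R2 behind inside, the server in dmz
    ("R2 -> R1 ping, no ICMP inspection", "inside", "outside", "icmp"),
    ("R2 -> R1 telnet", "inside", "outside", "tcp"),
    ("R1 -> R2 telnet", "outside", "inside", "tcp"),
    ("R1 -> DMZ ping", "outside", "dmz", "icmp"),
    ("DMZ -> R1 telnet", "dmz", "outside", "tcp"),
    ("DMZ -> R2 telnet", "dmz", "inside", "tcp"),
    ("R2 -> guest telnet (other bridge group)", "inside", "guest", "tcp"),
]


def run_page_tests(config=SAMPLE_CONFIG):
    _, ifaces = parse_config(config)
    return {label: default_verdict(ifaces, s, d, p)[0] for label, s, d, p in PAGE_TESTS}
```

Call run_page_tests() to get the same allow/drop pattern as the screenshots above (only the two higher-to-lower telnet tests come back True). Calling default_verdict with inspect_icmp=True shows why enabling ICMP inspection makes the R2 to R1 ping succeed, and running check_bridge_group on a config whose BVI mask is 255.255.255.252 or 255.255.255.255 reports the host-count problem described in the bridge-group step.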


This guide was written on an ASA 5520 and shows how to configure transparent mode and how the ASA behaves by default in firmware 8.4 and later.

Please tune the configuration to your own requirements.

If you need commercial support please send a request via email.