Transparent mode has changed a lot compared with older firmware versions, so let's start from the beginning.
The basic concepts of transparent mode on the new ASA (8.4 and later) are:
- Traffic in a bridge-group is isolated from every other bridge-group.
- Traffic is not routed between bridge-groups inside the ASA.
- Traffic must exit the ASA and be routed back by an external router to reach a different bridge-group.
- Each bridge-group requires an IP address, both for management and for passing traffic through the ASA.
- Each bridge-group can contain up to 4 interfaces.
- Each interface must have a security level.
- By default all interfaces and subinterfaces use their burned-in MAC addresses.
- Traffic flow rules are the same as on a routed-mode ASA, e.g.:
– by default traffic from a higher security level to a lower security level is allowed.
– by default traffic from a lower security level to a higher security level is denied.
– HTTP and HTTPS filtering is outbound only (from higher to lower).
– traffic between interfaces at the same security level is not passed by default; once it is enabled it is allowed in both directions (same inter…..)
How to configure the ASA in transparent mode:
- First change the firewall mode to transparent and reload the firewall. Changing the mode clears the running configuration, so back it up first.
ASA1(config)# firewall transparent
- Configure the bridge group (the BVI number can be from 1 to 100):
ASA1(config)# interface BVI 100
ASA1(config-if)# ip address 192.168.145.70 255.255.255.0
ASA1(config-if)# description Bridge-Group 100
ASA1(config-if)# exit
The BVI IP address is used for management, and without it the bridge-group cannot pass traffic at all. DO NOT use a /32 mask, or any subnet with fewer than 3 host addresses, because the ASA drops ARP packets for the first and last IP address in the subnet.
- Assign interfaces to the bridge-group
ASA1(config)# interface gigabitEthernet 0
ASA1(config-if)# bridge-group 100
ASA1(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ASA1(config-if)# no shutdown
ASA1(config-if)# exit
The nameif command sets the security level automatically: "inside" gets 100, any other name gets 0. Set it explicitly with security-level whenever the default is not what you want.
ASA1(config)# interface gigabitEthernet 1
ASA1(config-if)# bridge-group 100
ASA1(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ASA1(config-if)# no shutdown
ASA1(config-if)# exit
ASA1(config)# interface gigabitEthernet 2
ASA1(config-if)# bridge-group 100
ASA1(config-if)# nameif dmz
INFO: Security level for "dmz" set to 0 by default.
ASA1(config-if)# security-level 50
ASA1(config-if)# no shutdown
ASA1(config-if)# exit
The DMZ interface received 0 by default, which would put it at the same level as outside, so the explicit security-level 50 above is required.
- Verify the configuration:
show bridge-group
show interface bridge-group 100
show interface ip brief
show nameif
- Verify connectivity between interfaces (R1 sits on the outside segment, R2 on the inside segment and the server in the DMZ):
– from R2 to the bridge-group 100 address
– from R2 to R1 (from a higher security level to a lower one, so it is allowed)
WARNING! Ping only succeeds when ICMP inspection is enabled in the service policy; without it the ASA does not track the echo as a connection, so the echo-reply coming back on the lower-security interface is dropped. Testing with telnet is more reliable.
– from R1 to the bridge-group 100 address
– from R1 to R2 (traffic has to be dropped by the ASA)
– ping from R1 to the server in the DMZ (traffic has to be dropped by the ASA)
– telnet from R1 to R2 (traffic has to be dropped by the ASA)
– telnet from the DMZ to R1 (traffic is allowed)
– telnet from the DMZ to R2 (traffic has to be dropped by the ASA)
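The following Python script is an added example, not part of the original post and not a Cisco tool. It parses a running-config fragment in the shape the commands above produce (the sample config is constructed here, not captured from a device), audits it against the bridge-group rules listed at the top of the post (transparent mode set, every member has nameif and security-level, at most 4 members per bridge-group, BVI has an address that is not /32 and not the first or last address of its subnet), and predicts the default verdict for each of the connectivity tests above from the security levels alone. The function names audit, default_flow and ping_expected, the MAX_MEMBERS constant and the placement of R1 on outside and R2 on inside are assumptions made for the example; ping_expected models the ICMP caveat from the warning above.

```python
import ipaddress
import re

# Constructed sample: the running-config the commands in the post produce (not from a real device).
SAMPLE_CONFIG = """\
firewall transparent
interface BVI100
 ip address 192.168.145.70 255.255.255.0
 description Bridge-Group 100
interface GigabitEthernet0
 bridge-group 100
 nameif outside
 security-level 0
interface GigabitEthernet1
 bridge-group 100
 nameif inside
 security-level 100
interface GigabitEthernet2
 bridge-group 100
 nameif dmz
 security-level 50
"""

MAX_MEMBERS = 4  # member interfaces per bridge-group on ASA 8.4 transparent mode (assumed constant name)


def parse(config):
    """Return (is_transparent, bvis, members): bvis maps bridge-group number to the BVI's
    IPv4Interface (None if no ip address); members maps interface name to bg/nameif/level."""
    transparent, bvis, members, cur = False, {}, {}, None
    for line in config.splitlines():
        w = line.split()
        if line == "firewall transparent":
            transparent = True
        elif w and w[0] == "interface" and not line.startswith(" "):
            bvi = re.fullmatch(r"BVI(\d+)", w[1], re.IGNORECASE)
            if bvi:
                cur = ("bvi", int(bvi.group(1)))
                bvis[cur[1]] = None
            else:
                cur = ("phy", w[1])
                members[w[1]] = {"bg": None, "nameif": None, "level": None}
        elif cur and line.startswith(" ") and w:
            if cur[0] == "bvi" and w[:2] == ["ip", "address"]:
                bvis[cur[1]] = ipaddress.IPv4Interface(f"{w[2]}/{w[3]}")  # dotted mask accepted
            elif cur[0] == "phy" and w[0] in ("bridge-group", "security-level"):
                members[cur[1]]["bg" if w[0] == "bridge-group" else "level"] = int(w[1])
            elif cur[0] == "phy" and w[0] == "nameif":
                members[cur[1]]["nameif"] = w[1]
        else:
            cur = None  # "!" separator or blank line ends the stanza
    return transparent, bvis, members


def audit(config):
    """Check a config against the bridge-group rules from the post; empty list = all satisfied."""
    transparent, bvis, members = parse(config)
    out = [] if transparent else ["firewall mode is not transparent"]
    groups = {}
    for name, m in members.items():
        if m["nameif"] is None or m["level"] is None:
            out.append(f"{name}: missing nameif or security-level")
        if m["bg"] is None:
            out.append(f"{name}: not in a bridge-group, cannot pass traffic")
        else:
            groups.setdefault(m["bg"], []).append(name)
    for bg, names in groups.items():
        if len(names) > MAX_MEMBERS:
            out.append(f"bridge-group {bg}: {len(names)} members, limit is {MAX_MEMBERS}")
        addr = bvis.get(bg)
        if addr is None:
            out.append(f"bridge-group {bg}: BVI{bg} has no ip address (required to pass traffic)")
        elif addr.network.prefixlen == 32:
            out.append(f"BVI{bg}: /32 mask is not allowed")
        elif addr.ip in (addr.network.network_address, addr.network.broadcast_address):
            out.append(f"BVI{bg}: {addr.ip} is the first or last address of {addr.network}; "
                       "the ASA drops ARP for those")
    return out


def default_flow(config, src, dst, same_security_permitted=False):
    """Default verdict ("allow", "deny", "no-path") for a new connection entering on nameif
    src and leaving on nameif dst, with no access-lists configured."""
    _, _, members = parse(config)
    by_name = {m["nameif"]: m for m in members.values() if m["nameif"]}
    s, d = by_name[src], by_name[dst]
    if s["bg"] != d["bg"]:
        return "no-path"  # different bridge-groups: must leave the ASA and be routed back externally
    if s["level"] > d["level"] or (s["level"] == d["level"] and same_security_permitted):
        return "allow"
    return "deny"


def ping_expected(config, src, dst, icmp_inspected=False):
    """True if an echo from src to dst gets its reply back. Without ICMP inspection the echo is
    not tracked as a connection, so the echo-reply on the lower-security side is dropped."""
    return default_flow(config, src, dst) == "allow" and icmp_inspected


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG) or "no findings")
    for s, d in [("inside", "outside"), ("outside", "inside"), ("dmz", "outside"), ("dmz", "inside")]:
        print(f"{s} -> {d}: telnet {default_flow(SAMPLE_CONFIG, s, d)}, "
              f"ping {'ok' if ping_expected(SAMPLE_CONFIG, s, d, True) else 'fails'}")
```

Run it against `show running-config` output saved to a file by replacing SAMPLE_CONFIG with the file's contents; the audit catches the /32 and first-or-last-address mistakes from the BVI note above before they cost you a lab session, and default_flow tells you which of the telnet tests above must succeed or fail before you configure any access-lists.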
This guide was written on an ASA 5520 and shows how to configure transparent mode and how the ASA behaves by default in transparent mode on firmware 8.4 and later.
Please tune the configuration to your own requirements.
If you need commercial support, please send a request by email.