ASA in transparent mode

Started by Dieselboy, August 01, 2017, 01:20:07 AM


Dieselboy

I am thinking of setting up an ASA 5506 with FirePOWER in transparent mode, so that it can be slipped in-line between an existing IOS router / firewall and the internal network. I've not used transparent mode before. I tried to create a BVI using the same subnet as what I had on the management interface, but of course this doesn't work as the ASA doesn't support VRFs :)

Does anyone have any words of advice for me when using transparent mode? Are there any "gotchas" I should be aware of?

Dieselboy

One thing I am unsure of: If I drop this ASA in-line in transparent mode, between a router and a switch and the router has subinterfaces for 802.1Q VLANs and the switch has a trunk port, does the ASA pass them normally?

Dieselboy

I did some digging and it looks like I need to add subinterfaces with .1Q VLANs and place the associated VLAN and subinterfaces into the relevant bridge groups. Will test it out :)

dlots

I haven't done transparent mode in quite some time and that was on a 6509 FWSM, so take this with a grain of salt. The way it worked was that it was pure Layer 2, and you had 2 VLANs, an in VLAN and an out VLAN.
vlan 501 Outside
vlan 1501 Inside

(Server)==vlan1501===(FW)==vlan501==(DFGW router)

It worked pretty much the same as STP, with the FW moving traffic between VLANs.
Servers on vlan 1501 could talk unencumbered to one another.

I am pretty sure you can't do VPN on a router that is in transparent mode.

You might also look at failover; I think something was odd about that also.

Dieselboy

Thanks mate, I am still getting to grips with this but it looks like your post is still current. I was hoping to minimise network changes on site and drop this inline between the existing upstream router and core switch.

PS the VPN feature I lose with transparent mode will be taken care of by the upstream router  ;)

Thanks for the diagram. Very helpful. So it looks like for me to do that I have two options. Either change the VLANs on the core switch (like what you've done with vlan 1501) OR change the VLANs on the upstream router. As I'm not going to site, I will probably do this on the upstream router because I'll have access to that remotely and don't want to risk losing connection to the switch. Been a long time since I last used kron  :mrgreen:

I understand now why you need to bridge 2 VLANs to make this work.

Dieselboy

I have this all working now (thanks dlots!) :) Basically bridging 2 VLANs with the ASA sitting in the middle.

  • Each VLAN has its own bridge group
  • Real VLAN ID towards core switch
  • New VLAN ID towards upstream router
  • Subinterfaces on the ASA specifying the VLAN and the bridge group

Initially the SFR was not working as the ASA was not sending packets to the module even though it was configured to do so within the policy. I couldn't figure it out, even rebooted the unit, but of course that didn't work either. Started logging a case and generated the troubleshooting files from FMC for the unit. Then, magically, it all started working! I am wondering if generating the troubleshooting files causes something to trigger or reset in the SFR module.
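As an added example (not from any poster in this thread), an ASA configuration sketch of the layout described in the post above: one bridge group per protected VLAN, the real VLAN ID on the trunk towards the core switch, a new VLAN ID on the trunk towards the upstream router, and the SFR redirect in the service policy. Interface names, VLAN IDs and addresses are constructed.

```cisco
! Constructed example: transparent ASA 5506-X bridging VLAN 10 (core side)
! to VLAN 110 (router side). Repeat the pattern per protected VLAN;
! note each bridge group consumes two VLAN IDs against the VLAN licence.
firewall transparent
!
interface GigabitEthernet1/1
 description Trunk to core switch (real VLAN IDs)
 no nameif
 no security-level
!
interface GigabitEthernet1/2
 description Trunk to upstream router (new VLAN IDs)
 no nameif
 no security-level
!
interface GigabitEthernet1/1.10
 vlan 10
 nameif inside-v10
 bridge-group 10
 security-level 100
!
interface GigabitEthernet1/2.110
 vlan 110
 nameif outside-v10
 bridge-group 10
 security-level 0
!
! Management address for the bridge group, inside the bridged subnet
! (constructed 10.1.10.0/24); hosts keep their existing default gateway.
interface BVI10
 ip address 10.1.10.2 255.255.255.0
!
! Traffic from the lower security-level (router) side into the bridged
! VLAN needs an explicit permit; higher to lower passes by default.
access-list outside-v10_in extended permit icmp any any
access-group outside-v10_in in interface outside-v10
!
! Redirect all traffic through the FirePOWER (SFR) module; fail-open
! keeps the link forwarding if the module is down or not responding.
class-map sfr-class
 match any
policy-map global_policy
 class sfr-class
  sfr fail-open
service-policy global_policy global
```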

Dieselboy

I ran into a bit of a problem :))
Basically I have a base license which is limited to five VLANs. I have four VLANs I need to protect so no problem, right? Well because of how the transparent mode works I need to use a bridge group per VLAN which needs two VLANs (one for the LAN side and one for the WAN side) so that means I need a license which will allow 8 VLANs minimum.

Thinking I'll either need to set it up in routed mode or use a VRF on the existing router and then route through the ASA using a single subnet.
I'm not sure whether I can use a single bridge group interface? There may be a way that way, but I read that a BVI will only work for traffic it has a subnet on. Since each of my VLANs uses a /24 which is allocated from a larger /20, could I configure an IP in the 1st /24 range and use a /20 mask on the ASA itself? Incoming packets on the LAN side of the ASA will have different VLAN tags for the different VLANs; would the ASA remove or keep the VLAN tag on the packet? I've seen an option of "secondary VLANs" in the ASDM interface config window, but looking that up took me to a page describing private VLANs, so it didn't seem like it would be what I was after. But it could be though, if the other VLANs on the trunk were secondary and the upstream router was promiscuous. I'll have to read up on it tomorrow. If the ASA removes the VLAN tag, then on the upstream router I could remove the subinterfaces for the VLAN-tagged packets and move the IPs to a single interface for the promiscuous VLAN.

Thoughts?

Here's what I can find on the Cisco doc about secondary VLANs:
Quote:
When the ASA receives traffic on the secondary VLANs, it maps it to the primary VLAN.

dlots

I am not sure, I really don't do much with transparent FWs.

Sorry

Dieselboy

:)

I raised a TAC for this and the engineer said this should work; he's going to lab it up for me.

deanwebb

Quote from: Dieselboy on August 03, 2017, 10:33:10 PM
:)

I raised a TAC for this and the engineer said this should work; he's going to lab it up for me.

So he's all like

:challenge-accepted:
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.