IP address of the PC: 192.168.10.10
Gateway (e0/0 of R): 192.168.10.1
We are going to put an ASA between the PC and the Gateway without changing any configuration on the Gateway. This is the use case of a Transparent ASA: it acts as a bump in the wire and will not be discovered by other devices in the network.
Let's see how it is configured.
Remember to back up your configuration before changing the ASA mode from routed to transparent, as the mode change clears the current configuration.
Enter the following command to change the firewall mode to Transparent:
ciscoasa(config)#firewall transparent
Create a BVI and give it the management IP address (to know more about BVIs, please go here):
ciscoasa(config)#interface BVI 1
ciscoasa(config-if)#ip address 192.168.1.150 255.255.255.0
Configure the inside interface and add it to the BVI's bridge group:
ciscoasa(config)#int gig 0/1
ciscoasa(config-if)#security-level 100
ciscoasa(config-if)#nameif INSIDE
ciscoasa(config-if)#bridge-group 1
ciscoasa(config-if)#no shut
Configure the outside interface and add it to the same bridge group:
ciscoasa(config)#int gig 0/0
ciscoasa(config-if)#security-level 0
ciscoasa(config-if)#nameif OUTSIDE
ciscoasa(config-if)#bridge-group 1
ciscoasa(config-if)#no shut
As soon as you enter the above commands, the interfaces appear in the show interface ip brief output like the following.
Now the configuration is over. The PC will forward general traffic to the internet via the gateway without knowing there is an ASA in between. But ICMP pings will not work until you configure the ASA to inspect them. You can do this either from ASDM or from the CLI.
The following are the commands to do it in the CLI:
ciscoasa(config)#policy-map global_policy
ciscoasa(config-pmap)#class inspection_default
ciscoasa(config-pmap-c)#inspect icmp
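A quick sanity check for the bridge-group configuration above. This is an added example, not code from this post or from Cisco; it parses an ASA running-config fragment (the commands from this post, written out in long form with the ICMP inspection included, are embedded as constructed sample input) and flags the mistakes that usually stop a transparent ASA from passing traffic or from being reachable: a missing firewall transparent, a member interface left shut down or without a nameif, a member carrying an IP address, a bridge group with fewer than two members or no BVI, members that all share one security level, a missing inspect icmp, and a BVI address that lies outside the bridged subnet. That last check is exactly what it reports for the addresses in this post, since the BVI is 192.168.1.150/24 while the PC and gateway sit in 192.168.10.0/24; in transparent mode the BVI address serves only management and ARP, and it has to be on the connected subnet to be reachable. The BRIDGED_HOSTS list and the wording of the findings are my own assumptions.

```python
"""Sanity-check a transparent-mode ASA configuration fragment (added example)."""
import ipaddress
import re

# Constructed sample input: the commands from the post in long form, with the
# ICMP inspection added to the global policy as the post describes.
SAMPLE_CONFIG = """\
firewall transparent
interface BVI1
 ip address 192.168.1.150 255.255.255.0
interface GigabitEthernet0/1
 security-level 100
 nameif INSIDE
 bridge-group 1
 no shutdown
interface GigabitEthernet0/0
 security-level 0
 nameif OUTSIDE
 bridge-group 1
 no shutdown
policy-map global_policy
 class inspection_default
  inspect icmp
"""

# Constructed: the PC and gateway from the post, i.e. the subnet the ASA bridges.
# Assumption for this check: every bridged segment is represented by at least
# one known host address.
BRIDGED_HOSTS = ["192.168.10.10/24", "192.168.10.1/24"]


def parse_interfaces(text):
    """Return (is_transparent, inspects_icmp, {interface name: settings})."""
    transparent = False
    inspects_icmp = False
    ifaces = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # a top-level command ends any interface block
            current = None
            if line == "firewall transparent":
                transparent = True
            elif line.startswith("interface "):
                # "interface BVI 1" and "interface BVI1" name the same object
                name = line.split(None, 1)[1].replace(" ", "")
                current = ifaces.setdefault(name, {"shutdown": True})  # ASA default
            continue
        if line == "inspect icmp":
            inspects_icmp = True
        if current is None:
            continue
        m = re.match(r"ip address (\S+) (\S+)", line)
        if m:
            current["ip"] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}")
        elif line.startswith("security-level "):
            current["security"] = int(line.split()[1])
        elif line.startswith("nameif "):
            current["nameif"] = line.split()[1]
        elif line.startswith("bridge-group "):
            current["bridge_group"] = int(line.split()[1])
        elif line in ("no shutdown", "no shut"):
            current["shutdown"] = False
        elif line == "shutdown":
            current["shutdown"] = True
    return transparent, inspects_icmp, ifaces


def check_transparent_config(text, bridged_hosts):
    """Return a list of findings; an empty list means the fragment looks sane."""
    transparent, inspects_icmp, ifaces = parse_interfaces(text)
    findings = []
    if not transparent:
        findings.append("firewall mode is routed: 'firewall transparent' is missing")
    if not inspects_icmp:
        findings.append("icmp is not inspected: pings through the ASA will fail "
                        "(add 'inspect icmp' to class inspection_default)")
    bvis = {n: c for n, c in ifaces.items() if n.upper().startswith("BVI")}
    members = {n: c for n, c in ifaces.items() if n not in bvis}
    groups = {}
    for name, cfg in members.items():
        if "bridge_group" not in cfg:
            findings.append(f"{name}: not a member of any bridge-group")
            continue
        groups.setdefault(cfg["bridge_group"], []).append(name)
        if "ip" in cfg:
            findings.append(f"{name}: member interfaces carry no IP address in transparent mode")
        if "nameif" not in cfg:
            findings.append(f"{name}: no nameif, so the interface passes no traffic")
        if cfg["shutdown"]:
            findings.append(f"{name}: interface is shut down")
    nameifs = [c["nameif"] for c in members.values() if "nameif" in c]
    if len(nameifs) != len(set(nameifs)):
        findings.append("duplicate nameif values across member interfaces")
    for gid, names in sorted(groups.items()):
        if len(names) < 2:
            findings.append(f"bridge-group {gid}: needs at least two members, has {len(names)}")
        elif len({members[n].get("security") for n in names}) == 1:
            findings.append(f"bridge-group {gid}: all members share one security-level; "
                            "traffic between them needs same-security-traffic permit inter-interface")
        bvi = bvis.get(f"BVI{gid}")
        if bvi is None or "ip" not in bvi:
            findings.append(f"bridge-group {gid}: no BVI{gid} with an ip address")
            continue
        net = bvi["ip"].network
        # The BVI address is only used for management and ARP, but it must sit on
        # the subnet the ASA bridges, otherwise nothing on that segment can reach it.
        off_net = sorted({str(ipaddress.ip_interface(h).network) for h in bridged_hosts
                          if ipaddress.ip_interface(h).ip not in net})
        for subnet in off_net:
            findings.append(f"BVI{gid}: {bvi['ip']} is outside the bridged subnet {subnet}; "
                            "management traffic to the ASA on that segment will fail")
    return findings


if __name__ == "__main__":
    for finding in check_transparent_config(SAMPLE_CONFIG, BRIDGED_HOSTS) or ["no findings"]:
        print(finding)
```

Run as-is it reports only the BVI subnet mismatch; moving the BVI to 192.168.10.150/24 makes the fragment pass cleanly, and removing the no shutdown, the nameif, or the inspect icmp line produces the corresponding finding.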
Note:
If there are switches on both sides of the ASA, you will have to use EtherType ACLs to allow BPDUs. By default the ASA will not forward BPDUs.
If there are routers on both sides that use a routing protocol such as OSPF, you will have to allow the multicast traffic in order to form adjacencies.
If DHCP is configured on the Gateway and the PC is a DHCP client, you will have to add configuration on the ASA to allow the broadcast traffic.
You will not be able to terminate VPNs in this ASA mode because the interfaces work as L2 interfaces.
You can view the current mode of the ASA with the following command:
ciscoasa#show firewall
You can change the ASA back to routed mode with the following command:
ciscoasa(config)#no firewall transparent