ASA Transparent mode traffic redirection

tran.van.tien
Level 1

Hi everyone,

I have two ASA 5585X firewalls deployed in transparent mode and two Catalyst 6500 VSS (core switches). I want to redirect traffic from the core switches to the ASA. How can I do it? I have many VLANs on the core switches. Thank you.


8 Replies

pokemon284
Level 1

Do you know about DNS NAT on the ASA?

Rajneesh Dhiman
Level 1

Hi Tran,

In transparent mode of the firewall, you need to create bridge groups for the VLANs on both (in/out) sides of the firewall.

Example: Configuration on inside/outside interfaces:

interface TenGigabitEthernet0/6
 vlan 20
 nameif inside
 bridge-group 1
 security-level 100

interface TenGigabitEthernet0/7
 vlan 30
 nameif outside
 bridge-group 1
 security-level 0

Now please configure the "BVI" interface with one IP from the same IP subnet for which you want to pass traffic through the firewall:

interface BVI1
 ip address 192.168.10.9 255.255.255.0 standby 192.168.10.10
 ! any free IP can be assigned from the subnet

Now, please allow interested traffic on the outside interface via access-list. This will redirect traffic through the transparent firewall.


Thank you for your answer.

Let me show you a picture that describes my problem. I have core switches with many VLANs (10, 20, 30 for example) and I have just purchased 2 ASA 5585X with 2 x 10Gb ports. I will connect them to the core switches using trunk links. I want to know how to redirect traffic to the ASA with 2 ports and many VLANs. With the solution you suggest I must have many ports :)

Hi Tran,

You need to create multiple virtual interfaces for the inside/outside VLANs.

Don't make both ports a single trunk. You should use dedicated ports for incoming and outgoing traffic. Below is an example of how you can permit multiple VLANs using 2 ports. Attaching a design for your reference:

Config Example:

Inside interfaces for all required VLANs (10,20,30...)

Note: These VLANs (10,20,30...) should be configured as L2 inside VLANs for host connectivity.

interface TenGigabitEthernet0/0
 no nameif
 no security-level

interface TenGigabitEthernet0/0.10
 vlan 10
 nameif inside1
 bridge-group 1
 security-level xx

interface TenGigabitEthernet0/0.20
 vlan 20
 nameif inside2
 bridge-group 2
 security-level xx

interface TenGigabitEthernet0/0.30
 vlan 30
 nameif inside3
 bridge-group 3
 security-level xx

Outside interfaces for all required VLANs (100,200,300...)

Note: These outside VLANs (100,200,300...) will be configured with L3 SVIs on the core switch.

interface TenGigabitEthernet0/1
 no nameif
 no security-level

interface TenGigabitEthernet0/1.100
 vlan 100
 nameif outside1
 bridge-group 1
 security-level xx

interface TenGigabitEthernet0/1.200
 vlan 200
 nameif outside2
 bridge-group 2
 security-level xx

interface TenGigabitEthernet0/1.300
 vlan 300
 nameif outside3
 bridge-group 3
 security-level xx

BVI interface config for all the allowed VLANs (100,200,300)

interface BVI1
 ip address 192.168.10.9 255.255.255.0 standby 192.168.10.10

interface BVI2
 ip address 192.168.20.9 255.255.255.0 standby 192.168.20.10

interface BVI3
 ip address 192.168.30.9 255.255.255.0 standby 192.168.30.10

Thanks

Rajneesh
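The core-switch half of this design (it also covers the single bridge-group version in Rajneesh's first reply), as an added example that is not part of the original thread. It assumes Catalyst IOS syntax, that ASA Te0/0 is cabled to core Te1/1/1 and ASA Te0/1 to core Te1/1/2, and that .1 in each subnet is free for the gateway; the port numbers and addresses are placeholders.

```ios
! Added example: Catalyst 6500 side of the multi-bridge-group design above.
! Assumptions: ASA Te0/0 <-> core Te1/1/1, ASA Te0/1 <-> core Te1/1/2 (placeholders).
! Host VLANs 10/20/30 stay Layer 2 on the core: no SVI, so nothing can route
! around the ASA. Their gateways live in the paired VLANs 100/200/300, which the
! ASA bridges (bridge-group 1/2/3), so every host-to-gateway packet crosses it.
vlan 10,20,30
vlan 100,200,300

! Trunk carrying only the host-side VLANs to the ASA "inside" port.
interface TenGigabitEthernet1/1/1
 description Trunk to ASA Te0/0 (inside side of bridge-groups 1-3)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 10,20,30
 switchport mode trunk
 no shutdown

! Trunk carrying only the gateway-side VLANs to the ASA "outside" port.
! Keeping the two allowed-VLAN lists disjoint is what stops a VLAN from being
! reachable on both sides of the firewall at once.
interface TenGigabitEthernet1/1/2
 description Trunk to ASA Te0/1 (outside side of bridge-groups 1-3)
 switchport
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 100,200,300
 switchport mode trunk
 no shutdown

! Gateway SVIs: same subnets as the ASA BVIs, using .1 (placeholder) so they do
! not collide with the BVI pair .9/.10. Hosts in VLAN 10 point to 192.168.10.1.
interface Vlan100
 description Gateway for hosts in VLAN 10 (via ASA bridge-group 1)
 ip address 192.168.10.1 255.255.255.0
 no shutdown

interface Vlan200
 description Gateway for hosts in VLAN 20 (via ASA bridge-group 2)
 ip address 192.168.20.1 255.255.255.0
 no shutdown

interface Vlan300
 description Gateway for hosts in VLAN 30 (via ASA bridge-group 3)
 ip address 192.168.30.1 255.255.255.0
 no shutdown
```

To confirm traffic is really crossing the ASA, run `show mac address-table vlan 100` on the core: the MAC addresses of hosts in VLAN 10 should be learned on Te1/1/2, not on their access ports.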

Thank you Rajneesh!

Hi Tran Van,

I have the same configuration but I can't ping between different VLANs; I can only ping within the same network or the same VLAN.

Regards,

Hi jrgonzalezz,

Please check your core switches, because they perform the routing ;)

When you say "redirect", what do you mean? Do you want to use the ASA as your client gateway? What role do you want the ASAs to perform? Do you want specific access policies for each VLAN? Please explain.
