[c-nsp] Transparent ASA 5510 on a dot1q Trunk

Fred Reimer freimer at ctiusa.com
Tue Apr 8 09:17:56 EDT 2008


On a FWSM you don't need separate contexts and can set up up to eight bridge
groups.

"If you do not want the overhead of security contexts, or want to maximize
your use of security contexts, you can configure up to eight pairs of
interfaces, called bridge groups. Each bridge group connects to a separate
network. Bridge group traffic is isolated from other bridge groups; traffic
is not routed to another bridge group within the FWSM, and traffic must exit
the FWSM before it is routed by an external router back to another bridge
group in the FWSM. Although the bridging functions are separate for each
bridge group, many other functions are shared between all bridge groups. For
example, all bridge groups share a system log server or AAA server
configuration. For complete security policy separation, use security
contexts with one bridge group in each context."

Finally one thing a FWSM does better than an ASA! (feature-wise)

Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
Senior Network Engineer
Coleman Technologies, Inc.
954-298-1697


> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> bounces at puck.nether.net] On Behalf Of jcovini at free.fr
> Sent: Tuesday, April 08, 2008 5:11 AM
> To: Chris Riling
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Transparent ASA 5510 on a dot1q Trunk
> 
> Hi Chris,
> 
> This is feasible if you use multiple contexts in transparent mode as
> described here:
> http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/examples.html#wp1010043
> 
> Basically you define all the necessary VLAN subinterfaces in the global
> context, then you use them as inside/outside pairs in each context. A guy
> called Ge Moua here at c-nsp sent me a working configuration for this a
> couple of months ago; unfortunately I can't get my hands on it anymore.
> Maybe Ge can kick in and repost it for you.
> 
> Jerome Covini
> 
> 
> 
> Selon Chris Riling <criling at gmail.com>:
> 
> > Hey Guys,
> >
> >      Forgive the dumb question, I'm not much of a Cisco security guy... I
> > have a 5510 I need to put in transparent mode and I want it to sit in the
> > middle of a dot1q trunk and filter traffic for the 4 VLANs traversing the
> > trunk between the two switches. What is the best way to do this? As
> > someone on the list had pointed out to me once, you should be able to
> > create inside and outside VLAN subinterfaces for each VLAN but I'm still a
> > little confused... Anyone else have any input? The ASA supposedly does
> > some "tag switching" and you need to have the same VLANs have one tag on
> > the inside, and another tag on the outside, but I'm not exactly sure how
> > you associate each inside VLAN with its respective outside VLAN and vice
> > versa in the config...
> >
> > Thanks,
> > Chris
> > _______________________________________________
> > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > archive at http://puck.nether.net/pipermail/cisco-nsp/
> >
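The procedure Jerome describes (VLAN subinterfaces defined once in the system execution space, then handed to one transparent context per VLAN as an inside/outside pair), written out as an added worked example. This is not a configuration from the thread, from Ge Moua, or from Cisco's guide. Interface names, VLAN numbers, context names, config-url paths, the 10.10.10.0/24 management subnet and the access lists are all assumed for illustration. The syntax is the ASA 7.x/8.0 style current when this was posted: a single `firewall transparent` in the system space that applies to every context, and a per-context `ip address` for the management address, not the 8.4+ bridge-group/BVI style.

```cisco
! ---- System execution space (assumed ASA 5510, 7.x/8.0 syntax) ----
! Both of these commands are disruptive: "mode multiple" reloads the box and
! "firewall transparent" wipes the running configuration, so set them first
! and check "show version" for the number of contexts your license allows
! (the 5510 base license does not include security contexts).
firewall transparent
mode multiple
!
! Ethernet0/0 faces switch A, Ethernet0/1 faces switch B; both are 802.1Q
! trunks. The same tag is used on both sides of each pair, which is fine
! because the two subinterfaces sit on different physical ports. No "tag
! switching" is configured anywhere: the inside/outside association is made
! purely by allocating the two subinterfaces to the same context below.
interface Ethernet0/0
 no shutdown
interface Ethernet0/0.10
 vlan 10
interface Ethernet0/0.20
 vlan 20
interface Ethernet0/0.30
 vlan 30
interface Ethernet0/0.40
 vlan 40
interface Ethernet0/1
 no shutdown
interface Ethernet0/1.10
 vlan 10
interface Ethernet0/1.20
 vlan 20
interface Ethernet0/1.30
 vlan 30
interface Ethernet0/1.40
 vlan 40
!
! One transparent context per VLAN, each with exactly one interface pair
! (a 7.x/8.0 transparent context cannot hold more than two data interfaces).
! vlan10 doubles as the admin context here to stay within a small context
! license; a dedicated admin context is cleaner if the license allows it.
admin-context vlan10
context vlan10
 allocate-interface Ethernet0/0.10
 allocate-interface Ethernet0/1.10
 config-url disk0:/vlan10.cfg
context vlan20
 allocate-interface Ethernet0/0.20
 allocate-interface Ethernet0/1.20
 config-url disk0:/vlan20.cfg
context vlan30
 allocate-interface Ethernet0/0.30
 allocate-interface Ethernet0/1.30
 config-url disk0:/vlan30.cfg
context vlan40
 allocate-interface Ethernet0/0.40
 allocate-interface Ethernet0/1.40
 config-url disk0:/vlan40.cfg

! ---- Context vlan10 (disk0:/vlan10.cfg); vlan20/30/40 are the same ----
! ---- apart from the interface names, addresses and policy          ----
hostname vlan10
interface Ethernet0/0.10
 nameif outside
 security-level 0
interface Ethernet0/1.10
 nameif inside
 security-level 100
! Management address of this context, inside VLAN 10's own subnet (assumed
! 10.10.10.0/24). Hosts never use it as a gateway; the router for VLAN 10
! (assumed 10.10.10.1) stays where it is on the far side of the trunk.
ip address 10.10.10.254 255.255.255.0
route outside 0.0.0.0 0.0.0.0 10.10.10.1
!
! Assumed policy for traffic arriving from switch A's side: allow HTTP to
! the VLAN 10 hosts, log and drop everything else. Return traffic for
! inside-initiated flows is allowed by the stateful inspection as usual.
access-list OUTSIDE_IN extended permit tcp any 10.10.10.0 255.255.255.0 eq 80
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! A transparent context only forwards IP and ARP unless an EtherType ACL
! says otherwise. If the two switches are expected to keep running STP
! across this link, permit BPDUs explicitly on both interfaces rather than
! relying on whatever the default happens to be on your release.
access-list L2 ethertype permit bpdu
access-group L2 in interface outside
access-group L2 in interface inside
```

Two checks worth making once this is in place. First, the switch trunk ports on either side should be pruned to exactly the VLANs you have built contexts for (`switchport trunk allowed vlan 10,20,30,40` on IOS): a tag that reaches the ASA with no matching subinterface is simply dropped, not passed through untouched, so any extra VLAN on the trunk silently disappears across the firewall. Second, `changeto context vlan10` followed by `show conn` and `show logging` will confirm that the per-VLAN policy is actually seeing the traffic you expect; if a VLAN's hosts lose connectivity entirely, the usual cause is that its pair was allocated to the wrong context or that the subinterface on one physical port was left without a `vlan` statement.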