[c-nsp] Transparent ASA 5510 on a dot1q Trunk

Chris Riling criling at gmail.com
Thu Apr 10 10:38:02 EDT 2008


Thanks for the help! Yeah, Ge did send me his configs and helped me out
quite a bit, I'm going to have to lab it up here though and see; sometimes
that's the best way to go!

Thanks,
Chris


On 4/8/08, Fred Reimer <freimer at ctiusa.com> wrote:
>
> On a FWSM you don't need separate contexts and can set up up to eight
> bridge groups.
>
> "If you do not want the overhead of security contexts, or want to maximize
> your use of security contexts, you can configure up to eight pairs of
> interfaces, called bridge groups. Each bridge group connects to a separate
> network. Bridge group traffic is isolated from other bridge groups; traffic
> is not routed to another bridge group within the FWSM, and traffic must exit
> the FWSM before it is routed by an external router back to another bridge
> group in the FWSM. Although the bridging functions are separate for each
> bridge group, many other functions are shared between all bridge groups. For
> example, all bridge groups share a system log server or AAA server
> configuration. For complete security policy separation, use security
> contexts with one bridge group in each context."
>
> Finally one thing a FWSM does better than an ASA! (feature wise)
>
> Fred Reimer, CISSP, CCNP, CQS-VPN, CQS-ISS
> Senior Network Engineer
> Coleman Technologies, Inc.
> 954-298-1697
>
>
> > -----Original Message-----
> > From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-
> > bounces at puck.nether.net] On Behalf Of jcovini at free.fr
> > Sent: Tuesday, April 08, 2008 5:11 AM
> > To: Chris Riling
> > Cc: cisco-nsp at puck.nether.net
> > Subject: Re: [c-nsp] Transparent ASA 5510 on a dot1q Trunk
> >
> > Hi Chris,
> >
> > This is feasible if you use multiple contexts in transparent mode as
> > described here:
> > http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/examples.html#wp1010043
> >
> > Basically you define all necessary vlan subifs into the global context,
> > then you use them as inside/outside pairs into each context. A guy called
> > Ge Moua here at c-nsp sent me a working configuration for this a couple of
> > months ago, unfortunately can't get my hands on it anymore. Maybe Ge can
> > kick in and repost it for you.
> >
> > Jerome Covini
> >
> >
> >
> > Selon Chris Riling <criling at gmail.com>:
> >
> > > Hey Guys,
> > >
> > >      Forgive the dumb question, I'm not much of a Cisco security guy... I
> > > have a 5510 I need to put in transparent mode and I want it to sit in the
> > > middle of a dot1q trunk and filter traffic for the 4 VLANs traversing the
> > > trunk between the two switches. What is the best way to do this? As someone
> > > on the list had pointed out to me once, you should be able to create inside
> > > and outside VLAN subinterfaces for each VLAN but I'm still a little
> > > confused... Anyone else have any input? The ASA supposedly does some "tag
> > > switching" and you need to have the same VLANs have one tag on the inside,
> > > and another tag on the outside, but I'm not exactly sure how you associate
> > > each inside VLAN with its respective outside VLAN and vice versa in the
> > > config...
> > >
> > > Thanks,
> > > Chris
> > > _______________________________________________
> > > cisco-nsp mailing list  cisco-nsp at puck.nether.net
> > > https://puck.nether.net/mailman/listinfo/cisco-nsp
> > > archive at http://puck.nether.net/pipermail/cisco-nsp/
> > >
> >
> >
>
>
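The layout Jerome describes, as an added example that is not from the thread, from Ge's configuration, or from Cisco's documentation: VLAN subinterfaces are created once in the system execution space, and each transparent context is handed exactly one inside/outside pair, so a VLAN's traffic can only leave the firewall on its own peer subinterface and each context carries its own ACLs. Interface names, VLAN IDs (reused on both trunks, which are on separate physical ports), context names and config-url paths are assumed, and placing `firewall transparent` in the system space (applying to all contexts) is assumed for the pre-9.x releases of that era; later releases set the mode per context.

```text
! ---- System execution space (all names and IDs are assumed) ----
mode multiple
firewall transparent              ! pre-9.x: set once here, applies to every context
!
interface Ethernet0/0             ! dot1q trunk towards switch A ("inside" side)
 no shutdown
interface Ethernet0/0.10
 vlan 10
interface Ethernet0/0.20
 vlan 20
!
interface Ethernet0/1             ! dot1q trunk towards switch B ("outside" side)
 no shutdown
interface Ethernet0/1.10
 vlan 10
interface Ethernet0/1.20
 vlan 20
!
! One context per VLAN; the allocate-interface mapped names hide the
! physical/VLAN details from the context administrator.
context vlan10
 allocate-interface Ethernet0/0.10 inside_v10
 allocate-interface Ethernet0/1.10 outside_v10
 config-url disk0:/vlan10.cfg
context vlan20
 allocate-interface Ethernet0/0.20 inside_v20
 allocate-interface Ethernet0/1.20 outside_v20
 config-url disk0:/vlan20.cfg
! (repeat for the remaining two VLANs on the trunk)
!
! ---- Inside context vlan10 (after "changeto context vlan10") ----
interface inside_v10
 nameif inside
 security-level 100
interface outside_v10
 nameif outside
 security-level 0
! Transparent mode: one management address in the bridged subnet (assumed addressing)
ip address 192.0.2.10 255.255.255.0
! Policy is per context, so VLAN 10's rules cannot affect VLAN 20's traffic
access-list OUT_IN extended permit tcp any host 192.0.2.50 eq 443
access-group OUT_IN in interface outside
```

Each context only bridges between its own pair, which is the separation property the quoted FWSM text says bridge groups in a single context do not give for shared services such as syslog or AAA.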

