[c-nsp] ASA Transparent Mode with VLAN Trunks
Mike Louis
MLouis at nwnit.com
Thu Apr 17 10:08:26 EDT 2008
Thanks so much. This looks exactly like what we are doing. Have you noticed any issues with this configuration?
________________________________________
From: Ge Moua [moua0100 at umn.edu]
Sent: Thursday, April 17, 2008 9:16 AM
To: Mike Louis; 'Tim Franklin'; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] ASA Transparent Mode with VLAN Trunks
Email me offline for the accompanying topology diagram. See below for a
working config of this:
Regards,
Ge Moua | Email: moua0100 at umn.edu
Network Design Engineer
University of Minnesota | Networking & Telecommunications Services
############################
## SYSTEM EXECUTION SPACE ##
############################
asa5580# sh run
: Saved
:
ASA Version 8.1(0)147 <system>
!
firewall transparent
hostname asa5580
enable password **REMOVED** encrypted
no mac-address auto
!
interface Management0/0
description ## Connect to Gi1/0/24 on Infotech-AN-01 * "outside" Mgmt Vlan 1000 for "admin" context on Cisco ASA-5580 ##
!
interface Management0/1
shutdown
!
interface GigabitEthernet3/0
description ## 802.1Q Trunk * Connect to Gi1/0/13 on Infotech-AN-01 ##
!
interface GigabitEthernet3/0.200
description ## Vlan 200 * "inside" Vlan for Firewall Context "TEST-ASA5580-FW001" ##
vlan 200
!
interface GigabitEthernet3/1
description ## 802.1Q Trunk * Connect to Gi1/0/14 on Infotech-AN-01 ##
!
interface GigabitEthernet3/1.201
description ## Vlan 201 * "outside" Vlan for Firewall Context "TEST-ASA5580-FW001" ##
vlan 201
!
interface GigabitEthernet3/2
description ## 802.1Q Trunk * Connect to Gi1/0/15 on Infotech-AN-01 ##
!
interface GigabitEthernet3/2.202
description ## Vlan 202 * "inside" Vlan for Firewall Context "TEST-ASA5580-FW002" ##
vlan 202
!
interface GigabitEthernet3/3
description ## 802.1Q Trunk * Connect to Gi1/0/16 on Infotech-AN-01 ##
!
interface GigabitEthernet3/3.203
description ## Vlan 203 * "outside" Vlan for Firewall Context "TEST-ASA5580-FW002" ##
vlan 203
!
interface GigabitEthernet4/0
shutdown
!
interface GigabitEthernet4/1
shutdown
!
interface GigabitEthernet4/2
shutdown
!
interface GigabitEthernet4/3
shutdown
!
interface TenGigabitEthernet5/0
description ## 802.1Q Trunk * Connect to TenGi2/4 on Infotech-BR-01 ##
!
interface TenGigabitEthernet5/0.3708
description ## Vlan 3708 * "inside" Vlan for Firewall Context "CSERV-FW001" ##
vlan 3708
!
interface TenGigabitEthernet5/0.3709
description ## Vlan 3709 * "outside" Vlan for Firewall Context "CSERV-FW001" ##
vlan 3709
!
interface TenGigabitEthernet5/1
shutdown
!
class default
limit-resource All 0
limit-resource Mac-addresses 65535
limit-resource ASDM 5
limit-resource SSH 5
limit-resource Telnet 5
!
boot system disk0:/smp810-147-k8.bin
ftp mode passive
pager lines 24
no failover
asdm image disk0:/asdm-61028.bin
no asdm history enable
arp timeout 14400
console timeout 0
admin-context admin
context admin
allocate-interface Management0/0
config-url disk0:/admin.cfg
!
context TEST-ASA5580-FW001
allocate-interface GigabitEthernet3/0.200
allocate-interface GigabitEthernet3/1.201
config-url disk0:/TEST-ASA5580-FW001.cfg
!
context TEST-ASA5580-FW002
allocate-interface GigabitEthernet3/2.202
allocate-interface GigabitEthernet3/3.203
config-url disk0:/TEST-ASA5580-FW002.cfg
!
context CSERV-FW001
allocate-interface TenGigabitEthernet5/0.3708-TenGigabitEthernet5/0.3709
config-url disk0:/CSERV-FW001.cfg
!
prompt hostname context
Cryptochecksum:6dc963ea184ab1e2eceeeddcdda3211f
: end
##############################
## VIRTUAL FIREWALL CONTEXT ##
##############################
asa5580/CSERV-FW001# sh run
: Saved
:
ASA Version 8.1(0)147 <context>
!
firewall transparent
hostname CSERV-FW001
domain-name ggnet.umn.edu
enable password **REMOVED** encrypted
names
!
interface TenGigabitEthernet5/0.3708
nameif inside
security-level 100
!
interface TenGigabitEthernet5/0.3709
nameif outside
security-level 0
!
passwd **REMOVED** encrypted
dns server-group DefaultDNS
domain-name ggnet.umn.edu
access-list PERMIT-ALL remark ## [START] PERMIT-ALL ##
access-list PERMIT-ALL remark ## Reserve for Debugging or Emergency Use ##
access-list PERMIT-ALL extended permit ip any any
access-list PERMIT-ALL remark ## [END] PERMIT-ALL ##
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging buffered debugging
logging trap debugging
logging facility 23
logging host outside 192.168.249.59
mtu inside 1500
mtu outside 1500
ip address 128.101.58.134 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
access-group PERMIT-ALL in interface inside
access-group PERMIT-ALL in interface outside
route outside 0.0.0.0 0.0.0.0 128.101.58.132 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host 192.168.249.21
key **REMOVED**
aaa-server TACACS+ (outside) host 192.168.249.22
key **REMOVED**
aaa authentication ssh console TACACS+
aaa authentication telnet console TACACS+
aaa authentication enable console TACACS+
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 160.94.221.0 255.255.255.248 inside
telnet 192.168.224.0 255.255.224.0 outside
telnet 134.84.20.0 255.255.255.0 outside
telnet timeout 5
ssh 192.168.224.0 255.255.224.0 outside
ssh 134.84.20.0 255.255.255.0 outside
ssh timeout 5
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect netbios
inspect rsh
inspect rtsp
inspect skinny
inspect esmtp
inspect sqlnet
inspect sunrpc
inspect tftp
inspect sip
inspect xdmcp
inspect icmp
!
service-policy global_policy global
Cryptochecksum:8ec6a416d4238fbe77fa8493dc2a3ea4
: end
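Added here as an illustration (not part of the thread and not Cisco tooling): a small Python checker that reads a system-space `sh run` like the one above, expands the `allocate-interface` range syntax used for the CSERV-FW001 context, and flags a context whose inside and outside subinterfaces carry the same VLAN (the condition the ASA refused in Mike's earlier message) or a VLAN allocated to two contexts. The sample config embedded below is constructed from the CSERV-FW001 lines of the posted config.

```python
import re

# Constructed sample modelled on the system-space config posted in the thread (not the original text).
SAMPLE_SYSTEM_CONFIG = """\
interface TenGigabitEthernet5/0.3708
 vlan 3708
interface TenGigabitEthernet5/0.3709
 vlan 3709
context CSERV-FW001
 allocate-interface TenGigabitEthernet5/0.3708-TenGigabitEthernet5/0.3709
"""
SUBIF = re.compile(r"^(\S+?)\.(\d+)$")  # "Phys.sub" -> (Phys, sub)

def expand_allocation(spec):
    # ASA range syntax "Phys.A-Phys.B" (as on the CSERV-FW001 context) -> every subinterface in between
    if "-" not in spec:
        return [spec]
    (p1, s1), (p2, s2) = (SUBIF.match(p).groups() for p in spec.split("-", 1))
    if p1 != p2:
        raise ValueError("range must stay on one physical interface: " + spec)
    return ["%s.%d" % (p1, n) for n in range(int(s1), int(s2) + 1)]

def parse_system_config(text):
    # Returns ({subinterface: vlan}, {context: [allocated interfaces]}) from a system-space "sh run"
    vlan_of, contexts, section, ctx = {}, {}, None, None
    for words in filter(None, (line.split() for line in text.splitlines())):
        if words[0] == "interface":
            section, ctx = words[1], None
        elif words[0] == "context":
            ctx, section = words[1], None
            contexts[ctx] = []
        elif words[0] == "vlan" and section:
            vlan_of[section] = int(words[1])
        elif words[0] == "allocate-interface" and ctx:
            contexts[ctx].extend(expand_allocation(words[1]))
    return vlan_of, contexts

def audit_contexts(text):
    # Findings to clear before cut-over: not an inside/outside pair, same VLAN on both sides, VLAN in two contexts
    (vlan_of, contexts), owner, findings = parse_system_config(text), {}, []
    for ctx, ifaces in contexts.items():
        vlans = [vlan_of[i] for i in ifaces if "." in i]  # skip physical ports such as Management0/0
        if len(vlans) not in (0, 2):  # 0 = management-only context such as "admin"
            findings.append("%s: expected an inside/outside pair, got %d VLANs" % (ctx, len(vlans)))
        if len(set(vlans)) < len(vlans):
            findings.append("%s: same VLAN on inside and outside" % ctx)
        for v in vlans:
            if owner.setdefault(v, ctx) != ctx:
                findings.append("vlan %d shared by %s and %s" % (v, owner[v], ctx))
    return findings
```

Run `audit_contexts(open("system.cfg").read())` against a saved system-space `sh run`; an empty list means every context has a distinct inside/outside VLAN pair that no other context reuses.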
-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike Louis
Sent: Thursday, April 17, 2008 7:59 AM
To: Tim Franklin; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA Transparent Mode with VLAN Trunks
We are making some progress on this; however, it is not completed yet. We had to
assign multiple contexts to the firewall as expected, then assign a set of
vlans on the outside interfaces (50,51) and then another set of vlans on the
inside interfaces (100,101). The ASA would not let me assign the same vlan
to the inside and outside interfaces. It appears VLAN tags are stripped
inbound to the outside interface of the ASA and then reapplied (with a
different tag) on the inside interface. Switches on each side are trunked
accordingly. I have one side of the topology, i.e. one ASA with multiple
contexts, working; still working on the second device.
If anyone has a working configuration for this setup, can you please post
to this forum?
TIA
Mike
________________________________________
From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net]
On Behalf Of Tim Franklin [tim at pelican.org]
Sent: Thursday, April 17, 2008 4:28 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA Transparent Mode with VLAN Trunks
On Wed, April 16, 2008 5:37 pm, Ge Moua wrote:
> I tried emailing attachments to the 'list' before, and this was rejected.
> I'm always open to sharing by any means necessary.
Err... paste the text of the config?
_______________________________________________
cisco-nsp mailing list cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
Note: This message and any attachments is intended solely for the use of the
individual or entity to which it is addressed and may contain information
that is non-public, proprietary, legally privileged, confidential, and/or
exempt from disclosure. If you are not the intended recipient, you are
hereby notified that any use, dissemination, distribution, or copying of
this communication is strictly prohibited. If you have received this
communication in error, please notify the original sender immediately by
telephone or return email and destroy or delete this message along with any
attachments immediately.