[c-nsp] ASA Transparent Mode with VLAN Trunks

Mike Louis MLouis at nwnit.com
Thu Apr 17 10:08:26 EDT 2008


Thanks so much. This looks exactly like what we are doing. Have you noticed any issues with this configuration?

________________________________________
From: Ge Moua [moua0100 at umn.edu]
Sent: Thursday, April 17, 2008 9:16 AM
To: Mike Louis; 'Tim Franklin'; cisco-nsp at puck.nether.net
Subject: RE: [c-nsp] ASA Transparent Mode with VLAN Trunks

Email me offline for the accompanying topology diagram.  See below for a
working config of this:


Regards,
Ge Moua | Email: moua0100 at umn.edu

Network Design Engineer
University of Minnesota | Networking & Telecommunications Services


############################
## SYSTEM EXECUTION SPACE ##
############################
asa5580# sh run
: Saved
:
ASA Version 8.1(0)147 <system>
!
firewall transparent
hostname asa5580
enable password **REMOVED** encrypted
no mac-address auto
!
interface Management0/0
 description ## Connect to Gi1/0/24 on Infotech-AN-01 * "outside" Mgmt Vlan 1000 for "admin" context on Cisco ASA-5580 ##
!
interface Management0/1
 shutdown
!
interface GigabitEthernet3/0
 description ## 802.1Q Trunk * Connect to Gi1/0/13 on Infotech-AN-01 ##
!
interface GigabitEthernet3/0.200
 description ## Vlan 200 * "inside" Vlan for Firewall Context "TEST-ASA5580-FW001" ##
 vlan 200
!
interface GigabitEthernet3/1
 description ## 802.1Q Trunk * Connect to Gi1/0/14 on Infotech-AN-01 ##
!
interface GigabitEthernet3/1.201
 description ## Vlan 201 * "outside" Vlan for Firewall Context "TEST-ASA5580-FW001" ##
 vlan 201
!
interface GigabitEthernet3/2
 description ## 802.1Q Trunk * Connect to Gi1/0/15 on Infotech-AN-01 ##
!
interface GigabitEthernet3/2.202
 description ## Vlan 202 * "inside" Vlan for Firewall Context "TEST-ASA5580-FW002" ##
 vlan 202
!
interface GigabitEthernet3/3
 description ## 802.1Q Trunk * Connect to Gi1/0/16 on Infotech-AN-01 ##
!
interface GigabitEthernet3/3.203
 description ## Vlan 203 * "outside" Vlan for Firewall Context "TEST-ASA5580-FW002" ##
 vlan 203
!
interface GigabitEthernet4/0
 shutdown
!
interface GigabitEthernet4/1
 shutdown
!
interface GigabitEthernet4/2
 shutdown
!
interface GigabitEthernet4/3
 shutdown
!
interface TenGigabitEthernet5/0
 description ## 802.1Q Trunk * Connect to TenGi2/4 on Infotech-BR-01 ##
!
interface TenGigabitEthernet5/0.3708
 description ## Vlan 3708 * "inside" Vlan for Firewall Context "CSERV-FW001" ##
 vlan 3708
!
interface TenGigabitEthernet5/0.3709
 description ## Vlan 3709 * "outside" Vlan for Firewall Context "CSERV-FW001" ##
 vlan 3709
!
interface TenGigabitEthernet5/1
 shutdown
!
class default
  limit-resource All 0
  limit-resource Mac-addresses 65535
  limit-resource ASDM 5
  limit-resource SSH 5
  limit-resource Telnet 5
!

boot system disk0:/smp810-147-k8.bin
ftp mode passive
pager lines 24
no failover
asdm image disk0:/asdm-61028.bin
no asdm history enable
arp timeout 14400
console timeout 0

admin-context admin
context admin
  allocate-interface Management0/0
  config-url disk0:/admin.cfg
!

context TEST-ASA5580-FW001
  allocate-interface GigabitEthernet3/0.200
  allocate-interface GigabitEthernet3/1.201
  config-url disk0:/TEST-ASA5580-FW001.cfg
!

context TEST-ASA5580-FW002
  allocate-interface GigabitEthernet3/2.202
  allocate-interface GigabitEthernet3/3.203
  config-url disk0:/TEST-ASA5580-FW002.cfg
!

context CSERV-FW001
  allocate-interface TenGigabitEthernet5/0.3708-TenGigabitEthernet5/0.3709
  config-url disk0:/CSERV-FW001.cfg
!

prompt hostname context
Cryptochecksum:6dc963ea184ab1e2eceeeddcdda3211f
: end

##############################
## VIRTUAL FIREWALL CONTEXT ##
##############################

asa5580/CSERV-FW001# sh run
: Saved
:
ASA Version 8.1(0)147 <context>
!
firewall transparent
hostname CSERV-FW001
domain-name ggnet.umn.edu
enable password **REMOVED** encrypted
names
!
interface TenGigabitEthernet5/0.3708
 nameif inside
 security-level 100
!
interface TenGigabitEthernet5/0.3709
 nameif outside
 security-level 0
!
passwd **REMOVED** encrypted
dns server-group DefaultDNS
 domain-name ggnet.umn.edu
access-list PERMIT-ALL remark ## [START] PERMIT-ALL ##
access-list PERMIT-ALL remark ## Reserve for Debugging or Emergency Use ##
access-list PERMIT-ALL extended permit ip any any
access-list PERMIT-ALL remark ## [END] PERMIT-ALL ##
pager lines 24
logging enable
logging timestamp
logging monitor debugging
logging buffered debugging
logging trap debugging
logging facility 23
logging host outside 192.168.249.59
mtu inside 1500
mtu outside 1500
ip address 128.101.58.134 255.255.255.240
icmp unreachable rate-limit 1 burst-size 1
icmp permit any inside
icmp permit any outside
no asdm history enable
arp timeout 14400
access-group PERMIT-ALL in interface inside
access-group PERMIT-ALL in interface outside
route outside 0.0.0.0 0.0.0.0 128.101.58.132 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host 192.168.249.21
 key **REMOVED**
aaa-server TACACS+ (outside) host 192.168.249.22
 key **REMOVED**
aaa authentication ssh console TACACS+
aaa authentication telnet console TACACS+
aaa authentication enable console TACACS+
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet 160.94.221.0 255.255.255.248 inside
telnet 192.168.224.0 255.255.224.0 outside
telnet 134.84.20.0 255.255.255.0 outside
telnet timeout 5
ssh 192.168.224.0 255.255.224.0 outside
ssh 134.84.20.0 255.255.255.0 outside
ssh timeout 5
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect netbios
  inspect rsh
  inspect rtsp
  inspect skinny
  inspect esmtp
  inspect sqlnet
  inspect sunrpc
  inspect tftp
  inspect sip
  inspect xdmcp
  inspect icmp
!
service-policy global_policy global
Cryptochecksum:8ec6a416d4238fbe77fa8493dc2a3ea4
: end

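Editor's note, not part of any message in this thread: the system-context config above gives every transparent context one "inside" and one "outside" VLAN subinterface with distinct VLAN ids, and Mike's earlier message (quoted below) records that the ASA refused the same VLAN on both sides of a context. The following added Python script is my own, not Ge Moua's or Cisco's; it parses a `show run` from the system execution space and reports contexts whose VLAN layout breaks that pattern: a context that does not bridge exactly two data interfaces, an allocated subinterface with no `vlan` line, the same VLAN on both sides, or a VLAN allocated to more than one context. The sample config it runs on is a constructed excerpt modelled on the one posted above, with two deliberately broken contexts (`BAD-FW001`, `BAD-FW002`, and the subinterfaces they use) added for illustration.

```python
"""Check the VLAN layout of a multi-context, transparent-mode ASA system config."""
import re
from collections import defaultdict

# Constructed sample: the posted layout plus two hypothetical broken contexts.
SYSTEM_CONFIG = """\
firewall transparent
interface Management0/0
!
interface GigabitEthernet3/0.200
 vlan 200
!
interface GigabitEthernet3/1.201
 vlan 201
!
interface GigabitEthernet3/2.300
 vlan 300
!
interface GigabitEthernet3/3.300
 vlan 300
!
interface GigabitEthernet4/0.400
!
interface TenGigabitEthernet5/0.3708
 vlan 3708
!
interface TenGigabitEthernet5/0.3709
 vlan 3709
!
admin-context admin
context admin
  allocate-interface Management0/0
!
context TEST-ASA5580-FW001
  allocate-interface GigabitEthernet3/0.200
  allocate-interface GigabitEthernet3/1.201
!
context CSERV-FW001
  allocate-interface TenGigabitEthernet5/0.3708-TenGigabitEthernet5/0.3709
!
context BAD-FW001
  allocate-interface GigabitEthernet3/2.300
  allocate-interface GigabitEthernet3/3.300
!
context BAD-FW002
  allocate-interface GigabitEthernet3/0.200
  allocate-interface GigabitEthernet4/0.400
!
"""


def parse_subinterface_vlans(config):
    """Map each subinterface name to the 802.1Q VLAN id set under it."""
    vlans, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
        elif (m := re.match(r"^\s+vlan (\d+)$", line)) and current:
            vlans[current] = int(m.group(1))
        elif line.strip() == "!":
            current = None
    return vlans


def expand_allocation(spec):
    """Expand an allocate-interface range such as X.3708-X.3709 into single names."""
    m = re.match(r"^(\S+?)\.(\d+)-(\S+?)\.(\d+)$", spec)
    if not m:
        return [spec]
    prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(4))
    return [f"{prefix}.{n}" for n in range(lo, hi + 1)]


def parse_context_interfaces(config):
    """Map each context name to the list of interfaces allocated to it."""
    contexts, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"^context (\S+)$", line)
        if m:
            current = m.group(1)
            contexts[current] = []
        elif (m := re.match(r"^allocate-interface (\S+)$", line)) and current:
            contexts[current].extend(expand_allocation(m.group(1)))
        elif line == "!":
            current = None
    return contexts


def check_contexts(config):
    """Return {context: [findings]} for every non-admin context."""
    vlans = parse_subinterface_vlans(config)
    contexts = parse_context_interfaces(config)
    m = re.search(r"^admin-context (\S+)$", config, re.M)
    admin = m.group(1) if m else None

    owners = defaultdict(set)  # VLAN id -> contexts that allocate it
    for name, ifaces in contexts.items():
        if name != admin:
            for iface in ifaces:
                if iface in vlans:
                    owners[vlans[iface]].add(name)

    findings = {}
    for name, ifaces in contexts.items():
        if name == admin:
            continue
        notes, ids = [], []
        if len(ifaces) != 2:
            notes.append(f"{len(ifaces)} data interfaces allocated; this design bridges exactly two per context")
        for iface in ifaces:
            if iface not in vlans:
                notes.append(f"{iface} has no 'vlan' line in the system context")
            else:
                ids.append(vlans[iface])
        if len(ids) == 2 and ids[0] == ids[1]:
            notes.append(f"inside and outside both use VLAN {ids[0]}; the ASA requires distinct VLANs per side")
        for vid in sorted(set(ids)):
            others = sorted(owners[vid] - {name})
            if others:
                notes.append(f"VLAN {vid} is also allocated to context {', '.join(others)}")
        findings[name] = notes
    return findings


if __name__ == "__main__":
    for ctx, notes in check_contexts(SYSTEM_CONFIG).items():
        print(ctx, "OK" if not notes else "")
        for note in notes:
            print("  -", note)
```

Feed it the output of `show run` taken in the system execution space (the `<system>` config, not a context's own `show run`); the two clean contexts from the thread come back with no findings, and the constructed `BAD-*` contexts show each check firing.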

-----Original Message-----
From: cisco-nsp-bounces at puck.nether.net
[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Mike Louis
Sent: Thursday, April 17, 2008 7:59 AM
To: Tim Franklin; cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA Transparent Mode with VLAN Trunks

We are making some progress on this, however it is not completed yet. We had to
assign multiple contexts to the firewall as expected, then assign a set of
vlans on the outside interfaces (50,51) and then another set of vlans on the
inside interfaces (100,101). The ASA would not let me assign the same vlan
to the inside and outside interfaces. It appears VLAN tags are stripped
inbound to the outside interface of the ASA and then reapplied (with a
different tag) on the inside interface. Switches on each side are trunked
accordingly. I have one side of the topology, i.e. one ASA with multiple
contexts, working; still working on the second device.

 If anyone has a working configuration for this setup, can you please post
to this forum?


TIA

Mike
________________________________________
From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net]
On Behalf Of Tim Franklin [tim at pelican.org]
Sent: Thursday, April 17, 2008 4:28 AM
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] ASA Transparent Mode with VLAN Trunks

On Wed, April 16, 2008 5:37 pm, Ge Moua wrote:
> I tried emailing attachments to the 'list' before, and this was rejected.
> I'm always open to sharing by any means necessary.

Err... paste the text of the config?



_______________________________________________
cisco-nsp mailing list  cisco-nsp at puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

Note: This message and any attachments is intended solely for the use of the
individual or entity to which it is addressed and may contain information
that is non-public, proprietary, legally privileged, confidential, and/or
exempt from disclosure.  If you are not the intended recipient, you are
hereby notified that any use, dissemination, distribution, or copying of
this communication is strictly prohibited.  If you have received this
communication in error, please notify the original sender immediately by
telephone or return email and destroy or delete this message along with any
attachments immediately.
