Transparent firewalls act as a bump in the wire. They work at layer 2, rather than at layer 3 as a routed firewall does. So we should be able to get NY1 and NY2 to form an EIGRP adjacency with each other, with the NY-FW sitting in the middle looking after the traffic. The emphasis is on should.
We’ll start with the basics. First, we change the firewall mode from the default (routed) to transparent:
ciscoasa(config)# firewall transparent
ciscoasa(config)#
ciscoasa(config)#
ciscoasa(config)# hostname NY-FW
NY-FW(config)# end
NY-FW# sh firewall
Firewall mode: Transparent
NY-FW#
We don’t assign IP addresses to the interfaces; instead there is a single “management” address, which is configured under a BVI (bridge virtual interface). The interfaces are then joined together into the bridge group:
NY-FW(config)# int e1
NY-FW(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
NY-FW(config-if)# bridge-group 1
NY-FW(config)# int e0
NY-FW(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
NY-FW(config-if)# bridge-group 1
NY-FW(config-if)#
NY-FW(config)# interface bvi 1
NY-FW(config-if)# ip address 126.96.36.199 255.255.255.0
NY-FW(config-if)# http 0.0.0.0 0.0.0.0 inside
WARNING: http server is not yet enabled to allow ASDM access.
NY-FW(config)# http server enable
NY-FW(config)# http 0.0.0.0 0.0.0.0 inside
NY-FW(config)#
In the interest of full disclosure, I did have issues in my home lab using ASA 8.4.2; it just did not want to play ball. So I created a very small lab (two routers, called “Inside” and “Outside”, and an ASAv running 9.5.1), and it worked fine. Here is the (cut-down) configuration:
NY-FW(config)# sh run
: Saved
:
: Serial Number: 9AW2F38S6JE
: Hardware:   ASAv, 2048 MB RAM, CPU Pentium II 2494 MHz
:
ASA Version 9.5(1)
!
firewall transparent
hostname NY-FW
enable password AVQgTSU8ASliPKq7 encrypted
passwd AVQgTSU8ASliPKq7 encrypted
names
!
interface GigabitEthernet0/0
 nameif Inside
 bridge-group 1
 security-level 100
!
interface GigabitEthernet0/1
 nameif Outside
 bridge-group 1
 security-level 0
!
interface BVI1
 ip address 188.8.131.52 255.255.255.0
!
access-list outside->in extended permit eigrp any any
access-group outside->in in interface Inside
access-group outside->in in interface Outside
Here we can see the successful EIGRP adjacency:
Inside#sh ip route eigrp | b Gate
Gateway of last resort is not set

      184.108.40.206/32 is subnetted, 1 subnets
D        220.127.116.11 [90/130816] via 18.104.22.168, 00:00:13, GigabitEthernet0/0
Inside#
Inside#sh ip eigrp neigh
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   22.214.171.124          Gi0/0                    10 00:13:44  150   900  0  3
Inside#
I might have screwed up the formatting, but it shows that it works.
The next step is to try the same configuration on the existing topology, or to swap the NY-FW in the proper topology for an ASAv, and hope that works.
On its own, this ACL on the firewall is not enough: it gives us visibility (control plane, the EIGRP adjacency) but not reachability (data plane). For example, we cannot ping from one router to the other:
Inside#ping 126.96.36.199
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 188.8.131.52, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Inside#
For ping to work we need another ACE (access list entry):
access-list outside->in permit icmp any any
Just to give us everything we need, I’ll also permit IP as well (note that this lets all IP traffic through in both directions, since the same ACL is applied on both interfaces):
access-list outside->in permit ip any any
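To turn the checks walked through above (transparent mode set, both data interfaces in one bridge group, an addressed BVI, EIGRP permitted for the control plane, ICMP for the data plane, and whether a "permit ip any any" ACE has turned the firewall into a pass-through) into something repeatable, here is an added Python audit script. It is not part of the original post or of any Cisco tooling; the config it parses is a constructed copy of the cut-down NY-FW configuration plus the two ACEs added afterwards, and the parser only understands the handful of ASA commands used on this page.

```python
# Constructed sample: the post's cut-down NY-FW configuration plus the ICMP
# and "permit ip any any" ACEs that are added later in the post.
SAMPLE_CONFIG = """\
firewall transparent
interface GigabitEthernet0/0
 nameif Inside
 bridge-group 1
interface GigabitEthernet0/1
 nameif Outside
 bridge-group 1
interface BVI1
 ip address 188.8.131.52 255.255.255.0
access-list outside->in extended permit eigrp any any
access-list outside->in permit icmp any any
access-list outside->in permit ip any any
access-group outside->in in interface Inside
access-group outside->in in interface Outside
"""

def parse_asa(config):
    """Split an ASA config into interface blocks, ACL entries and access-group bindings."""
    ifaces, acls, bindings, cur = {}, {}, {}, {}
    for line in config.splitlines():
        p = line.split()
        if line.startswith("interface "):             # start of an interface block
            cur = ifaces.setdefault(p[1], {})
        elif line.startswith(" ") and p:              # indented sub-command of that block
            cur[p[0]] = " ".join(p[1:])               # e.g. cur['bridge-group'] == '1'
        elif line.startswith("access-list "):         # access-list NAME [extended] ACTION PROTO SRC DST
            acls.setdefault(p[1], []).append([t for t in p[2:] if t != "extended"])
        elif line.startswith("access-group "):        # access-group NAME in interface IFNAME
            bindings[p[4]] = p[1]
    return ifaces, acls, bindings

def audit_transparent(config):
    """Check the transparent-mode prerequisites and the ACL reach the post walks through."""
    ifaces, acls, bindings = parse_asa(config)
    groups = {v.get("bridge-group", "") for v in ifaces.values() if "nameif" in v}
    bvi = ifaces.get("BVI" + min(groups, default=""), {})   # the bridge group's BVI, if any
    def permits(ifname, proto):
        return any(a[:2] == ["permit", proto] for a in acls.get(bindings.get(ifname, ""), []))
    return {
        "transparent": "firewall transparent" in config.splitlines(),
        "one_bridge_group": len(groups) == 1 and "" not in groups,
        "bvi_has_ip": bvi.get("ip", "").startswith("address "),
        "eigrp_permitted": {i: permits(i, "eigrp") for i in sorted(bindings)},  # control plane
        "icmp_permitted": {i: permits(i, "icmp") for i in sorted(bindings)},    # data plane
        "wide_open": [i for i in sorted(bindings) if permits(i, "ip")],  # pass-through interfaces
    }
```

Running `audit_transparent(SAMPLE_CONFIG)` flags both Inside and Outside under "wide_open"; drop the "permit ip any any" ACE and the list is empty while EIGRP and ICMP stay permitted.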
Once we set up the other router for telnet:
Outside(config)#line vty 0 4
Outside(config-line)#
Outside(config-line)#password 802101
Outside(config-line)#login
Outside(config-line)#transport input telnet
We have access:
Inside#ping 184.108.40.206
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 220.127.116.11, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/8/11 ms
Inside#telnet 18.104.22.168
Trying 22.214.171.124 ... Open

****************
* banner stuff *
****************

User Access Verification

Password:
Outside>
So there we have a very brief intro to transparent firewalls, and hopefully it’ll work in the main lab later on.