Transparent firewalls act as a bump in the wire. They work at layer 2, instead of layer 3 like a routed firewall does, so the devices on either side never see the firewall as a hop. That means we should be able to get NY1 and NY2 to form an EIGRP adjacency with each other, with the NY-FW sitting in the middle inspecting the traffic. The emphasis is on should.
We’ll start with the basics. First, we change the firewall mode from the default of routed to transparent:
ciscoasa(config)# firewall transparent
ciscoasa(config)#
ciscoasa(config)# hostname NY-FW
NY-FW(config)# end
NY-FW# sh firewall
Firewall mode: Transparent
NY-FW#
We don’t assign IP addresses to the interfaces. Instead there is one “management” address, configured under a BVI, which must sit in the same subnet as the segment being bridged; it is used only for traffic to and from the ASA itself (ASDM, SSH, syslog), not for forwarding. The interfaces are then joined together into the bridge group. Note that http 0.0.0.0 0.0.0.0 inside allows ASDM from any source address on the inside; that is fine for a lab, but in production restrict it to the management subnet:
NY-FW(config)# int e1
NY-FW(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
NY-FW(config-if)# bridge-group 1
NY-FW(config)# int e0
NY-FW(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
NY-FW(config-if)# bridge-group 1
NY-FW(config-if)#
NY-FW(config)# interface bvi 1
NY-FW(config-if)# ip address 220.127.116.11 255.255.255.0
NY-FW(config-if)# http 0.0.0.0 0.0.0.0 inside
WARNING: http server is not yet enabled to allow ASDM access.
NY-FW(config)# http server enable
NY-FW(config)# http 0.0.0.0 0.0.0.0 inside
NY-FW(config)#
In the interest of full disclosure, I did have issues on my home lab using ASA 8.4.2. It just did not want to play ball. So I created a very small lab (two routers, called “Inside” and “Outside”, and an ASAv running 9.5.1), and it worked fine. Here is the (cut-down) configuration:
NY-FW(config)# sh run
: Saved
:
: Serial Number: 9AW2F38S6JE
: Hardware:   ASAv, 2048 MB RAM, CPU Pentium II 2494 MHz
: ASA Version 9.5(1)
!
firewall transparent
hostname NY-FW
enable password AVQgTSU8ASliPKq7 encrypted
passwd AVQgTSU8ASliPKq7 encrypted
names
!
interface GigabitEthernet0/0
 nameif Inside
 bridge-group 1
 security-level 100
!
interface GigabitEthernet0/1
 nameif Outside
 bridge-group 1
 security-level 0
!
interface BVI1
 ip address 18.104.22.168 255.255.255.0
!
access-list outside->in extended permit eigrp any any
access-group outside->in in interface Inside
access-group outside->in in interface Outside
The single ACL is applied inbound on both interfaces, so EIGRP (IP protocol 88, with hellos multicast to 224.0.0.10) is permitted in both directions; the ASA passes ARP without an ACL, so nothing else is needed for the neighbours to find each other. Here we can see the successful EIGRP adjacency:
Inside#sh ip route eigrp | b Gate
Gateway of last resort is not set

      22.214.171.124/32 is subnetted, 1 subnets
D        126.96.36.199 [90/130816] via 188.8.131.52, 00:00:13, GigabitEthernet0/0
Inside#
Inside#sh ip eigrp neigh
EIGRP-IPv4 Neighbors for AS(100)
H   Address                 Interface              Hold Uptime   SRTT   RTO  Q  Seq
                                                   (sec)         (ms)       Cnt Num
0   184.108.40.206          Gi0/0                    10 00:13:44  150   900  0  3
Inside#
I might have screwed up the formatting, but it shows that it works.
The next step is to try the same configuration on the existing topology, or to swap the NY-FW in the proper topology for an ASAv, and hope that works.
On its own, this ACL is not enough: it only permits EIGRP, so we get the routing adjacency (control plane) but no reachability for anything else (data plane). For example, we cannot ping from one router to the other:
Inside#ping 220.127.116.11
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 18.104.22.168, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Inside#
For ping to work we need another ACE (access control entry). Because the same ACL is applied inbound on both interfaces, this one line covers both the echo request and the echo reply:
access-list outside->in permit icmp any any
Just to give us everything we need in the lab, I’ll also permit IP as well. Be aware that permit ip any any inbound on both interfaces turns the ASA into a plain bridge with no filtering at all, which is fine for a lab but not something to leave in a production transparent firewall:
access-list outside->in permit ip any any
Once we set up the other router for telnet:
Outside(config)#line vty 0 4
Outside(config-line)#
Outside(config-line)#password 802101
Outside(config-line)#login
Outside(config-line)#transport input telnet
We have access:
Inside#ping 22.214.171.124
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 126.96.36.199, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/8/11 ms
Inside#telnet 188.8.131.52
Trying 184.108.40.206 ... Open

****************
* banner stuff *
****************

User Access Verification

Password:
Outside>
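As an added example (not from the original post or lab), here is the least-privilege version of the same policy: instead of one permit ip any any ACL applied both ways, one ACL per direction that allows only what the lab above actually uses (EIGRP, ping from Inside to Outside, and telnet from Inside to Outside). It assumes the same interface names and bridge group as the lab and ASA 9.x syntax; the router addresses 192.0.2.1 and 192.0.2.2 are placeholders from the documentation range, not the lab’s real addresses.

```cisco
! Added example, not part of the original post. Assumes interfaces named
! Inside/Outside in bridge-group 1 and ASA 9.x syntax. Router addresses are
! placeholders (192.0.2.0/24 documentation range).
!
! Weak setting used in the lab: one wide-open ACL inbound on both sides,
! which makes the transparent ASA a plain bridge with no filtering:
!   access-list outside->in extended permit ip any any
!   access-group outside->in in interface Inside
!   access-group outside->in in interface Outside
!
object network NY1
 host 192.0.2.1
object network NY2
 host 192.0.2.2
!
! Inbound on Inside = traffic sourced by NY1.
! EIGRP (IP protocol 88): multicast hellos to 224.0.0.10 plus unicast
! updates/acks to the neighbour.
access-list inside-in extended permit eigrp object NY1 host 224.0.0.10
access-list inside-in extended permit eigrp object NY1 object NY2
! Ping from NY1 to NY2: only echo requests in this direction.
access-list inside-in extended permit icmp object NY1 object NY2 echo
! Telnet from NY1 to NY2; the TCP return traffic is allowed statefully.
access-list inside-in extended permit tcp object NY1 object NY2 eq telnet
access-list inside-in extended deny ip any any log
!
! Inbound on Outside = traffic sourced by NY2.
access-list outside-in extended permit eigrp object NY2 host 224.0.0.10
access-list outside-in extended permit eigrp object NY2 object NY1
! ICMP is not stateful by default on the ASA, so the echo replies to NY1's
! pings must be permitted explicitly (or enable inspect icmp instead).
access-list outside-in extended permit icmp object NY2 object NY1 echo-reply
access-list outside-in extended deny ip any any log
!
access-group inside-in in interface Inside
access-group outside-in in interface Outside
```

If you would rather have ICMP handled statefully, add inspect icmp to the global policy-map and drop the echo-reply line. Either way, after applying this, show access-list inside-in and show access-list outside-in give per-ACE hit counts, so you can confirm the EIGRP, echo and telnet lines are the ones being matched and that the explicit deny with log is what drops anything the lab did not need.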
So there we have a very brief intro to transparent firewalls, and hopefully it’ll work in the main lab later on.