CCIE Security: Transparent ASA

Transparent firewalls act as a bump in the wire. They work at layer-2, instead of layer-3 like a routed firewall does. So, we should be able to get NY1 and NY2 to have an EIGRP adjacency with each other, and have the NY-FW sitting in the middle, looking after the traffic. The emphasis is on should.

We’ll start with the basics. first we change the firewall mode from the default of Router to transparent:

ciscoasa(config)# firewall transparent
ciscoasa(config)# 
ciscoasa(config)# 
ciscoasa(config)# hostname NY-FW
NY-FW(config)# end
NY-FW# sh firewall
Firewall mode: Transparent
NY-FW#

We don’t assign IP addresses to the interfaces, instead we have one “management” address, which gets configured under a BVI. The interfaces are then joined together into the bridge group:

NY-FW(config)# int e1  
NY-FW(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
NY-FW(config-if)# bridge-group 1
NY-FW(config)# int e0
NY-FW(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
NY-FW(config-if)# bridge-group 1
NY-FW(config-if)#
NY-FW(config)# interface bvi 1
NY-FW(config-if)# ip address 128.2.2.100 255.255.255.0
NY-FW(config-if)# http 0.0.0.0 0.0.0.0 inside
WARNING: http server is not yet enabled to allow ASDM access.
NY-FW(config)# http server enable
NY-FW(config)# http 0.0.0.0 0.0.0.0 inside
NY-FW(config)#

In the interest of full-disclosure, I did have issues on my home lab using ASA 8.4.2. It just did not want to play ball. so I created a very small lab (2 routers, called “Inside” and “Outside” and an ASAv running 9.5.1), and it worked fine. Here is the (cut-down) configuration:

NY-FW(config)# sh run
: Saved

:
: Serial Number: 9AW2F38S6JE
: Hardware:   ASAv, 2048 MB RAM, CPU Pentium II 2494 MHz
:
ASA Version 9.5(1)
!
firewall transparent
hostname NY-FW
enable password AVQgTSU8ASliPKq7 encrypted
passwd AVQgTSU8ASliPKq7 encrypted
names
!
interface GigabitEthernet0/0
 nameif Inside
 bridge-group 1
 security-level 100
!
interface GigabitEthernet0/1
 nameif Outside
 bridge-group 1
 security-level 0
!
interface BVI1
 ip address 128.2.2.100 255.255.255.0
!
access-list outside->in extended permit eigrp any any
access-group outside->in in interface Inside
access-group outside->in in interface Outside

Here we can see the successful EIGRP adjacency:

Inside#sh ip route eigrp | b Gate
Gateway of last resort is not set

      2.0.0.0/32 is subnetted, 1 subnets
D        2.2.2.2 [90/130816] via 128.2.2.2, 00:00:13, GigabitEthernet0/0
Inside#
Inside#sh ip eigrp neigh
EIGRP-IPv4 Neighbors for AS(100)
H   Address        Interface   Hold Uptime   SRTT   RTO  Q  Seq 
                                     (sec)         (ms)     Cnt Num
0   128.2.2.2      Gi0/0         10 00:13:44  150   900  0  3
Inside#

I might have screwed up the formatting, but it shows that it works.

The next step is to try the same configuration above on the existing topology, or change the NY-FW in the proper topology for an ASAv, and hope that that works.

Alone, this ACL on the firewall is not enough, it gets us visibility (control plane), but not reachability (data plane). For example, we cannot ping from one router to another:

Inside#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
.....
Success rate is 0 percent (0/5)
Inside#

For ping to work we need another ACE (Access list entry):

access-list outside->in permit icmp any any

Just to give us everything we need, I’ll also do IP as well:

access-list outside->in permit ip any any

Once we set up the other router for telnet:

Outside(config)#line vty 0 4
Outside(config-line)#
Outside(config-line)#password 802101
Outside(config-line)#login
Outside(config-line)#transport input telnet

We have access:

Inside#ping 2.2.2.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 2.2.2.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/8/11 ms
Inside#telnet 2.2.2.2
Trying 2.2.2.2 ... Open


****************
* banner stuff *
****************

User Access Verification

Password:

Outside>

So there we have a very brief into into Transparent firewalls, and hopefully it’ll work in the main lab later on.