CCIE Security: Transparent ASA

Transparent firewalls act as a bump in the wire. They operate at layer 2 rather than layer 3 like a routed firewall, so the devices on either side sit in the same subnet and the firewall is not a routing hop. That means we should be able to get NY1 and NY2 to form an EIGRP adjacency with each other, with NY-FW sitting in the middle inspecting the traffic. The emphasis is on should.

We’ll start with the basics. First we change the firewall mode from the default of routed to transparent (note that changing the mode clears the running configuration, so do this on a fresh box or keep a copy first):

ciscoasa(config)# firewall transparent
ciscoasa(config)# hostname NY-FW
NY-FW(config)# end
NY-FW# sh firewall
Firewall mode: Transparent

We don’t assign IP addresses to the data interfaces. Instead there is a single “management” address, configured under a bridge virtual interface (BVI), and the data interfaces are joined to that bridge group. The BVI address must be in the same subnet as the hosts being bridged; it is the address the ASA uses for management access and for traffic it sources itself, and it is not a gateway for anything:

NY-FW(config)# int e1  
NY-FW(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
NY-FW(config-if)# bridge-group 1
NY-FW(config)# int e0
NY-FW(config-if)# nameif Outside
INFO: Security level for "Outside" set to 0 by default.
NY-FW(config-if)# bridge-group 1
NY-FW(config)# interface bvi 1
NY-FW(config-if)# ip address
NY-FW(config-if)# http inside
WARNING: http server is not yet enabled to allow ASDM access.
NY-FW(config)# http server enable
NY-FW(config)# http inside

In the interest of full disclosure, I did have issues on my home lab using ASA 8.4.2. It just did not want to play ball. So I created a very small lab (2 routers, called “Inside” and “Outside”, and an ASAv running 9.5.1), and it worked fine. Here is the (cut-down) configuration:

NY-FW(config)# sh run
: Saved

: Serial Number: 9AW2F38S6JE
: Hardware:   ASAv, 2048 MB RAM, CPU Pentium II 2494 MHz
ASA Version 9.5(1)
firewall transparent
hostname NY-FW
enable password AVQgTSU8ASliPKq7 encrypted
passwd AVQgTSU8ASliPKq7 encrypted
interface GigabitEthernet0/0
 nameif Inside
 bridge-group 1
 security-level 100
interface GigabitEthernet0/1
 nameif Outside
 bridge-group 1
 security-level 0
interface BVI1
 ip address
access-list outside->in extended permit eigrp any any
access-group outside->in in interface Inside
access-group outside->in in interface Outside

Here we can see the successful EIGRP adjacency:

Inside#sh ip route eigrp | b Gate
Gateway of last resort is not set
 is subnetted, 1 subnets
D [90/130816] via, 00:00:13, GigabitEthernet0/0
Inside#sh ip eigrp neigh
EIGRP-IPv4 Neighbors for AS(100)
H   Address        Interface   Hold Uptime   SRTT   RTO  Q  Seq 
                                     (sec)         (ms)     Cnt Num
0      Gi0/0         10 00:13:44  150   900  0  3

I might have screwed up the formatting, but it shows that it works.

The next step is to try the same configuration on the existing topology, or to swap the NY-FW in the proper topology for an ASAv, and hope that works.

On its own, this ACL is not enough. It lets the routers exchange EIGRP and learn each other’s routes (control plane), but every ASA ACL ends in an implicit deny, and because the same list is applied inbound on both interfaces, everything else is dropped in both directions. So the routers know about each other’s networks but cannot reach them (data plane); for example, a ping from one router to the other fails:

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 0 percent (0/5)

For ping to work we need another ACE (access control entry):

access-list outside->in permit icmp any any

Just to give us everything we need for the lab, I’ll open up IP as well. Be aware that permit ip any any makes the two earlier ACEs redundant and turns NY-FW into a pass-through for all IP traffic; that is fine for getting the lab up, but in a real deployment the list should stay as specific as the EIGRP and ICMP entries. Non-IP traffic is not affected either way: ARP is bridged by default, and any other non-IP traffic needs an EtherType ACL.

access-list outside->in permit ip any any
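To make the ACL behaviour concrete, here is an added example (not code from the original post, and not an ASA tool) that models how the ASA evaluates an extended ACL: ACEs are checked top-down, the first match wins, and an implicit deny ends every list. It parses the three ACEs used on NY-FW, runs constructed sample packets (an EIGRP hello, a ping, telnet and SMB, with assumed 10.0.0.x addresses) through each stage of the list, checks a tighter list that still carries the lab traffic, and flags ACEs that a preceding permit ip any any would shadow. Only the any/host/network-mask operands, “eq” port matches and the ICMP type names used here are modelled; the addresses and the tighter ACL are assumptions, not from the lab.

```python
"""ASA-style extended ACL evaluation: top-down, first match wins, implicit deny.
Added example for the transparent firewall lab; addresses and sample packets are
constructed, and the ACE lines mirror those configured on NY-FW."""
import ipaddress
from collections import namedtuple

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17, "eigrp": 88}  # IP protocol numbers
ICMP_TYPES = {"echo": 8, "echo-reply": 0}
PORT_NAMES = {"telnet": 23, "ssh": 22}

# proto is the IP protocol number; dport (TCP/UDP) and icmp_type are optional.
Packet = namedtuple("Packet", "src dst proto dport icmp_type", defaults=(None, None))
# src/dst are IPv4Network objects; qualifier is "echo", "eq telnet", ... or None.
Ace = namedtuple("Ace", "action proto src dst qualifier")

def _take_addr(tokens):
    """Consume one ASA address operand: any | host A.B.C.D | A.B.C.D MASK."""
    if tokens[0] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def parse_ace(line):
    """Parse 'access-list NAME [extended] permit|deny PROTO SRC DST [qualifier]'."""
    rest = line.split()
    if rest[0] != "access-list":
        raise ValueError(f"not an access-list line: {line!r}")
    rest = rest[3:] if rest[2] == "extended" else rest[2:]
    action, proto = rest[0], rest[1]
    if action not in ("permit", "deny") or (proto != "ip" and proto not in PROTO_NUMBERS):
        raise ValueError(f"unsupported ACE: {line!r}")
    src, rest = _take_addr(rest[2:])
    dst, rest = _take_addr(rest)
    return Ace(action, proto, src, dst, " ".join(rest) or None)

def ace_matches(ace, pkt):
    if ace.proto != "ip" and PROTO_NUMBERS[ace.proto] != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ace.src or ipaddress.ip_address(pkt.dst) not in ace.dst:
        return False
    if ace.qualifier is None:
        return True
    if ace.proto == "icmp":
        return pkt.icmp_type == ICMP_TYPES[ace.qualifier]
    op, port = ace.qualifier.split()          # only "eq PORT" is modelled here
    if op != "eq":
        raise ValueError(f"unsupported port operator: {ace.qualifier!r}")
    return pkt.dport == (PORT_NAMES[port] if port in PORT_NAMES else int(port))

def evaluate(acl, pkt):
    """First matching ACE decides; falling off the end is the implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action == "permit"
    return False

def shadowed(acl):
    """Indexes of ACEs that can never match because an earlier unqualified ACE
    already covers their protocol and address scope, whatever its action."""
    return [i for i, later in enumerate(acl)
            if any(e.qualifier is None and e.proto in ("ip", later.proto)
                   and later.src.subnet_of(e.src) and later.dst.subnet_of(e.dst)
                   for e in acl[:i])]

# The ACEs from the NY-FW configuration, in the order the post adds them.
NY_FW_ACL_LINES = [
    "access-list outside->in extended permit eigrp any any",
    "access-list outside->in extended permit icmp any any",
    "access-list outside->in extended permit ip any any",
]
# A tighter list that still carries the lab traffic (host address assumed).
TIGHT_ACL_LINES = [
    "access-list outside->in extended permit eigrp any any",
    "access-list outside->in extended permit icmp any any echo",
    "access-list outside->in extended permit icmp any any echo-reply",
    "access-list outside->in extended permit tcp any host 10.0.0.1 eq telnet",
]
# Misordered: the deny can never be hit because the broad permit precedes it.
MISORDERED_LINES = [
    "access-list outside->in extended permit ip any any",
    "access-list outside->in extended deny tcp any any eq 445",
]
# Constructed sample traffic between the two lab routers (addresses assumed).
SAMPLES = {
    "eigrp": Packet("10.0.0.1", "224.0.0.10", PROTO_NUMBERS["eigrp"]),
    "ping": Packet("10.0.0.2", "10.0.0.1", PROTO_NUMBERS["icmp"], icmp_type=ICMP_TYPES["echo"]),
    "telnet": Packet("10.0.0.2", "10.0.0.1", PROTO_NUMBERS["tcp"], dport=23),
    "smb": Packet("10.0.0.2", "10.0.0.1", PROTO_NUMBERS["tcp"], dport=445),
}

def verdicts(lines):
    """Permit (True) or deny (False) for each sample packet under the given ACE lines."""
    acl = [parse_ace(line) for line in lines]
    return {name: evaluate(acl, pkt) for name, pkt in SAMPLES.items()}

def lab_results():
    """Verdicts at each stage of the post's ACL: EIGRP only, then +ICMP, then +IP."""
    return {n: verdicts(NY_FW_ACL_LINES[:n]) for n in range(1, len(NY_FW_ACL_LINES) + 1)}
```

Calling lab_results() reproduces the post step by step: with only the EIGRP ACE the hello is permitted and everything else is denied (adjacency up, ping fails), adding the ICMP ACE lets the ping through, and adding permit ip any any permits everything including the SMB sample. verdicts(TIGHT_ACL_LINES) shows that the adjacency, ping and telnet all still pass while SMB stays denied, and shadowed() on MISORDERED_LINES returns the index of the deny that the earlier permit makes unreachable.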

Once we set up the other router for telnet (a lab convenience only: telnet sends the password in cleartext, and SSH would be the choice anywhere real):

Outside(config)#line vty 0 4
Outside(config-line)#password 802101
Outside(config-line)#transport input telnet

We have access:

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 5/8/11 ms
Trying ... Open

* banner stuff *

User Access Verification

So there we have a very brief intro to transparent firewalls, and hopefully it’ll work in the main lab later on.