RE: OSPF over ASA transparent mode

From: anthony.sequeira@thomson.com
Date: Wed Apr 11 2007 - 22:40:27 ART


Hi Nem!

I hope I have not sent you down a "rat hole" here - I was quoting the
Cisco Systems SNPA course for transparent firewall guidelines. Here is
the expanded text (I have not verified this in the lab or production):

"Each interface must be a different VLAN interface...Keep in mind that
as a layer 2 device the security appliance interfaces must be on
different VLANs to differentiate the traffic flow."

They even show a diagram:

R1 - VLAN 100 - 10.0.1.0 ---ASA/PIX---10.0.1.0-VLAN 200 ----Hosts

________________________________

From: nem chua [mailto:nemthuduc@gmail.com]
Sent: Wednesday, April 11, 2007 9:08 PM
To: Sequeira, Anthony (NETg)
Cc: Cisco certification
Subject: Re: OSPF over ASA transparent mode

Hi, thank you everyone for responding to my email.

Anthony, now this is interesting, each interface must be in a separate
VLAN? So according to the drawing, I'm assuming each interface on the
external and internal 3750 has to be a separate VLAN???

In ASA transparent mode, I thought the entire network should be one VLAN
and one subnet because the firewall is like a bridge between the 3750
outside and inside, why would I want to use a separate VLAN on each 3750
link?

I tried everything else. The MTUs are at the default 1500 bytes. I
created an access list and applied it to the external interface to allow ip
any to any, still no go. From the debugs it looks like the inside
switches see the hellos coming from the outside, and have those
neighbors in INIT state. However, the external switch does not see any
hello coming from the internal switch.

Thanks much.

3750 external switch ------------- vlan 10 ------------- 3750 external switch
        |                                                        |
      vlan 10                                                  vlan 10
        |                                                        |
  ASA firewall ----------------- Failover ----------------- ASA firewall
        |                                                        |
      vlan 10                                                  vlan 10
        |                                                        |
3750 internal switch ------------- vlan 10 ------------- 3750 internal switch

On 4/11/07, anthony.sequeira@thomson.com <anthony.sequeira@thomson.com>
wrote:

Errr - I just realized I might have answered too quickly here and not
read your original post closely enough....

It sounds like you want OSPF traffic to pass THROUGH the Transparent
Firewall. This should be permitted as long as your Extended ACL provides
the appropriate permissions.

So I would check your ACL carefully - and then check your guidelines on
Transparent Firewalling:

* Each directly connected network must be on the same subnet
* A management IP address is required and must be on the same subnet
* Each interface must be a different VLAN interface

Anthony J. Sequeira
#15626

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Sequeira, Anthony (NETg)
Sent: Wednesday, April 11, 2007 5:35 PM
To: nemthuduc@gmail.com; ccielab@groupstudy.com
Subject: RE: OSPF over ASA transparent mode

The following features are not supported in Transparent Mode:

* DYNAMIC ROUTING PROTOCOLS
* NAT
* IPv6
* DHCP Relay
* QoS
* Multicast
* VPN Termination for Through Traffic

Anthony J Sequeira
#15626

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
nem chua
Sent: Wednesday, April 11, 2007 4:55 PM
To: Cisco certification
Subject: OSPF over ASA transparent mode

Hello,

Has anyone run this before? When I had the ASA firewall run OSPF it worked
fine. I tried running the ASA firewall in transparent mode, access-list wide
open for ip any any, and ospf any any. All traffic passes fine, but OSPF
will not form an adjacency and is stuck in INIT state. If I plug the router on
each end directly, bypassing the firewall, it works fine. Any idea?
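For reference, here is an added example (not a configuration posted by anyone in this thread) of the minimal ASA transparent-mode setup that meets the guidelines Anthony quotes and still lets OSPF cross the bridge between the external and internal 3750s. The two ASA interfaces sit in different switch VLANs but bridge a single IP subnet, which is what the SNPA text describes. The interface names Ethernet0/0 and Ethernet0/1, the ASA 7.x syntax (global `ip address` for the management address), the access-list names and the 10.0.1.0/24 addressing are all assumptions drawn from the sketches above. OSPF is IP protocol 89 and its hellos go to the link-local groups 224.0.0.5 and 224.0.0.6, so the permit is scoped to that instead of being left at `ip any any`:

```cisco
! Added example, not a configuration from this thread.
! Assumes ASA 7.x syntax, interfaces Ethernet0/0 and Ethernet0/1,
! and the 10.0.1.0/24 subnet taken from the diagram above.
firewall transparent
!
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! The bridge itself needs a management address on the same subnet as
! the hosts on both sides; nothing routes through this address.
ip address 10.0.1.254 255.255.255.0
!
! OSPF is IP protocol 89. Hellos and LSAs use 224.0.0.5 (AllSPFRouters)
! and 224.0.0.6 (AllDRouters); DR/BDR database exchange on a broadcast
! segment is unicast between the routers, hence the subnet-to-subnet line.
access-list OUTSIDE_IN extended permit ospf 10.0.1.0 255.255.255.0 host 224.0.0.5
access-list OUTSIDE_IN extended permit ospf 10.0.1.0 255.255.255.0 host 224.0.0.6
access-list OUTSIDE_IN extended permit ospf 10.0.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list OUTSIDE_IN remark add the permits for user traffic below; the implicit deny drops the rest
!
access-list INSIDE_IN extended permit ospf 10.0.1.0 255.255.255.0 host 224.0.0.5
access-list INSIDE_IN extended permit ospf 10.0.1.0 255.255.255.0 host 224.0.0.6
access-list INSIDE_IN extended permit ospf 10.0.1.0 255.255.255.0 10.0.1.0 255.255.255.0
access-list INSIDE_IN remark add the permits for user traffic below; the implicit deny drops the rest
!
! Multicast and broadcast are only forwarded through a transparent ASA
! when an extended access list permits them, so apply a list on each
! interface, not just on the outside.
access-group OUTSIDE_IN in interface outside
access-group INSIDE_IN in interface inside
```

To check it, watch the hit counts in `show access-list OUTSIDE_IN` and `show access-list INSIDE_IN` while the 3750s send hellos, and compare with `show ip ospf neighbor` on each switch. The symptom described above, one side seeing hellos and sitting in INIT while the other side sees none, is exactly what a list applied on only one interface produces, since the reply hellos are dropped on the way back.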



This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART