Deploying an ASA in Transparent Mode

"The What?" - In this blog I want to explore 1 of the 2 ASA modes, Transparent mode. In this mode the ASA is no longer in routed mode acting as a L3 routed hop. The ASA actually operates as a L2 bump on the wire.

"The Why?" - A major benefit is that you can actually insert a transparent ASA into a network without having to modify IPs on other devices. This can be clutch if wanting to segregate and essentially split a vlan up. Some other benefits include simplicity of configuration due to the fact of requiring much less changes as compared to a routed ASA, the device is undetectable, & the ability to permit or deny non-IP traffic.

"The How?" - The layer 2 connectivity is accomplished via a bridge group. Real quick note, bridge groups allow us to group interfaces. We see this often with transparent ASAs. Bridge groups include a Bridge Virtual Interface or BVI, which has an interface IP address that is used as the source for packets originating from the group. The BVI IP address must be on the same subnet as the group interfaces. To start, here is the simple topology used:

Pay attention to how our Windows client (Win1) is on the same subnet (VLAN 12) as CSR2. For the purposes of this post, to understand transparent ASAs, we will focus on CSR2, ASA1 and Win1.

Really the only part of the CSR2 config we need to worry about is the interface that acts as the L3 gateway for our Win1 client:

Win1 network adapter configuration:

Now let's dive into how the transparent firewall gets configured to act as a L2 bump in the wire. First, here is a helpful command that tells you which mode the firewall is running in: show firewall

Note: if you need to change the mode, go into global configuration mode and run firewall <mode> (firewall transparent or firewall routed). Be aware that changing the mode clears the running configuration, so do this first, ideally from the console, before configuring anything else.

I started with creating the bridge virtual interface so I can establish the bridge group.

Note that the BVI IP address falls in the same subnet as the Windows client and CSR2. Next I added the respective interfaces to the new bridge group:

Note that VLAN tagging in VMware is necessary for the ASA <--> CSR2 connection, but not for the Windows client. Hence subinterface G0/0.12 (VLAN 12) connects to CSR2 and interface G0/1 connects to the Windows client.

To verify the bridge group configuration:

For traffic flow, the same rule applies to transparent ASAs as to routed ones. Traffic originating from a higher security level interface is allowed by default to a lower security level interface. In the opposite direction (lower to higher security level) we need an ACL permitting the traffic. I declared the outside interface (security level 0 by default) as the one connecting to the CSR2 gateway, and the inside interface (security level 100) as the one connecting to the Windows client. By default, without making any modifications, traffic initiated from the Windows client to CSR2 is allowed:

Without an ACL permitting traffic from CSR2 --> Windows host, the client is unreachable from CSR2:

In order to allow ping traffic I created the following access list and applied it inbound on the outside interface:

To verify the ACL is working as expected:

Viewing the ACL hit counter on the transparent ASA:
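For reference, here is the complete ASA configuration that the steps above produce, written out as an added example rather than taken from the original post's screenshots. The interface names, VLAN 12 and the inside/outside roles come from the post; the addresses (10.12.12.0/24 with CSR2 as .1, Win1 as .10 and the BVI as .5), the bridge group number and the ACL name OUTSIDE_IN are assumptions chosen for illustration.

```text
! Added example: ASA transparent-mode configuration for the topology above.
! Addresses, bridge group number and ACL name are assumed, not from the post.
firewall transparent
!
! The BVI carries the only IP address in the bridge group. It sits in the
! same /24 as CSR2 (.1) and Win1 (.10) and is the source address for traffic
! the ASA itself originates (syslog, AAA, management).
interface BVI1
 ip address 10.12.12.5 255.255.255.0
!
! Physical uplink toward CSR2; the VLAN 12 tag lives on the subinterface.
interface GigabitEthernet0/0
 no shutdown
!
interface GigabitEthernet0/0.12
 vlan 12
 bridge-group 1
 nameif outside
 security-level 0
!
! Untagged link to the Windows client.
interface GigabitEthernet0/1
 bridge-group 1
 nameif inside
 security-level 100
 no shutdown
!
! Lower-to-higher security traffic needs an ACL: let CSR2 ping Win1.
! Only echo is permitted inbound; Win1's echo-reply travels inside->outside
! and is allowed by the security levels.
access-list OUTSIDE_IN extended permit icmp any any echo
access-group OUTSIDE_IN in interface outside
!
! Optional but recommended: inspect ICMP so replies to pings started from
! the inside are matched to an existing connection instead of needing their
! own permit entry on the outside interface.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Verification:
!   show firewall               -> "Firewall mode: Transparent"
!   show bridge-group 1         -> lists G0/0.12 (outside) and G0/1 (inside)
!   show mac-address-table      -> MACs of CSR2 and Win1 learned on the
!                                  expected member interfaces
!   show access-list OUTSIDE_IN -> hitcnt increases as CSR2 pings Win1
```

Two things worth checking after pasting this in: the BVI address is the only address the ASA answers on, so management access (ssh, http) must reference it, and because the ACL above only permits echo, any other lower-to-higher flow from CSR2 toward Win1 still needs its own permit line.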

There you have it: I have successfully deployed a Cisco ASA in transparent mode and allowed traffic to flow in both directions through the L2 bump in the wire. Stay tuned for more to come, Cheers!

