Transparent ASA

Neeko Member Posts: 170
When you run an ASA in layer 2 transparent mode and define port pairs to bridge, how do you go about having 2 links to collapsed core switches? Likewise how do you incorporate a DMZ?

For the DMZ I'm thinking you would need two links from the WAN router, one for the bridge to the LAN and one to the DMZ. But the LAN has two links for redundancy so how does this work?

I don't have access to any such device and the smaller firewalls I've worked on in the past were never in the context of hierarchical designs with redundancy so I'm a bit lost. If it is better to run the firewall in routed mode is it possible to allow core switches and WAN routers to exchange routing information even with firewalls between them?

Comments

  • Ahriakin Member Posts: 1,799
    The single most important thing to remember when dealing with transparent is do not try to incorporate it into your Layer3+ design...obvious but it tends to confuse people. Any network segmentation needs to be performed on other L3 devices; the ASA is just a bump in the wire within a VLAN, so whatever link you would normally have to the switch (trunk) or L3 device behind which the DMZ exists, you just put the L2 firewall inline. So if you are going direct from your WAN router to your trusted LAN segments and the DMZ then yes, you need to be inline physically with both connections.
    We responded to the Year 2000 issue with "Y2K" solutions...isn't this the kind of thinking that got us into trouble in the first place?
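The inline placement described above, as an added configuration example that is not from the original thread: a transparent-mode ASA sitting on two separate physical paths from the WAN router, one to the LAN switch and one to the DMZ, each as its own bridge group, with all segmentation left to the L3 devices on either side. It assumes ASA 8.4+ bridge-group syntax; the interface names, descriptions, addresses and the sample policy are assumed for illustration.

```cisco
! Added example, not from the original post. Interface names, addresses and
! the sample ACL are assumed; the ASA does no routing in this mode.
firewall transparent
hostname asa-l2
!
! Bridge group 1: WAN router <-> core switch (trusted LAN path).
! One bridge group carries one VLAN; a trunk would instead use 802.1Q
! subinterfaces, each VLAN pair in its own bridge group.
interface GigabitEthernet0/0
 description to-WAN-router (LAN side)
 nameif outside
 bridge-group 1
 security-level 0
 no shutdown
interface GigabitEthernet0/1
 description to-core-switch
 nameif inside
 bridge-group 1
 security-level 100
 no shutdown
!
! Bridge group 2: second physical link from the WAN router to the DMZ.
interface GigabitEthernet0/2
 description to-WAN-router (DMZ side)
 nameif dmz-outside
 bridge-group 2
 security-level 0
 no shutdown
interface GigabitEthernet0/3
 description to-DMZ-switch
 nameif dmz
 bridge-group 2
 security-level 50
 no shutdown
!
! Management address per bridge group, taken from the bridged segment's own
! subnet (addresses assumed). Traffic never crosses between BVI1 and BVI2;
! the WAN router is the L3 hop that separates LAN and DMZ.
interface BVI1
 ip address 192.0.2.2 255.255.255.0
interface BVI2
 ip address 198.51.100.2 255.255.255.0
!
! Sample inbound policy on the DMZ path: permit HTTPS to one DMZ host
! (assumed address), log and drop everything else.
access-list DMZ_IN extended permit tcp any host 198.51.100.10 eq 443
access-list DMZ_IN extended deny ip any any log
access-group DMZ_IN in interface dmz-outside
```

Each bridge group is an independent bump in the wire, so the WAN router still needs a link per segment exactly as the reply states.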