We're going to take a look at deploying transparent mode on the Cisco ASA. This article is part of my CCIE Security series, based on the studies that I am doing for the Implementing and Operating Cisco Security Core Technologies v1.0 exam (350-701), and we are covering section 2.2 of the blueprint today. So, as I always do, I start off with some main points on what we are going to look at today. For the ASA in transparent mode, we will just cover the main points that I've got down here. The first one is that the ASA acts as a bump in the wire: essentially it is a layer 2 device, not a layer 3 device. The interfaces use bridge group interfaces, or BVIs, so the interfaces that are going to be used within a transparent-mode ASA are assigned to BVIs (bridge group virtual interfaces). Bridge groups cannot communicate with one another.
So if you have bridge group 1 and bridge group 2 and they need to communicate with one another, you do need to send that traffic up to, let's say, a layer 3 router for it to route back down into the separate bridge group. So you can't route between bridge groups on the ASA. You still have the option to configure the management interface, so if you want to have a separate management connection to the ASA, that is possible. Bridge groups should have IP addresses assigned to them. Packets are forwarded based on the destination MAC address, so when packets are forwarded the decision is based purely on the destination MAC address. The ASA in transparent mode will use ARP or ICMP to resolve the MAC address of the next-hop device, and it will not flood all interfaces if it does not know the next-hop MAC address. Traffic from a higher security level to a lower security level is permitted by default.
So this is the same behaviour as a normal routed ASA. ARP can pass through the firewall without an ACL; however, CDP cannot, so you will have to explicitly allow that if that is what you want to do. When you change firewall modes, it will wipe all the configuration. The default firewall mode for the ASA is routed mode, and when you change to transparent mode,
you will lose all your configuration if you do have configuration on a routed firewall, so it's best to make sure that you back that up before changing to transparent mode. 250 bridge groups are supported, with four interfaces in a bridge group, so that's quite a lot. With transparent mode there are some unsupported features. There's no support for dynamic routing, so you cannot configure, let's say, OSPF on the transparent ASA. However, you can permit routing protocols through the transparent firewall, but this needs to be explicitly done: if you don't allow those multicast packets, they will be denied,
which matters if you do need to establish an adjacency with a device through the transparent firewall. The transparent firewall will not support DHCP relay, but it can act as a DHCP server, though only for IPv4. There is no support for DDNS, no QoS support and no VPN support in transparent mode; it only supports site-to-site VPN for the management.
There is also no [inaudible] support. It's pretty straightforward configuring transparent mode on the ASA, and I've just put a note there that configurations may vary depending on the ASA version that is being used, so it's always best to check the Cisco documentation before you go ahead and start to configure transparent mode. For the following demonstration today we will be using ASA code 9.12, so the steps below are what will be used to configure transparent mode. It's pretty straightforward, as I say. We start by changing the ASA to transparent mode and, as I say, make sure you do back up your configuration
if there is any on an ASA that is in routed mode. Then we configure the physical interfaces: we configure the name, the security level and the bridge group that the interface is going to be assigned to. The bridge group part I normally come back to, because I configure step three first: I configure the bridge groups first and then assign the interfaces.
As for the actual configuration of the bridge groups, it's pretty straightforward, and you assign the IP address to the bridge group itself and not to the physical interfaces. Depending on your environment, you may want to configure ACLs to allow certain flows to pass through the transparent firewall; I'll put that as optional, because we will not be demonstrating that part in this demonstration today. Then, last of all, verify the configuration. It's always best to verify your configuration before saving the change. Our demonstration today is pretty straightforward: the purpose is to demonstrate the configuration on the ASA for the transparent firewall. We will be configuring one ASAv in transparent mode, we have a switch on either side (left and right), and then we have two VPCs on either side as well. The whole aim today is to configure transparent mode and to verify connectivity between the two VPCs. We'll just get into the lab environment now; the switches have already been configured.
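The five steps above, pulled together as one ASA configuration. This is an added example, not the video's own CLI session, and it uses the lab's own values (hostname asa-lab, BVI 1 at 192.168.10.2/24, outside at security level 0, inside at 100, the ICMP access list from later in the walkthrough). Assumed: the two data interfaces are GigabitEthernet0/0 and GigabitEthernet0/1 on an ASAv running 9.12, and global_policy / inspection_default are the ASA's stock service-policy names. The bridge-group command is placed before nameif on each interface, which works on every 9.x release; the video issues it afterwards.

```cisco
! Added example (not from the video): ASA transparent mode, steps 1-5 in one place.
! Back up the routed-mode configuration before step 1, because the mode change
! wipes the running configuration.

! Step 1: change the firewall mode (default is routed)
firewall transparent
hostname asa-lab

! Step 3 (done first, as in the walkthrough): create the bridge group.
! The IP address lives on the BVI, never on the physical interfaces.
interface BVI1
 ip address 192.168.10.2 255.255.255.0

! Step 2: physical interfaces - bridge group membership, name, security level
interface GigabitEthernet0/0
 bridge-group 1
 nameif outside
 security-level 0
 no shutdown
!
interface GigabitEthernet0/1
 bridge-group 1
 nameif inside
 security-level 100
 no shutdown

! ICMP inspection, so echo replies for pings started on the inside (100)
! are allowed back in from the outside (0). Assumed stock policy names.
policy-map global_policy
 class inspection_default
  inspect icmp

! Logging, so denied flows are visible with "show logging | include Deny"
logging enable
logging buffered debugging

! Step 4 (optional): the walkthrough's ACL. Without it, outside (0) -> inside (100)
! is denied by default; this permits ICMP from one outside host to one inside host.
access-list outside extended permit icmp host 192.168.10.11 host 192.168.10.10
access-group outside in interface outside

! Step 5: verify before saving
show firewall
show nameif
show bridge-group 1
show access-list outside
show logging | include Deny
write memory
```

Only ICMP between the two named hosts is opened by the access list; anything else arriving on the outside interface is still dropped, and those drops show up in the buffered log, which is the quickest way to confirm that the security-level default is doing what you expect.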
In this topology we're using VLAN 10 throughout the environment, and we're going to use one bridge group, which is going to be BVI 1 once we've configured it. The VPCs should also be configured; we can take a look at those configurations as well. The ASA is a fresh install, so we'll just start by configuring
the hostname; we'll just call this asa-lab. Then we'll use firewall transparent. As I said, by default it is in routed mode, and we can verify that by doing show firewall: we can see that the firewall mode is Router. So we just do firewall and a question mark, and we can see there that we can switch it to transparent. That is done; show firewall,
and now we can see it's in transparent mode. Now what we'll do is configure the interfaces. We'll start off by configuring Gig0/0, so interface GigabitEthernet0/0, and we'll do nameif and give this one outside. The security level is set by default to 0; we'll leave that as it is, we'll just issue a no shutdown, and we will not apply the bridge group yet because we've not configured that. Then we'll go across to interface GigabitEthernet0/1, and this time we'll call this one inside; by default we get a security level of 100. Then no shutdown for that, and then we'll go to interface BVI 1.
If we do a question mark we can see the options we have: we can give a description, an IP address, and that's pretty much it. So we'll specify an IP address of 192.168.10.2 with a /24 mask, and we'll just issue a no shutdown, which we don't actually need.
Once that's done, we can now assign the interfaces to the bridge group: interface Gig0/0, and if we just do a question mark we can see that we've got a command here, bridge-group, so we can specify which bridge group this physical interface will belong to. We'll just do bridge-group 1, and then the same for interface Gig0/1, which is going to be bridge-group 1 as well. Then we'll just do show nameif, where we've got the two interfaces, and if we do show bridge-group 1 we can see that we've got bridge group 1 and the interfaces that I've assigned are Gig0/0 and Gig0/1. That's pretty much it. What I'm going to do now is enable logging, because we'll need this in a minute: logging enable, and we'll just enable buffered logging at the debugging level. Then save that config. As I said, the switches and the VPCs should already be configured. So if we just do a show on VPC4, which is here, you can see we've got an IP address of 192.168.10.10 and the gateway is 192.168.10.3.
That's going to be the switch; we can verify that. VLAN 10 on switch 2 is 192.168.10.3, and then if we look at VPC5, that's got an IP address of 192.168.10.11 with a gateway of 192.168.10.1. So let's have a look at switch 1, and we can see that VPC5 has its gateway on switch 1.
Before we actually try to get across to the other VPC, let's try to ping the gateways and just make sure. From VPC5 we're going to ping 192.168.10.1, which is all well and good, and then we'll see if we can reach the gateway for VPC4, which is 192.168.10.3. That's good as well, excellent. Now, if we recall the security levels: if you just do show nameif we can see that Gig0/0 has a security level of 0, and this is the interface connecting to VPC5, and you can see that Gig0/1 has a security level of 100, which is connecting to VPC4. So by default we should be able to... well,
no, we shouldn't be able to ping until we have enabled ICMP inspection. Once ICMP inspection is enabled (I'll just do this quickly), we should be able to ping from VPC4 to VPC5, but VPC5 shouldn't be able to ping VPC4 because of the security levels. We'll just test that in a minute. Let me just enable this quickly: under the inspection policy, inspect icmp. Right, with that done, let's just do show logging | include Deny; there's nothing being denied there at the moment.
As I said, from VPC4 we should be able to ping VPC5 without any problems, so let's try that: ping 192.168.10.11, and we can see that that's fine. We have no denies on the ASA; that's the one that's being used, and that's a short-lived connection, so it works out there. Then, as I say, from VPC5 this should be denied, so let's try and ping 192.168.10.11... sorry, that's pinging itself; 192.168.10.10,
rather. We can see there that that's not permitted. If we have a look at the logs on the firewall, we can see that we're getting denies, and that's from 192.168.10.11 to inside 192.168.10.10. To allow that traffic we would need to create an ACL, so we can do that now.
Let's call it access-list outside, and then we'll do permit icmp from 192.168.10.11, specifying the mask, so that's host 255.255.255.255, going to 192.168.10.10, again 255.255.255.255. Then we'll do access-group outside, and the traffic's coming inbound, so in, interface outside, and that's done. Cool! So if we try now to ping again, let's see what we get. Now we can see that the flow hits the rule on the firewall; those are just the denies from earlier. Now, if we show run access-list we can see our access list there, and show access-list:
you can see that access list there configured, and we can see that none are being denied. So that's simply how you configure the ASA in transparent mode. That's a very quick demonstration of how to do so. If you found the content useful and if you've got any questions, feel free to drop me a comment in the comment section or on any of my social media platforms.