Friday, February 15, 2013

Configuring Cisco ASA Transparent Mode (Version 8.4 and Later)

The following post is based on ASA software version 8.4 and later.

With the release of ASA software version 8.4, Cisco added bridge-groups to the ASA which changed the way that transparent mode is configured. Now, you must assign VLAN interfaces to bridge-groups. Bridge-groups provide a means of isolating network traffic. Traffic from one bridge-group is not shared with other bridge-groups. Instead of just assigning a global IP address to the device for management, you now assign a management IP address to the Bridge Virtual Interface (BVI). This address is used not only for management, but as the source address for packets originating from the ASA such as AAA communications or syslog messages. Although I'm not going to cover IPv6 in this document, the ASA does support IPv6 in transparent mode.

Here is the configuration on an ASA 5505 (it will be similar for other models in the ASA family):

You must first enable transparent mode on the firewall. Before executing this command, ensure that you have a good backup of the existing configuration. This command will obliterate the existing configuration.

In configuration mode, execute the command firewall transparent:

ciscoasa# conf t
ciscoasa(config)# firewall transparent

Next, assign physical interfaces to VLANs using the switchport access command and enable the physical interfaces with the no shutdown command:

ciscoasa(config)# interface Ethernet 0/0
ciscoasa(config-if)# switchport access vlan 2
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface Ethernet 0/1
ciscoasa(config-if)# switchport access vlan 1
ciscoasa(config-if)# no shutdown

After configuring the physical interfaces, you must configure the VLAN interfaces by giving them names and assigning them to the same bridge-group:

ciscoasa(config-if)# interface vlan 2
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# bridge-group 1
ciscoasa(config-if)# interface vlan 1
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# bridge-group 1

(Notice that the ASA automatically assigns security levels based on the names inside and outside. If you choose to give the VLAN interfaces different names than inside and outside, you will have to manually assign a security-level of 100 to the inside interface and 0 to the outside interface.)

Now, you'll configure the management IP address through the Bridge Virtual Interface (BVI):

ciscoasa(config-if)# interface bvi 1
ciscoasa(config-if)# ip address 192.168.1.240

(Notice that I didn't explicitly assign a subnet mask to the BVI's IP address. The ASA can assign a default mask based on the class of the IP address. Since 192.168.1.240 is a Class C address, the ASA automatically assigns a 24-bit mask of 255.255.255.0. If you're using something other than a default subnet mask, you can specify it in dotted-decimal notation following the IP address.)

The transparent mode configuration is now complete and the ASA will pass traffic. If you want to use the graphical ASDM (Adaptive Security Device Manager) to manage the device, you must enable the HTTP server and specify which hosts are permitted to access the ASDM with the following commands:

ciscoasa(config-if)# http server enable
ciscoasa(config)# http 0.0.0.0 0.0.0.0 inside

The first command does what its syntax implies: it enables the server. The second command permits any host connected to the inside interface, regardless of its IP address, to use the HTTP server. You might want to narrow the address range by specifying either your network address (in this example, it would be 192.168.1.0 255.255.255.0) or the host address of your management workstation.

Here is the configuration in a copy-and-paste format. Make sure you have a backup of your ASA's existing configuration, because these commands will clear and replace the existing config. You've been warned!


conf t
firewall transparent
interface Ethernet 0/0
switchport access vlan 2
no shutdown
interface Ethernet 0/1
switchport access vlan 1
no shutdown
interface vlan 2
nameif outside
bridge-group 1
interface vlan 1
nameif inside
bridge-group 1
interface bvi 1
ip address 192.168.1.240
http server enable
http 0.0.0.0 0.0.0.0 inside
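The one line in that configuration worth a second look before it goes into production is the http permit, which exposes ASDM to every host on the inside segment. The script below is an added example written for this post, not Cisco's code or the author's: it parses the copy-and-paste configuration above (embedded as a constructed sample), works out the security level and bridge-group each VLAN interface ends up with, derives the classful mask the ASA will apply to the BVI address when none is given, flags an http permit that is wider than the BVI's own subnet, and prints the narrowed line the post suggests using instead. The function and key names are the example's own.

```python
"""Lint an ASA 8.4+ transparent-mode configuration for the points made in this post.

Added example (not Cisco's or the post author's code). Checks performed:
  - 'firewall transparent' is present
  - every named VLAN interface is in a bridge-group, and all share one
  - effective security level (ASA defaults only the name 'inside' to 100;
    any other name, including 'outside', defaults to 0 unless set explicitly)
  - the mask the BVI address receives (classful default when omitted)
  - whether an 'http <addr> <mask> <ifname>' permit is wider than the BVI subnet
"""
import ipaddress
import re

# Constructed sample: the copy-and-paste configuration from this post.
SAMPLE_CONFIG = """\
conf t
firewall transparent
interface Ethernet 0/0
switchport access vlan 2
no shutdown
interface Ethernet 0/1
switchport access vlan 1
no shutdown
interface vlan 2
nameif outside
bridge-group 1
interface vlan 1
nameif inside
bridge-group 1
interface bvi 1
ip address 192.168.1.240
http server enable
http 0.0.0.0 0.0.0.0 inside
"""

HTTP_PERMIT = re.compile(r"^http (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)$")


def classful_mask(addr):
    """Classful default mask the ASA applies when 'ip address' carries no mask."""
    first_octet = int(addr.split(".")[0])
    if first_octet < 128:          # Class A
        return "255.0.0.0"
    if first_octet < 192:          # Class B
        return "255.255.0.0"
    return "255.255.255.0"         # Class C


def parse_config(text):
    """Return a dict with transparent flag, per-interface settings, BVI and http permits."""
    cfg = {"transparent": False, "interfaces": {}, "bvi": None, "http": []}
    current = None                 # interface whose sub-commands we are reading
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "firewall transparent":
            cfg["transparent"] = True
            continue
        if line.startswith("interface "):
            current = line[len("interface "):].lower()
            cfg["interfaces"].setdefault(current, {})
            continue
        m = HTTP_PERMIT.match(line)
        if m:
            addr, mask, ifname = m.groups()
            cfg["http"].append((ipaddress.ip_network(f"{addr}/{mask}", strict=False), ifname))
            continue
        if current is None:        # sub-command outside any interface block
            continue
        props = cfg["interfaces"][current]
        if line.startswith("nameif "):
            props["nameif"] = line.split()[1]
        elif line.startswith("security-level "):
            props["security_level"] = int(line.split()[1])
        elif line.startswith("bridge-group "):
            props["bridge_group"] = int(line.split()[1])
        elif line.startswith("ip address ") and current.startswith("bvi"):
            parts = line.split()
            addr = parts[2]
            mask = parts[3] if len(parts) > 3 else classful_mask(addr)
            cfg["bvi"] = ipaddress.ip_interface(f"{addr}/{mask}")
    return cfg


def lint(cfg):
    """Return a list of findings; also records each interface's effective security level."""
    findings = []
    if not cfg["transparent"]:
        findings.append("firewall transparent is not set")
    groups = set()
    for name, props in cfg["interfaces"].items():
        if "nameif" not in props:
            continue                                   # physical/unnamed interface
        level = props.get("security_level")
        if level is None:                              # apply the ASA's naming default
            level = 100 if props["nameif"] == "inside" else 0
        props["effective_level"] = level
        if "bridge_group" in props:
            groups.add(props["bridge_group"])
        else:
            findings.append(f"{props['nameif']} ({name}) is not in a bridge-group")
    if len(groups) > 1:
        findings.append(f"named interfaces span several bridge-groups: {sorted(groups)}")
    if cfg["bvi"] is None:
        findings.append("BVI has no management IP address")
    else:
        for net, ifname in cfg["http"]:
            if not net.subnet_of(cfg["bvi"].network):
                findings.append(f"http {net} {ifname} is wider than the BVI subnet {cfg['bvi'].network}")
    return findings


def narrowed_http_line(cfg, ifname="inside"):
    """The http permit limited to the BVI's subnet, in ASA syntax."""
    net = cfg["bvi"].network
    return f"http {net.network_address} {net.netmask} {ifname}"


if __name__ == "__main__":
    parsed = parse_config(SAMPLE_CONFIG)
    for finding in lint(parsed):
        print("FINDING:", finding)
    print("suggested:", narrowed_http_line(parsed))
```

Running it against the post's configuration reports only the overly broad http permit and suggests `http 192.168.1.0 255.255.255.0 inside`; replacing the subnet with the management workstation's address and a 255.255.255.255 mask narrows it further, as the post notes.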


One thing to note about this configuration: your inside hosts will have no means of obtaining an IP address from a DHCP server on the outside of the ASA. You have three options.

  • You can configure your inside hosts with static IP addresses.
  • You can configure a DHCP server on the inside network.
  • You can configure access-control lists on the ASA to allow DHCP requests and responses to be exchanged between DHCP clients on the inside network and a DHCP server on the outside network.

My general recommendation is that you configure a DHCP server on the inside network. It could be the ASA, which can function as a DHCP server in transparent mode, or a standalone server such as a computer running Windows or Linux.

2 comments:

phipse said...

I cannot issue the switchport command on the interface. I have a Cisco ASA 5540; this doesn't work with the instructions above.

Unknown said...

The switchport command is used to assign physical interfaces to VLAN interfaces which are used on the 5505. The 5540 does not include the built-in switch which is included on the 5505. Use this link for more info about configuring transparent mode on a 5540: http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_complete_transparent.html

Thanks for your question.