Introduction
You want to segregate the network between users and servers network. Both the users and servers network is using the same subnet 192.168.20.0/24, to reduce the changes while implementing firewall and to test the firewall before it is deployed in between users and servers you have decided to do the following:
1. Use transparent firewall – This will allow the servers and users IP address remain unchange. The security zones are segregated based on layer 2 vlan tags, an additional vlan is defined as trusted/inside, while the existing vlan is defined as untrusted/outside. These two vlans are then bridged together.
2. Use SwitchPort ANalyzer (SPAN) and send the mirrored traffic to two interfaces of the transparent firewall. The transparent firewall interfaces have already had their security level defined.
SPAN session
SPAN or port mirroring is commonly used for troubleshooting, whereby the SPAN destination port is sent to protocol analyzer (wireshark) or sent to Intrusion Detection System (IDS), in this scenario the mirrored traffic is sent to the transparent firewall for inbound and outbound sessions.
Original deployment plan
Originally between user and server there is no restriction, you need to deploy the firewall to control the traffic between these hosts.
This is the original plan, vlan 20 and vlan 21 are bridged together. Server will change its vlan membership from vlan 20 to vlan 21, IP address of server is remained unchanged. When traffic from user is sent to server, the traffic goes through the transparent firewall, the transparent firewall will tag vlan 20 and vlan 21, the traffic destined to server after it goes through firewall will change tag from vlan 20 to vlan 21.
The purpose of transparent firewall is to protect the servers network, fa0/23 is the choke point that connects to the servers. Two SPAN sessions are created, both SPAN source is fa0/23, and the destination ports are fa0/21 and fa0/22. One SPAN session is transmit and send to fa0/21, this is the inbound traffic that is destined to the server. Another SPAN session is receive and send to fa0/22, this is the outbound traffic that is the traffic sent from the server.
Switch configuration
monitor session 1 source interface Fa0/23 tx monitor session 1 destination interface Fa0/21 monitor session 2 source interface Fa0/23 rx monitor session 2 destination interface Fa0/22
The SPAN destination port will be up down status.
mgmt_sw#sh int fa0/21 | in line protocol FastEthernet0/21 is up, line protocol is down (monitoring) mgmt_sw#sh int fa0/22 | in line protocol FastEthernet0/22 is up, line protocol is down (monitoring)
You should see the destination interface to keep sending out mirrored traffic.
mgmt_sw#sh int fa0/21 | in line protocol|packets output.*bytes FastEthernet0/21 is up, line protocol is down (monitoring) 9566 packets output, 754885 bytes, 0 underruns mgmt_sw#sh int fa0/21 | in line protocol|packets output.*bytes FastEthernet0/21 is up, line protocol is down (monitoring) 9624 packets output, 759435 bytes, 0 underruns mgmt_sw#sh int fa0/21 | in line protocol|packets output.*bytes FastEthernet0/21 is up, line protocol is down (monitoring) 9632 packets output, 760059 bytes, 0 underruns
Transparent firewall configuration
For this scenario, ASA5505 is used. ASA5505 configuration is a bit different from typical models of ASA. By default firewall is in router mode, to change from router to transparent use the command firewall transparent. Executing this command will reset your previous configuration to default, you should be awared to backup previous configuration before changing firewall mode.
ciscoasa(config)# sh firewall Firewall mode: Transparent
Create additional vlan 21 and bridge vlan 20 and vlan 21.
interface vlan 21 nameif inside bridge-group 2 interface vlan 20 nameif outside bridge-group 2
Assign IP address to the bridge virtual interface.
interface bvi2 ip address 192.168.20.254 255.255.255.0
Check the IP address.
ciscoasa(config)# sh int ip brief | in 192.168.20.254 Vlan20 192.168.20.254 YES unset up up Vlan21 192.168.20.254 YES unset up up BVI2 192.168.20.254 YES manual up up
If you cannot see the IP address for your bridged interfaces, check if the interfaces have assigned nameif or not.
The entire configuration needed for ASA5505
! interface BVI2 ip address 192.168.20.254 255.255.255.0 ! interface Vlan20 nameif outside bridge-group 2 security-level 0 ! interface Vlan21 nameif inside bridge-group 2 security-level 100 ciscoasa# sh run int e0/0 ! interface Ethernet0/0 switchport access vlan 20 ! interface Ethernet0/1 switchport access vlan 21
See the result
The denied IP events are generated because by default outside interface drops unsolicited traffic. Although there are denied IP events, the traffic between user and server is not disrupted.
To test the firewall, I inserted a rule to allow 192.168.20.2 to 192.168.20.1 and applied the rule at the outside interface inbound.
TCP state bypass
The TCP state bypass option originally is to solve problem during asymmetric routing the firewall drops the traffic because the TCP state was not available.
The test firewall is not in the flow of traffic, if you do not enable TCP-state-bypass option your firewall event will fire an event known as “Denied by Security Policy”, and the description is “deny tcp (no connection) from XXXXX to XXXXX flag XXX”.
This traffic is dropped because in firewall state table there is no TCP state that expects a TCP ACK to return.
To make the firewall rule testing easier to observe, you can turn on tcp-state-bypass option in the policy map and apply the policy to both inside and outside interfaces.
Step 1: Create an ACL
!This is for inbound traffic source from 192.168.20.2 to 192.168.20.1 access-list tcp-bypass-in extended permit ip host 192.168.20.2 host 192.168.20.1 !This is for outbound traffic source from 192.168.20.1 to 192.168.20.2 access-list tcp-bypass-out extended permit ip host 192.168.20.1 host 192.168.20.2
Step 2: Create a class-map that matches the ACL.
! class-map tcp-bypass-out-class match access-list tcp-bypass-out class-map tcp-bypass-in-class match access-list tcp-bypass-in class-map inspection_default match default-inspection-traffic !
Step 3: Create policy map and use the class map created, set the connection option tcp-state-bypass in the policy map.
! policy-map tcp-bypass-in-policy class tcp-bypass-in-class set connection advanced-options tcp-state-bypass ! policy-map tcp-bypass-out-policy class tcp-bypass-out-class set connection advanced-options tcp-state-bypass
Step 4: Apply the policy to inside and outside interfaces.
service-policy tcp-bypass-in-policy interface outside service-policy tcp-bypass-out-policy interface inside
When FTP is connected.
When FTP request for file started.
outbound traffic, for the inside host, the default is used i.e. host from higher security level to lower security level will be allowed by default.
What if ASA has a lot of interfaces and passes through a lot of traffic.
Hi, your scenario is not very specific. You should plan out what security zone you want to assign your ASA interfaces. If your traffic is a lot, you can use SPAN filter to filter the to the specific IP address or subnet you need to test. If your source is a trunk interface, you can filter the specific vlan you want to test.