ASA 5510 Transparent Firewall and VPN


I have a RadWare LinkProof Branch load balancing device performing NAT on my network. I am planning to introduce an ASA 5510 between my network and the LinkProof Branch. I was thinking about configuring the ASA in Transparent Firewall mode.

a. Where can I find a good Transparent mode configuration example with access lists

b. Can I also use the ASA as a VPN server (would like to use WebVPN on the ASA) when configured in a transparent mode?

1 Solution
a) Try the following links:


b) Nope, you can't terminate WebVPN on the ASA in transparent mode. VPN is not supported in transparent mode unless the VPN you are terminating is for the purpose of managing the PIX itself.
netman70 (Author) commented:
The link does not give me a configuration example...it just tells me how it functions. I would like to see a configuration example with access lists for reference.

Thanks for the clarification on VPN...do I configure one of the two 2003 DC's on my network for VPN?
netman70 (Author) commented:
The Cisco document indicates that (configuring transparent firewall) 'because the non-TCP and non-UDP packets do not create sessions, the security appliance must be configured for ACLs on both interfaces'. Does that imply that I have to configure an 'access-list inside-in extended permit ip any any' and apply it to the inside interface to allow all traffic from the internal LAN to the internet?
No. For clients to access the internet, you don't have to have an access-list applied on the inside interface. The only time you have to explicitly allow traffic through an ACL in transparent mode is if you need to pass IPX, routing protocols, BPDUs and other non-IP traffic. Here's a sample config that will allow hosts on the to get internet access and allow internet users access to the webserver:

|------------------------|                   router-----internet PC)-------|

The webserver's and the client PC's default gateway is pointed to the router( and not the PIX

Relevant Router config:

ip nat inside source static ---> static for webserver
access-list 1 permit
ip nat inside source list 1 interface serial0 overload --> internet access for the rest of the network

PIX config:

interface gigabitethernet 0/0
    nameif outside
    security-level 0
    no shutdown

interface gigabitethernet 0/1
    nameif inside
    security-level 100
    no shutdown

passwd xxxxxxxx
enable password xxxxxxxxxx
ip address
route outside
access-list web_acl remark Allows internet users access to webserver
access-list web_acl permit tcp any host eq 80
access-list web_acl permit tcp any host eq 443
access-group web_acl in interface outside

The good thing about transparent firewall is that you can put it anywhere in your network without having to redo your IP addressing scheme.
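The reply's config above has its addresses stripped by extraction, so here is a complete transparent-mode configuration for the same topology, written as an added example rather than the poster's or Cisco's own config. All addresses are assumed placeholders from the RFC 5737 documentation range (router 192.0.2.1 on the outside, web server 192.0.2.20 and clients on the inside, ASA management IP 192.0.2.10); the interface names follow the 5510's Ethernet0/x naming, and the syntax is the 7.x/8.0-8.3 form where `firewall transparent` is global and the single management address is set globally rather than per interface (8.4 and later move it onto a BVI). It also shows what the quoted Cisco sentence is actually about: non-IP frames such as BPDUs create no session and need an explicit EtherType permit on both interfaces, while inside-to-outside TCP/UDP needs no inbound ACL on the inside interface because return traffic is matched statefully.

```cisco
! Added example, not from the thread: ASA 5510 in transparent mode, 7.x/8.0-8.3 syntax.
! Placeholder addresses from the RFC 5737 documentation range.
firewall transparent
hostname asa-tfw
!
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Transparent mode: one management IP for the whole appliance, on the bridged subnet.
ip address 192.0.2.10 255.255.255.0
! Default route is only for traffic the ASA itself sources (management, syslog, AAA);
! transit traffic is bridged, not routed.
route outside 0.0.0.0 0.0.0.0 192.0.2.1
!
! Inbound from the internet: only HTTP/HTTPS to the web server. Everything else
! arriving on outside is dropped by the implicit deny at the end of the list.
access-list web_acl remark Allows internet users access to webserver
access-list web_acl extended permit tcp any host 192.0.2.20 eq 80
access-list web_acl extended permit tcp any host 192.0.2.20 eq 443
access-group web_acl in interface outside
!
! No inbound ACL on inside: inside (100) to outside (0) TCP/UDP flows are allowed
! by security level, and their return packets match the existing session.
!
! Non-IP frames create no session, so they must be permitted explicitly on both
! interfaces with an EtherType ACL. BPDUs keep spanning tree consistent across the
! bridge; drop these lines if the switches on either side do not need them.
access-list ETHER ethertype permit bpdu
access-group ETHER in interface inside
access-group ETHER in interface outside
!
! Management access to the ASA's own address, limited to the inside network.
ssh 192.0.2.0 255.255.255.0 inside
http server enable
http 192.0.2.0 255.255.255.0 inside
```

After applying it, `show access-list` lists each ACE with its hit count, which is the quickest way to confirm that the web server rules and the EtherType permits are actually matching traffic, and `show conn` shows the stateful sessions that inside clients build without any inside-interface ACL.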
