ASA 5510 Transparent Firewall and VPN

hi

I have a RadWare LinkProof Branch load balancing device performing NAT on my network. I am planning to introduce an ASA 5510 between my network and the LinkProof Branch. I was thinking about configuring the ASA in Transparent Firewall mode.

a. Where can I find a good Transparent mode configuration example with access lists

b. Can I also use the ASA as a VPN server (would like to use WebVPN on the ASA) when configured in a transparent mode?

Thanks
netman70 asked:

stressedout2004 commented:
a) Try the following links:

http://www.cisco.com/en/US/products/ps6120/products_configuration_guide_chapter09186a0080450b68.html#wp1201980

b) Nope, you can't terminate WebVPN on the ASA in transparent mode. VPN is not supported in transparent mode unless the VPN you are terminating is for the purpose of managing the PIX itself.
netman70 (author) commented:
The link does not give me a configuration example...it just tells me how it functions. I would like to see a configuration example with access lists for reference.

Thanks for the clarification on VPN...do I configure one of the two 2003 DCs on my network for VPN?
netman70 (author) commented:
The Cisco document indicates that (when configuring a transparent firewall) 'because the non-TCP and non-UDP packets do not create sessions, the security appliance must be configured for ACLs on both interfaces'. Does that imply that I have to configure an 'access-list inside-in extended permit ip any any' and apply it to the inside interface to allow all traffic from the internal LAN to the internet?
stressedout2004 commented:
No. For clients to access the internet, you don't have to have an access-list applied on the inside interface. The only time you have to explicitly allow traffic through an ACL in transparent mode is if you need to pass IPX, routing protocols, BPDUs and other non-IP traffic. Here's a sample config that will allow hosts on 192.168.1.0/24 to get internet access and allow internet users access to the web server:

|------------------------192.168.1.0/24------------|                          

192.168.1.2(webserver)--switch-----(1.254)-PIX-----(1.1)-Internet router-----internet
192.168.1.3(client PC)-------|

The web server's and the client PC's default gateway is pointed to the router (192.168.1.1) and not the PIX.

Relevant Router config:

ip nat inside source static 192.168.1.2 1.1.1.1 ---> static for webserver
access-list 1 permit 192.168.1.0 0.0.0.255
ip nat inside source list 1 interface serial0 overload --> internet access for the rest of the network

PIX config:

! Transparent mode must be enabled before the rest of the config applies
firewall transparent

interface gigabitethernet 0/0
    nameif outside
    security-level 0
    no shutdown

interface gigabitethernet 0/1
    nameif inside
    security-level 100
    no shutdown

passwd xxxxxxxx
enable password xxxxxxxxxx
! Management address for the bridge; needs the mask of the bridged subnet
ip address 192.168.1.254 255.255.255.0
! Default route is only for traffic sourced by the ASA itself (management)
route outside 0.0.0.0 0.0.0.0 192.168.1.1
access-list web_acl remark Allows internet users access to webserver
access-list web_acl permit tcp any host 192.168.1.2 eq 80
access-list web_acl permit tcp any host 192.168.1.2 eq 443
access-group web_acl in interface outside

The good thing about a transparent firewall is that you can put it anywhere in your network without having to redo your IP addressing scheme.
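The following is an added configuration example, not part of stressedout2004's post, showing the same 192.168.1.0/24 layout with the two cases the Cisco text is warning about: return traffic that creates no session (ICMP here) and non-IP frames that need an EtherType ACL on both interfaces. It assumes ASA 7.x CLI syntax, the same interface roles as above, and ACL names (outside_in, ETHER) and the IPX requirement that are mine.

```cisco
! Added example: ASA 5510 in transparent mode, 192.168.1.0/24 bridged through it.
! Assumptions: ASA 7.x, router at 192.168.1.1 is the hosts' default gateway,
! a switch on each side of the ASA runs spanning tree, and legacy IPX must pass.
firewall transparent
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Management address of the bridge; must carry the mask and sit in the bridged subnet.
ip address 192.168.1.254 255.255.255.0
! Used only for traffic the ASA itself sources (syslog, management access).
route outside 0.0.0.0 0.0.0.0 192.168.1.1
!
! IP traffic from inside (100) to outside (0) is allowed without any ACL, and
! TCP/UDP replies return through the connection table. The outside ACL only
! has to open what the Internet may initiate: the web server.
access-list outside_in remark Internet users to the web server
access-list outside_in extended permit tcp any host 192.168.1.2 eq 80
access-list outside_in extended permit tcp any host 192.168.1.2 eq 443
! ICMP creates no session unless ICMP inspection is enabled, so echo replies
! to pings started by internal hosts must be permitted on the return interface.
access-list outside_in extended permit icmp any 192.168.1.0 255.255.255.0 echo-reply
access-group outside_in in interface outside
!
! Non-IP frames (IPX, BPDUs) are not IP and never match an extended ACL. Once an
! EtherType ACL is applied, its implicit deny drops every other EtherType, so
! BPDUs must be listed explicitly or the two switches lose sight of each other.
! Non-IP traffic is never stateful, so the same ACL goes on both interfaces.
access-list ETHER ethertype permit ipx
access-list ETHER ethertype permit bpdu
access-group ETHER in interface outside
access-group ETHER in interface inside
```

Without the EtherType ACL on the inside interface the IPX and BPDU frames would pass in one direction only, which is the symptom the quoted Cisco sentence describes.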
