ASA 5510 Transparent Firewall and VPN

Posted on 2006-04-20
Last Modified: 2013-11-16

I have a RadWare LinkProof Branch load balancing device performing NAT on my network. I am planning to introduce an ASA 5510 between my network and the LinkProof Branch. I was thinking about configuring the ASA in Transparent Firewall mode.

a. Where can I find a good Transparent mode configuration example with access lists

b. Can I also use the ASA as a VPN server (would like to use WebVPN on the ASA) when configured in a transparent mode?

Question by:netman70

    Expert Comment

    a) Try the following links:

    b) Nope, you can't terminate webvpn on the ASA in transparent mode. VPN is not supported in transparent mode unless the VPN you are terminating is for the purpose of managing the PIX itself.

    Author Comment

    The link does not give me a configuration example... it just tells me how it functions. I would like to see a configuration example with access lists for reference.

    Thanks for the clarification. Can I configure one of the two 2003 DCs on my network for VPN?

    Author Comment

    The Cisco document on configuring the transparent firewall indicates that 'because the non-tcp and non-udp packets do not create sessions, the security appliance must be configured for ACL's on both interfaces'. Does that imply that I have to configure an 'access-list inside-in extended permit ip any any' and apply it to the inside interface to allow all traffic from the internal LAN to the internet?

    Accepted Solution

    No. For clients to access the internet, you don't have to have an access-list applied on the inside interface. The only time you have to explicitly allow traffic through an ACL in transparent mode is if you need to pass IPX, routing protocols, BPDUs and other non-IP traffic. Here's a sample config that will allow hosts on the network to get internet access and allow internet users access to the webserver:

    (network diagram: webserver and client PC --- PIX/ASA in transparent mode --- router --- internet PC)

    The webserver's and the client PC's default gateway point to the router, not to the PIX.

    Relevant Router config:

    ip nat inside source static ---> static for webserver
    access-list 1 permit
    ip nat inside source list 1 interface serial0 overload --> internet access for the rest of the network

    PIX config:

    interface gigabitethernet 0/0
        nameif outside
        security-level 0
        no shutdown

    interface gigabitethernet 0/1
        nameif inside
        security-level 100
        no shutdown

    passwd xxxxxxxx
    enable password xxxxxxxxxx
    ip address
    route outside
    access-list web_acl remark Allows internet users access to webserver
    access-list web_acl permit tcp any host eq 80
    access-list web_acl permit tcp any host eq 443
    access-group web_acl in interface outside

    The good thing about a transparent firewall is that you can put it anywhere in your network without having to redo your IP addressing scheme.
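    A fuller transparent-mode configuration covering both points made in this answer (no inside ACL for ordinary IP traffic, but an EtherType ACL on both interfaces for non-IP traffic). This is an added example, not the poster's config, using ASA 7.x-era syntax; every address and the BPDU example are assumptions chosen for illustration.

```cisco
! Added example (not the poster's configuration). ASA 7.x-era transparent
! mode; all addresses are placeholders from the 192.0.2.0/24 documentation range.
!
! Caution: switching modes clears the running configuration on the unit.
firewall transparent
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Management address of the ASA itself, in the same subnet as the hosts it
! bridges. Hosts keep pointing at the router (placeholder 192.0.2.1), not at the ASA.
ip address 192.0.2.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1
!
! IP traffic: inside (100) -> outside (0) passes without any ACL, so no
! "permit ip any any" on the inside interface is needed. From the outside,
! permit only what the web server publishes (placeholder host 192.0.2.10).
access-list web_acl remark Internet users to the web server
access-list web_acl extended permit tcp any host 192.0.2.10 eq 80
access-list web_acl extended permit tcp any host 192.0.2.10 eq 443
access-group web_acl in interface outside
!
! Non-IP traffic creates no session state, so it must be permitted by an
! EtherType ACL applied on BOTH interfaces. Here only spanning-tree BPDUs
! are bridged; IPX and any other EtherType remain blocked in both directions.
access-list ether_acl ethertype permit bpdu
access-group ether_acl in interface inside
access-group ether_acl in interface outside
```

    Verify with "show access-list" that the hit counts on web_acl and ether_acl increment as expected, and with "show firewall" that the unit reports transparent mode.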
