Making Watchguard Firewall visible behind Cisco ASA 5510

I have a Cisco ASA 5510 which is connected to the internet - this is my only internet connection - I have a Watchguard firewall which I would like to make visible outside the ASA and have the VPN traffic flow inside, along with other types of NATs. I'm not sure how to make the outside address of the Watchguard visible through the ASA and allow all the traffic to flow freely through the Watchguard. Can someone point me in the right direction? I know I need the following ports open for this to happen:

    UDP port 500 (IKE)
    UDP port 4500 (NAT Traversal)
    IP protocol 50 (ESP)

I have access to both ASDM and putty.
WellingtonIS asked:

btan (Exec Consultant) commented:
Most likely you need to set up the ASA as a transparent firewall.
Even though the transparent mode acts as a bridge, Layer 3 traffic, such as IP traffic, cannot pass through the security appliance unless you explicitly permit it with an extended access list. The only traffic allowed through the transparent firewall without an access list is ARP traffic. ARP traffic can be controlled by ARP inspection.

In routed mode, some types of traffic cannot pass through the security appliance even if you allow it in an access list. Alternatively, the transparent firewall can allow any traffic through with either an extended access list (for IP traffic) or an EtherType access list (for non-IP traffic).
You can pass VPN traffic through the security appliance with an extended access list, but it does not terminate non-management connections.
    !--- In order to set the firewall mode to transparent mode
    firewall transparent
    hostname ciscoasa
    enable password 8Ry2YjIyt7RRXU24 encrypted
    names

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/97853-Transparent-firewall.html
0
pgolding00 commented:
transparent mode is one way to approach this. alternatively the asa can remain in routed mode. for routed mode, there are two options - either the firebox will have an ip address in the public range (same subnet as the asa), or firebox can be in the subnet of the asa inside.

depending on the code version of asa, use static and access-lists (ver 8.3 and earlier), or use nat with access-list (beyond 8.3). the aim will be to translate one public address to one private address if the firebox is in the inside subnet. or, if the firebox has a public address, the asa translation becomes an identity translate (i.e. translate to the same address inside and outside (<8.3) or same before and after (>8.3)). if the firebox has a public address, it may require a static arp entry for its default gateway, which will be the asa inside mac address.

the access list part is where the permitted traffic is defined.
0
btan (Exec Consultant) commented:
Indeed, as shared in the link too. In summary it is doable, and in common both modes require access lists to allow any traffic through the security appliance, except for ARP packets, which are allowed automatically. Having the access-list configured correctly to allow VPN traffic is important; focus on a single public interface and a single internal interface for effecting the access-list.

Ref (Examples of transparent and routed mode)
http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/fwmode.html#wp1223203

But note that in routed mode, some types of traffic cannot pass through the security appliance even if you allow it in an access list. The transparent firewall, however, can allow any traffic through using either an extended access list (for IP traffic) or an EtherType access list (for non-IP traffic). However, transparent mode does not pass CDP packets.

Ref (Guidelines and limitations)  http://www.cisco.com/c/en/us/td/docs/security/asa/asa82/configuration/guide/config/fwmode.html#wp1222826

In enable mode try "show firewall"; it should indicate whether it is in transparent, multiple context (virtualised) or single firewall mode (default).
0

WellingtonIS (Author) commented:
The firewall is in routed mode. Not being that advanced in ASAs, I do have site-to-site VPNs and some access lists on the actual ASA itself. I have my Websense going through this too. In addition I have NATs running for the site-to-site VPNs. If I change the firewall to transparent mode, will this affect the other traffic? Also, if I'm understanding this correctly, there's only one IP address and everything would need to point to that outside address?
0
btan (Exec Consultant) commented:
Transparent is not supposed to have any big impact, assuming no access-list is enforced yet, since this mode is supposed to let all traffic protocols pass through. But as I shared earlier, there may be some protocols not supported unless you state the explicit rule list.
Even though the transparent mode acts as a bridge, Layer 3 traffic, such as IP traffic, cannot pass through the security appliance unless you explicitly permit it with an extended access list. The only traffic allowed through the transparent firewall without an access list is ARP traffic. ARP traffic can be controlled by ARP inspection.
0
WellingtonIS (Author) commented:
Well, will this allow me to have an independent IP for the Watchguard? I'd like that to be seen outside.
The IP for the ASA has a /30 subnet; however, my public IPs have a /28 subnet, so I'm not sure I can even do this. I think my best solution would be to translate to the same address inside and outside (<8.3) or same before and after (>8.3). If the firebox has a public address, it may require a static arp entry for its default gateway, which will be the ASA inside MAC address - I just need some reference material on how to accomplish this.
0
pgolding00 commented:
see table 4.1 from the link posted by wellingtonis: vpn termination is not supported when working in transparent mode for through traffic - which sounds like one of the requirements? also not sure if nat functions in transparent.

you are correct that in transparent mode, everything done by the asa will be with reference to a single ip address.

please clarify what is meant by "independent ip for the watchguard"?

from the later comment, it seems the public addresses are /30, which would mean there are no free addresses in that range as the asa will have one and the provider's router will have the other. so there is some other public address routed to the asa address by the provider? are the /28 and /30 ranges overlapping? do you wish to have one of the /28 addresses on the watchguard? do you know if the provider is using /28 or /30 on their router?

if unsure about these questions, please post the asa interface configurations and the routing configuration. you can xxx out the first two octets of addressing to maintain security.
0
btan (Exec Consultant) commented:
For the VPN termination for through traffic, the transparent firewall supports site-to-site VPN tunnels for management connections only. It does not terminate VPN connections for traffic through the security appliance. You can pass VPN traffic through the security appliance with an extended access list, but it does not terminate non-management connections.

Also note that unlike routed mode, where the ASA requires an IP address for each interface, in transparent mode the FW has one IP address assigned to the entire device. In other words, this mode supports only two interfaces (inside and outside). Looks like this can be considered an independent IP for the Watchguard then.

So I see it still possible for your use case...see this example http://ciscoasafirewall.blogspot.sg/2011/06/cisco-asa-firewall-in-transparent.html
0
WellingtonIS (Author) commented:
Independent meaning my IP for the ASA is 69.80.79.x/30 and my public IPs are 69.80.70.x/28, so they are not exactly on the same subnet. I need to have a different IP for each device, in this case my Watchguard firewall, and I'm going to need different public IPs for the devices that are currently being NATed via the Watchguard too. I'm hoping once I get the Watchguard IP public I'll be able to get the other NATs routed too. All my public IPs have to be visible via the Watchguard too.
0
btan (Exec Consultant) commented:
If that is the case, the ASA in transparent mode can only take one IP, unlike routed mode, which can expose each interface of the ASA, and those interfaces can be "exposing" the public addresses of the WG public IPs.
0
WellingtonIS (Author) commented:
That's why I need to have this in routed mode. I'm just not sure of the method to NAT the public IP to the public IP of the Watchguard, or the public IP to the internal IP of the Watchguard. But my end result needs to be that the traffic gets routed via the ASA to the Watchguard for VPN and other access. I plan on adding it to the current ASA; it's not set up yet.
0
btan (Exec Consultant) commented:
I was still thinking transparent for multiple context e.g "Example 4: Multiple Mode, Transparent Firewall with Outside Access "
http://www.cisco.com/c/en/us/td/docs/security/asa/asa70/configuration/guide/config/examples.html#wp1010043
Just that we need to play by below:
-For multiple context mode, each context must use different interfaces; you cannot share an interface across contexts.
-For multiple context mode, each context typically uses a different subnet. You can use subnets that overlap, but your network topology requires router and NAT configuration to make it possible from a routing standpoint.
0
WellingtonIS (Author) commented:
So then I need to go to transparent mode instead of routed? And this will allow my Watchguard firewall to do what it needs to? Just so you know, I have a VPN that goes through my Watchguard and 4 static NATs, for a total of 5 IPs I'm going to need "exposed".
0
pgolding00 commented:
this solution is becoming far more complex than it needs to be. if the requirements of the solution include termination of vpn at the asa, then transparent mode is not an option. multiple contexts are useful where multiple appliances might provide an alternative solution - which does not seem to be the case here?

given the requirement is to pass public ip addresses to a device behind the asa, routed mode is quite capable.

to do so, imagine the firebox has 69.80.70.49/28 in the subnet 69.80.70.48/28. the asa has 69.80.79.1/30 on the outside and the provider is 69.80.79.2/30. there are two choices - to use 69.80.70/28 on the asa's inside, or to use a private address space for the inside. if the public range is used on the inside, then for <8.3 software,
    interface ethernet0/0
      nameif outside
      security-level 0
      ip address 69.80.79.1 255.255.255.252

    interface ethernet0/1
      nameif inside
      security-level 100
      ip address 69.80.70.58 255.255.255.240

    route outside 0 0 69.80.79.2

    static (inside,outside) 69.80.70.49 69.80.70.49 netmask 255.255.255.255 dns

    access-list incoming extended permit ip any host 69.80.70.49

    access-group incoming in interface outside

and that's it! the firebox default gateway will be 69.80.70.58.

now if the inside network is to be private address space, the interface config for ether0/1 will change and the firebox can be given a static arp entry for 69.80.70.58 pointing to the asa mac address (found from "show int")

if the version is >8.4, static is no longer used. it will become an object nat command and may depend on if the inside is using public or private addressing. there are too many variables to provide the full config for every option. if some of these can be confirmed a more complete example can be provided. eg code version, ip addressing for the inside interface, address for provider, protocols and ports to be passed to firebox.
0
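The same identity exposure in post-8.3 object NAT syntax, as an added example that is not part of pgolding00's answer. It keeps the addresses assumed above (firebox 69.80.70.49 on the ASA inside subnet) and narrows the access list to the IKE, NAT-T and ESP traffic the question lists instead of permitting any IP; the object name is a placeholder.

```cisco
! Added example, not from the answer above: 8.3+ object NAT equivalent of
! "static (inside,outside) 69.80.70.49 69.80.70.49 netmask 255.255.255.255".
! Addresses are the ones assumed in the answer; object name is a placeholder.
object network FIREBOX-PUBLIC
 host 69.80.70.49
 ! identity translation: same address before and after NAT
 nat (inside,outside) static 69.80.70.49
!
! Post-8.3 access lists match the real (untranslated) address, which for an
! identity translation is the same 69.80.70.49. Permit only the VPN traffic
! the question needs: IKE (udp/500), NAT-T (udp/4500) and ESP (IP proto 50).
access-list incoming extended permit udp any host 69.80.70.49 eq isakmp
access-list incoming extended permit udp any host 69.80.70.49 eq 4500
access-list incoming extended permit esp any host 69.80.70.49
access-group incoming in interface outside
!
! Verification after a tunnel attempt from outside:
!   show nat detail             (translation present, hit counters moving)
!   show access-list incoming   (hitcnt on the three permit lines)
```

If the ASA inside were private addressing instead, the object's `host` line would carry the firebox's private address and the `nat ... static 69.80.70.49` line would stay as the public mapped address; the access list would then name the private address, since post-8.3 ACLs are evaluated on real addresses.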
btan (Exec Consultant) commented:
I go with routed, as per pgolding00. The multiple context can work out as well, though, as per the example shared. If needed, you can even go into a bridge group in this example. But I shall not make it further complicated. Key is the VPN cannot terminate at the ASA in transparent; it needs to pass the VPN through into the WG.
0
WellingtonIS (Author) commented:
Thanks for clearing that up. I'll take a good look at that and try to implement it. The only question I have is for the rest of the NATs that are on the Watchguard: will I need to do anything or will the traffic just pass through?
0
pgolding00 commented:
if there are other public addresses natted on the wg then they will require the same treatment - no different to the wg's own address. just adjust the asa access list to permit the appropriate traffic for each nat.

if these other nats are port based translations (eg public address a.b.c.d with tcp port 80 translates to inside address j.k.l.m tcp port 80) and a.b.c.d port 443 translates to *not* j.k.l.m port 443, then all this setup needs to be replicated on the asa too. if on the other hand all a.b.c.d translates to j.k.l.m then a one to one address mapping will be fine. once again without any detail it's difficult to be precise.
0
WellingtonIS (Author) commented:
OK I have to then replicate this on the ASA. - That's a tall order but thanks for the help.
0
pgolding00 commented:
does the wg really have to be behind the asa? giving its outside direct access to the internet might save all this work, and it is a firewall after all?

failing that, can some of the functions of the wg be migrated to the asa, so that there is less duplication? longer term that will be more reliable, because one day someone will forget that both devices have to be updated for every change. you don't need to answer these questions here - just food for thought.

good luck!
0
WellingtonIS (Author) commented:
Is there a better way to do this? It seems like I'm going to be doubling the work between the ASA and the WG. I'm wondering if somehow I can set them up side by side with a different public IP on each?
0
pgolding00 commented:
absolutely. if the provider routes the /28 range over the same wan service as the /30 then the traffic will arrive where it should.

a dedicated switch with the provider service and the two firewall outside interfaces connected is the safest way. failing that, a vlan with no ip address set up on an existing switch will do the job, but is more of a security risk. not configuring any ip on a switch sitting outside the firewalls effectively makes it invisible from the internet.
0
WellingtonIS (Author) commented:
I'm looking into doing this now. It never occurred to me that I'd be doubling up on the workload - my inexperience with this sort of stuff shows - but a good learning experience at that. Thanks so much for all of your input. I'll update you as soon as I sort this out.
0
btan (Exec Consultant) commented:
Also, in my context we do avoid having FW to FW unless there is a need to create an exterior DMZ including an interior DMZ for the different users and to control the backend. The experience is that the extra hop can be sensitive to certain live apps needing near real time. An application delivery controller can act as load balancer, app optimiser cum proxy filter, including as an app-aware FW (such as F5 LTM/ASM). It is a kind of expensive switch, but provided its resilience and proxy with script, and multiple context, it still works out fine with the internal users/payers. Just a few cents' worth.
0
WellingtonIS (Author) commented:
OK, I'm working on this now. They gave me an address space of 69.80.x.x/28 - I've given the external IP on the WG of a different port connected to that fiber 60.80.x.x/28. Do I use the 69.80.x.x (even though the subnet is /30 on that) gateway?
0
pgolding00 commented:
sorry, the question is not clear. assuming that you mean 69.80.x.x/28, not 60.80.x.x/28?

assuming both firewalls connected to the internet service directly, no nat thru the asa for access to the wg:
if the isp router is 69.80.79.2/30 and asa outside is 69.80.79.1/30, then the isp should route 69.80.70.0/28 to the link rather than to a specific next hop address. connect the local end of the link to a switch and use one of the 69.80.70.0/28 addresses on the wg, with the asa and wg outside interfaces both connected to this switch. the inside of both firewalls connects to a different switch (or different vlan if you must do it that way).
0
WellingtonIS (Author) commented:
Actually I spoke with the ISP and they are going to change everything to one subnet because it's not routed properly.
0
pgolding00 commented:
much simpler way to go.
0
btan (Exec Consultant) commented:
Agree as well. Internally in the past we also had to hassle through, due to compliance, to ensure a certain range is "exposed" externally while retaining the internal assignment, so as not to conduct a major overhaul and re-testing but target a single point of changes at the perimeter to do the translation. This applies even for the IPv6 to IPv4 use case likewise. Just some thoughts; thanks for sharing.
0
WellingtonIS (Author) commented:
Right now I have to close this; the only way to do this is to have the ISP change my subnet. I thank you all for your suggestions, they really helped, but there is no one answer for this.
0

WellingtonIS (Author) commented:
There's no answer except to have the ISP change the subnet. Thanks everyone for your help.
0