Monday, August 23, 2010

ASA - transparent mode

 

Switch vs. ASA

  • Separate Vlan

If the same switch carries both the outside and inside connections of the ASA, a separate VLAN must be used for the outside and the inside interface.
If different switches are used by the ASA, the same VLAN ID can be used for the inside and outside interfaces.
The principle is to make sure the ASA is the only path for traffic to flow through, so it cannot be bypassed through the switch.

  • Unknown frame flooding process

-A switch floods the frame out all ports of the same VLAN.
-The ASA instead relies on the ARP process to learn the destination MAC: it forwards the frame if the MAC is known and drops it if unknown.

  • Spanning-Tree

-A switch participates in STP (Spanning Tree Protocol) by default to prevent L2 loops.
-The ASA does not participate in STP, so L2 loop prevention must be ensured and confirmed manually.

  • Level of frame processing

-A switch forwards and filters frames at L2.
-The ASA forwards frames at L2 but can filter and manipulate them from L2 through L7.

Restrictions of TP (transparent) mode

  ■    Only two interfaces (physical or VLAN) are supported.
  ■    IPsec VPN and WebVPN are not supported.
  ■    CDP (Cisco Discovery Protocol) and IPv6 packets are dropped.
  ■    Ethernet frames that don't have a valid EtherType greater than or equal to 0x600 are dropped;
        exceptions can be made with an EtherType ACL.
  ■    NAT is not supported until version 8.
  ■    QoS with LLQ is not supported as a policy.
  ■    Routing is unsupported.

ARP inspection

  • ARP packets are allowed by default.
  • ARP inspection solves the problem caused by spoofed ARP replies or rogue gratuitous ARP.
  • ARP inspection is enabled on an interface-by-interface basis.
  • A packet is dropped when an ARP reply carries an incorrect IP-MAC combination, or when its source MAC arrives on the wrong interface.

Configuration

Enable transparent mode

asa(config)#firewall transparent

asa#show firewall

Configuring management IP

asa(config)# ip address IP_address [subnet_mask] [standby IP_address]

MAC address table manipulation

asa# show mac-address-table

asa(config)# mac-address-table aging-time minutes

asa(config)# mac-address-table static logical_if_name mac_address

asa(config)# mac-learn logical_if_name disable

Ether-type ACL (non-IP traffic)

asa(config)# access-list ACL_ID ethertype {deny | permit} {ipx | bpdu | mpls-unicast | mpls-multicast | any | hex_#_of_protocol} [log]

ARP Inspection

asa(config)# arp-inspection logical_if_name enable [flood | no-flood]

asa(config)# arp logical_if_name IP_address MAC_address

asa# show arp-inspection

asa# show arp
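Putting the commands above together, the following is a minimal transparent-mode configuration added here as an example; it is not from the original post, and the interface names, addresses, VLANs and MAC addresses in it are made up.

```cisco
! Added example, not from the original post. Names, addresses and MACs are made up.
firewall transparent
hostname asa
!
! Only two interfaces are supported in transparent mode. Both plug into the
! same switch here, so their switch ports sit in separate VLANs (e.g. 10 and 20)
! to keep traffic from bypassing the ASA through the switch.
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100
!
! Management IP for the bridged segment; inside and outside share one subnet
! because the ASA does not route in this mode.
ip address 192.168.10.2 255.255.255.0
!
! Non-IP frames (EtherType below 0x600) are dropped unless an EtherType ACL
! permits them. Permit BPDUs so the switches' STP can still detect a loop that
! runs through the ASA, since the ASA itself takes no part in STP. The ACL is
! connectionless, so it is applied inbound on both interfaces.
access-list NONIP ethertype permit bpdu
access-group NONIP in interface outside
access-group NONIP in interface inside
!
! Static ARP entries are the reference that ARP inspection checks against:
! an ARP packet whose IP/MAC/interface disagrees with an entry is dropped.
! "no-flood" additionally drops ARP packets for hosts with no static entry
! instead of flooding them out the other interface.
arp inside 192.168.10.10 0011.2233.4455
arp outside 192.168.10.1 0011.2233.6677
arp-inspection inside enable no-flood
arp-inspection outside enable flood
!
! Pin the inside host's MAC so a learned entry cannot displace it, and age
! dynamic entries out of the bridge table faster (value is in minutes).
mac-address-table static inside 0011.2233.4455
mac-address-table aging-time 10
!
! Verification, from exec mode:
!   show firewall
!   show mac-address-table
!   show arp-inspection
!   show arp
```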

ASA - sequence of matching translation policy

 

1. Existing translation in xlate slot of translation table

2. best-match of NAT 0 (NAT exemption)

3. best-match of static NAT

4. best-match of static PAT

5. Policy NAT

6. General NAT

7. Drop if none of the above match.