This had been answered some time ago:
http://www.onlinestudylist.com/archives/ccie_security/2011-July/027319.html

Here it goes:

2011/7/12 Peter Debye <pdebye at gmail.com>

> On a classical transparent bridge neither IP address would be needed
> to pass traffic.
> But Cisco ASA uses somewhat special handling for unknown destination
> unicast flooding: if the destination MAC is not in the table then the ASA
> ARPs and pings for the destination IP to find out which interface to send
> the frame out of. For this some IP is needed, and therefore it must be
> configured.
> Also, in multi-context mode the IP of each context is used to classify
> incoming frames.
>
> I can argue, however, that ARPing and pinging is probably not the best
> solution:
>   -- what about the non-IP frames?
>   -- since the transparent FW can only have two interfaces (ports), what
> could be the problem with sending the unknown MAC frame out the other
> interface always, like a classical 2-port transparent bridge would do?
>
> P.
> ==================================
>
> > On Tue, Jul 12, 2011 at 4:09 PM, Piotr Matusiak <piotr at howto.pl> wrote:
> >
> >> Let me ask a tricky question then:
> >> What if I configure an IP address on the m0/0 interface and use it for
> >> management?
> >> Is configuring an IP address in global config mode still required?
> >>
> >> Regards,
> >> Piotr
> >>
>
=========================================================

Date: Wed, 28 Mar 2012 13:42:24 +0000
From: Ben Shaw <[email protected]>
To: CCIE Study List <[email protected]>
Subject: Re: [OSL | CCIE_Security] ASA Transparent FW - System vs
        Management IP
Message-ID: <[email protected]>
Content-Type: text/plain; charset="iso-8859-1"


Can anyone give me more information on why an ASA in transparent mode
uses two IP addresses (global and management) when a layer 2 switch
gets by with only one for its management tasks? Is the second IP address
required for some additional functionality on the ASA? I mean, an ASA
in Routed mode does not need more IP addresses than a router for its
management, so why does a transparent firewall need more IP addresses
than a switch?

From: [email protected]
To: [email protected]
CC: [email protected]
Subject: RE: [OSL | CCIE_Security] ASA Transparent FW - System vs Management IP
Date: Mon, 26 Mar 2012 07:44:54 +0000

Thanks Marta,

the design just seems a bit bizarre to me. I had an understanding of
what the System IP was for but was wondering why it needed to be done like
that.

I mean, the System IP address effectively places an IP address on
the same layer 2 broadcast domain as the networks being bridged,
making the ASA reachable from hosts on either side of the transparent
firewall. I don't know why one would need, let alone want, this to be the
case, especially considering the fact that the ASA has another IP address
for the management interface, which should be on a separate OOB
management network.

Why wouldn't the firewall just use the management interface/IP address,
which can then be connected to a dedicated management network, as the
source for AAA, syslog etc.? I suppose I am comparing it with the
operation of a Layer 2 switch, which bridges layer 2 networks but has
one Layer 3 IP address for its management interface. There is no need
for a second layer 3 address on a layer 2 switch for management
purposes; the single layer 3 address is sufficient for all management
requirements such as SSH, AAA, Syslog, SNMP etc.

When compared in this way to a layer 2 switch, I just don't see why
the ASA needs two IP addresses for management when in transparent mode,
when it can all be done with one from what I can see.

Any thoughts on this?

Thanks

Date: Mon, 26 Mar 2012 09:22:11 +0200
Subject: Re: [OSL | CCIE_Security] ASA Transparent FW - System vs Management IP
From: [email protected]
To: [email protected]
CC: [email protected]

Having a System IP address is a must for a transparent FW configuration on
Cisco ASA. Additionally, you can configure the Management interface as a
dedicated management interface, but to my knowledge Cisco ASA will not
use its address instead of the System IP address. The security appliance
uses the System IP address as the source address for packets that
originate on the security appliance, such as system messages or AAA
communications. The Management interface will be a management-only
interface.

Marta Sokolowska.

2012/3/26 Ben Shaw <[email protected]>


Hi All

can someone explain to me the difference between the System IP and
Management IP address when configuring an ASA as a transparent
firewall?

I can't see why the firewall would need a System IP address configured
with the global command below:

TRANFW(config)# ip address global_ip_add subnet_mask

when the firewall already has a Management IP address configured with
the commands below:

TRANFW(config)# interface Management0/0
TRANFW(config-if)#  nameif MGMT
TRANFW(config-if)#  security-level 100
TRANFW(config-if)#  ip address mgmt_ip_add subnet_mask

The management IP defined on Management0/0 allows me to SSH to the
device via the management network, so why is there a need for a global
IP address, which, when configured, is applied to both interfaces paired
for transparent firewalling, as shown below:

TRANFW(config)# sh int ip brief
Interface             IP-Address      OK? Method Status                Protocol
Ethernet0/0           global_ip_add   YES unset  up                    up
Ethernet0/1           global_ip_add   YES unset  up                    up
Ethernet0/2           unassigned      YES unset  administratively down up
Ethernet0/3           unassigned      YES unset  administratively down up
Management0/0         mgmt_ip_add     YES manual up                    up

Any information on why both of these are required would be appreciated, as
the firewall will not pass traffic until it is defined with a Global
IP address.


Thanks
Simon
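To make the explanation quoted at the top of the thread concrete, here is an added toy simulation (not code from the list or from Cisco) that contrasts a classical two-port bridge, which floods an unknown unicast out the other port, with the ASA-style behaviour Peter describes: probe for the destination IP on each interface, sourced from the System IP, and forward where the owner answers. The topology, MACs and IPs are constructed for the example; the point it shows is that without a System IP the appliance has nothing to source the probe from, so the frame cannot be forwarded.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    dst_ip: str          # IP carried in the frame's payload

@dataclass
class TwoPortBridge:
    # Constructed "network": host MAC -> (host IP, interface the host sits behind).
    hosts: Dict[str, Tuple[str, str]]
    system_ip: Optional[str] = None      # ASA global/System IP; None = none configured
    mac_table: Dict[str, str] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def classic_forward(self, frame: Frame, in_iface: str) -> Optional[str]:
        """Classical bridge: an unknown unicast is simply sent out the other port."""
        out = self.mac_table.get(frame.dst_mac)
        if out is None:
            out = "outside" if in_iface == "inside" else "inside"
            self.log.append(f"flood {frame.dst_mac} out {out}")
        return out

    def asa_forward(self, frame: Frame, in_iface: str) -> Optional[str]:
        """ASA-style (as described in the thread): probe for the destination IP
        on each interface and forward where the owner answers."""
        out = self.mac_table.get(frame.dst_mac)
        if out is not None:
            return out
        if self.system_ip is None:
            # An ARP request / ping must carry a sender IP; with none configured
            # the appliance cannot probe, which is why traffic does not pass.
            self.log.append(f"drop {frame.dst_mac}: no System IP to source probe")
            return None
        for iface in ("inside", "outside"):
            self.log.append(f"ARP who-has {frame.dst_ip} tell {self.system_ip} out {iface}")
            for mac, (ip, host_iface) in self.hosts.items():
                if ip == frame.dst_ip and host_iface == iface:
                    self.mac_table[mac] = iface   # the reply reveals the egress port
                    return iface
        self.log.append(f"drop {frame.dst_mac}: no reply to probe")
        return None

# Constructed topology: host A behind inside, host B behind outside.
HOSTS = {"aa:aa:aa:aa:aa:aa": ("10.0.0.10", "inside"),
         "bb:bb:bb:bb:bb:bb": ("10.0.0.20", "outside")}
A_TO_B = Frame("aa:aa:aa:aa:aa:aa", "bb:bb:bb:bb:bb:bb", "10.0.0.20")
```

Once the probe has been answered the MAC is learned, so later frames to the same destination are forwarded from the table without probing again.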