Hi Peter

thanks for the clarification. Your message does explain three things for me:

1. Why the firewall will not forward packets without the global IP defined
2. Why often the first ping to a host for which the ASA does not have the MAC
address times out - the ASA is itself ARPing and pinging for the host
3. Why the global IP needs to be configured on the same subnet as the bridged 
networks

From what I have read and been told, however, the global IP is also used
as a source address for AAA, syslog, etc., which didn't make much sense to
me personally when I would have thought the IP address applied to the
Management interface had this role. From your knowledge, is the global IP used
for any management tasks at all?

Thanks
Simon

> Date: Wed, 28 Mar 2012 16:42:26 +0200
> Subject: ASA Transparent FW - System vs Management IP
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> 
> This had been answered some time ago:
> http://www.onlinestudylist.com/archives/ccie_security/2011-July/027319.html
> 
> Here it goes:
> 
> 2011/7/12 Peter Debye <pdebye at gmail.com>
> 
> > On a classical transparent bridge neither IP address would be needed
> > to pass traffic.
> > But Cisco ASA uses somewhat special handling for unknown destination
> > unicast flooding: if the destination MAC is not in the table then the ASA
> > ARPs and pings for the destination IP to find out which interface to send
> > the frame out of. For this some IP is needed, and therefore it must be
> > configured.
> > Also, in multi-context mode the IP of each context is used to classify
> > incoming frames.
> >
> > I can argue however that ARPing and pinging is probably not the best
> > solution:
> >   -- what about the non-IP frames?
> >   -- since the transparent FW can only have two interfaces (ports), what
> > could be the problem with sending the unknown MAC frame out the other
> > interface always, like a classical 2-port transparent bridge would do?
> >
> > P.
> > ==================================
> >
> > > On Tue, Jul 12, 2011 at 4:09 PM, Piotr Matusiak <piotr at howto.pl> wrote:
> > >
> > >> Let me ask a tricky question then:
> > >> What if I configure an IP address on the m0/0 interface and use it for
> > >> management?
> > >> Is configuring an IP address in global config mode still required?
> > >>
> > >> Regards,
> > >> Piotr
> > >>
> >
> =========================================================
> 
> Date: Wed, 28 Mar 2012 13:42:24 +0000
> From: Ben Shaw <[email protected]>
> To: CCIE Study List <[email protected]>
> Subject: Re: [OSL | CCIE_Security] ASA Transparent FW - System vs Management IP
> Message-ID: <[email protected]>
> Content-Type: text/plain; charset="iso-8859-1"
> 
> 
> Can anyone give me more information on why an ASA in transparent mode
> uses two IP addresses (global and management) when a layer 2 switch
> gets by with only one for its management tasks? Is the second IP address
> required for some additional functionality for the ASA? I mean, an ASA
> in routed mode does not need more IP addresses than a router for its
> management, so why does a transparent firewall need more IP addresses
> than a switch?
> 
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> Subject: RE: [OSL | CCIE_Security] ASA Transparent FW - System vs Management IP
> Date: Mon, 26 Mar 2012 07:44:54 +0000
> 
> Thanks Marta,
> 
> the design just seems a bit bizarre to me. I had an understanding of
> what the System IP was for but wondering why it needed to be done like
> that.
> 
> I mean, the System IP address can effectively place an IP address on
> the same layer 2 broadcast domain as those networks being bridged,
> making the ASA reachable via hosts either side of the transparent
> firewall. I don't know why one would need, let alone want, this to be the
> case, especially considering the fact the ASA has another IP address
> for the management interface which should be on a separate OOB
> management network.
> 
> Why wouldn't the firewall just use the management interface/IP address
> that can then be connected to a dedicated management network for use
> as the source for AAA, syslog etc.? I suppose I am comparing the
> operation of a Layer 2 switch which bridges layer 2 networks but has
> one Layer 3 IP address for its management interface. There is no need
> for a second layer 3 address on a layer 2 switch for management
> purposes; the single layer 3 address is sufficient for all management
> requirements such as SSH, AAA, Syslog, SNMP etc.
> 
> When compared in this way to a layer 2 switch, I just don't see why
> the ASA needs two IP addresses for management when in transparent mode,
> when it can all be done with one from what I can see.
> 
> Any thoughts on this?
> 
> Thanks
> 
> Date: Mon, 26 Mar 2012 09:22:11 +0200
> Subject: Re: [OSL | CCIE_Security] ASA Transparent FW - System vs Management IP
> From: [email protected]
> To: [email protected]
> CC: [email protected]
> 
> Having a System IP address is a must for transparent FW configuration on
> Cisco ASA. Additionally, you can configure the Management interface as a
> dedicated management interface, but to my knowledge Cisco ASA will not
> use its address instead of the System IP address. The security appliance
> uses the System IP address as the source address for packets that
> originate on the security appliance, such as system messages or AAA
> communications. The Management interface will be a management-only
> interface.
> 
> Marta Sokolowska.
> 
> 2012/3/26 Ben Shaw <[email protected]>
> 
> 
> Hi All
> 
> can someone explain to me the difference between the System IP and
> Management IP address when configuring an ASA as a transparent
> firewall?
> 
> I can't see why the firewall would need a System IP address configured
> with the global command below
> 
> 
> TRANFW(config)# ip address global_ip_add subnet_mask
> 
> when the firewall already has a Management IP address configured with
> the command below
> 
> 
> TRANFW(config)# interface Management0/0
> TRANFW(config-if)#  nameif MGMT
> TRANFW(config-if)#  security-level 100
> 
> TRANFW(config-if)#  ip address mgmt_ip_add subnet_mask
> 
> The management IP defined on Management0/0 allows me to SSH to the
> device via the management network, so why is there a need for a global
> IP address which, when configured, is applied to both interfaces paired
> for transparent firewalling, as shown below
> 
> 
> TRANFW(config)# sh int ip brief
> Interface             IP-Address      OK? Method Status                Protocol
> Ethernet0/0           global_ip_add   YES unset  up                    up
> Ethernet0/1           global_ip_add   YES unset  up                    up
> Ethernet0/2           unassigned      YES unset  administratively down up
> Ethernet0/3           unassigned      YES unset  administratively down up
> Management0/0         mgmt_ip_add     YES manual up                    up
> 
> Any information on why both these are required would be appreciated as
> the firewall will not pass traffic until it is defined with a Global
> IP address.
> 
> 
> Thanks
> Simon
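Putting the pieces of the thread together as one configuration, as an added example that is not from any of the posters and is not Cisco documentation: a transparent firewall using the global "ip address" form shown above (pre-bridge-group syntax), with the System IP inside the bridged subnet, the Management0/0 interface marked management-only, and SSH, syslog and AAA tied to the MGMT interface. The interface names, the 10.10.10.0/24 bridged subnet, the 192.0.2.0/24 management subnet and the server addresses are constructed assumptions. Whether the ASA actually sources syslog and AAA from the MGMT address rather than the System IP is exactly the question left open in the thread, so verify it on the release in use before relying on it.

```cisco
! Added example with constructed addresses. Syntax follows the global
! "ip address" form quoted in the thread (transparent mode before bridge groups).
firewall transparent
hostname TRANFW
!
! The two bridged data interfaces carry no IP address of their own.
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Out-of-band management interface on its own subnet. "management-only"
! prevents it from ever being used for transit traffic.
interface Management0/0
 nameif MGMT
 security-level 100
 ip address 192.0.2.5 255.255.255.0
 management-only
 no shutdown
!
! System (global) IP: must be in the subnet being bridged, because the ASA
! ARPs and pings from it when the destination MAC is unknown (per Peter's
! reply). Hosts on both bridged segments can reach this address.
ip address 10.10.10.5 255.255.255.0
!
! Keep the management plane off the bridged segments: SSH is permitted only
! from the management network and only via the MGMT interface, never via
! "inside" or "outside".
ssh 192.0.2.0 255.255.255.0 MGMT
ssh timeout 10
!
! Syslog and AAA servers reached through the MGMT interface (assumed addresses).
logging enable
logging trap informational
logging host MGMT 192.0.2.100
!
aaa-server TACACS protocol tacacs+
aaa-server TACACS (MGMT) host 192.0.2.101
 key <tacacs-shared-secret>
aaa authentication ssh console TACACS LOCAL
```

With this applied, "show interface ip brief" shows the System IP on both bridged interfaces and the management address on Management0/0, matching the output in the original post. The point worth checking in your own deployment is the one Simon raises: the System IP answers on the bridged broadcast domain from either side of the firewall, so no management service should be allowed to listen there.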