It is working perfectly with the same VLAN ID (e.g. 1) on the Inside and Outside.

From: Jason Madsen [mailto:[email protected]]
Sent: 02 September 2012 03:10 AM
To: Fawad Khan
Cc: Steven van Jaarsveld; ccie_security
Subject: Re: [OSL | CCIE_Security] Transparent Firewall With IPS

Should be different on ASAs too. That's what I meant by unique on each 
interface, e.g. VLAN 4 on inside and 94 on outside.

Sent from my iPhone


On Sep 1, 2012, at 5:42 PM, Fawad Khan <[email protected]> wrote:
So here is the thing: I just deployed a "virtual wire" Palo Alto Networks next-gen 
firewall, and that does require different VLANs for traffic to pass through. I 
must have mixed the two concepts.
Sorry guys.

On Saturday, September 1, 2012, Steven van Jaarsveld wrote:
Same VLAN on both Interfaces (Inside and Outside)

From: Fawad Khan [mailto:[email protected]]
Sent: 02 September 2012 01:36 AM
To: Steven van Jaarsveld
Cc: Jason Madsen; ccie_security
Subject: Re: [OSL | CCIE_Security] Transparent Firewall With IPS

Unique VLAN or different? I thought we needed different VLANs for traffic to pass 
through.

On Saturday, September 1, 2012, Steven van Jaarsveld wrote:

Hi All

This is working now. I rechecked the switch interfaces, and the interface 
connecting to the "Inside" interface of the Transparent FW was configured as a 
trunk. Changed this to an access port and traffic is passing through the 
Transparent FW now. Sending this email whilst connected to the LAN and going 
through both the Routed FW and the Transparent FW.

Thanks for all the advice

Regards

Steven

From: Jason Madsen [mailto:[email protected]]
Sent: 02 September 2012 12:58 AM
To: Steven van Jaarsveld
Cc: ccie_security
Subject: Re: [OSL | CCIE_Security] Transparent Firewall With IPS

You need a unique VLAN on the FW on IN and OUT.

Jason

Sent from my iPhone

On Sep 1, 2012, at 4:02 PM, Steven van Jaarsveld <[email protected]> wrote:

Hi List

I am trying to implement an ASA5520 with an AIP-SSM-20 IPS module in 
transparent mode between an existing Cisco ASA FW that performs NAT and the 
client's Internet router. The reason the customer wants the IPS here is to scan 
the traffic that is destined for the Web Production DMZ. I have configured the 
ASA5520 with an IP address in the same subnet as the subnet between the 
Internet router and the existing ASA, but I am not getting any joy with passing 
traffic through the FW. I have disabled the IPS for now. Below is a diagram; 
the ASA configuration is attached.

<image003.png>

Regards

Steven


--
FNK, CCIE Security#35578
_______________________________________________
For more information regarding industry leading CCIE Lab training, please visit 
www.ipexpert.com

Are you a CCNP or CCIE and looking for a job? Check out 
www.PlatinumPlacement.com
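For reference, the working arrangement the thread converges on, written out as an added example (this is not the configuration Steven attached, and it is not quoted from any participant). It assumes ASA 8.4 or later bridge-group syntax, interface names Gi0/0 and Gi0/1, VLAN 4 on the switch, addresses from the 203.0.113.0/29 documentation range for the transit subnet and a made-up DMZ range for the IPS match; all of those are placeholders. The point the thread settles on is that, with no subinterfaces on the ASA, its inside and outside ports expect untagged frames, so the adjacent switch ports must be access ports in the same VLAN (a trunk sends tagged frames for every VLAN except the native one, and the ASA does not bridge them). The bridge-group needs one management address on the transit subnet; the ASA itself is not a hop, so the existing routed ASA and the Internet router keep each other as next hop. The IPS policy shown is the inline fail-open form Steven would re-enable once traffic passes.

```cisco
! ---- Transparent ASA5520 (assumed 8.4+ syntax; names and addresses are placeholders)
firewall transparent
hostname TFW
!
interface GigabitEthernet0/0
 description to Internet router (switch access port, VLAN 4)
 nameif outside
 bridge-group 1
 security-level 0
!
interface GigabitEthernet0/1
 description to existing routed ASA (switch access port, VLAN 4)
 nameif inside
 bridge-group 1
 security-level 100
!
! One management address for the bridge group, on the transit subnet that the
! routed ASA (assumed .2) and the Internet router (assumed .1) already share.
interface BVI1
 ip address 203.0.113.3 255.255.255.248
!
! Transparent mode forwards ARP by default but drops non-IP frames unless an
! EtherType ACL permits them; BPDUs are the usual one to allow so the switches
! on either side still see each other's spanning tree.
access-list L2_PASS ethertype permit bpdu
access-group L2_PASS in interface inside
access-group L2_PASS in interface outside
!
! Inbound IP policy: only what the customer publishes in the Web Production DMZ
! (assumed range 203.0.113.64/27, post-NAT as seen from the Internet side).
access-list OUTSIDE_IN extended permit tcp any 203.0.113.64 255.255.255.224 eq 80
access-list OUTSIDE_IN extended permit tcp any 203.0.113.64 255.255.255.224 eq 443
access-group OUTSIDE_IN in interface outside
!
! IPS (AIP-SSM) inline on traffic to the DMZ; fail-open keeps traffic flowing if
! the module stops responding. Remove the "ips" line to disable scanning again.
access-list IPS_SCAN extended permit ip any 203.0.113.64 255.255.255.224
class-map IPS_DMZ
 match access-list IPS_SCAN
policy-map global_policy
 class IPS_DMZ
  ips inline fail-open
service-policy global_policy global

! ---- Adjacent IOS switch ports (assumed interface numbers); access, not trunk
interface GigabitEthernet1/0/11
 description to TFW Gi0/1 (inside side)
 switchport mode access
 switchport access vlan 4
 spanning-tree portfast
!
interface GigabitEthernet1/0/12
 description to TFW Gi0/0 (outside side)
 switchport mode access
 switchport access vlan 4
 spanning-tree portfast
```

To confirm the box is actually bridging rather than being bypassed, `show firewall` should report transparent mode, `show bridge-group 1` should list both members, and `show mac-address-table` should show the routed ASA's MAC learned on inside and the Internet router's MAC learned on outside. If both MACs appear on the same interface, the switch is still forwarding around the firewall. Note the caveat Jason raises: if the two ASA ports land on the same switch in the same VLAN, the switch forwards inside-to-outside directly and the firewall is skipped; in that case put the two sides in different VLANs (or use ASA subinterfaces with distinct VLAN IDs) so the only path between them is through the bridge group.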