Hello everyone. I know I’ve been neglecting this blog for too long. Can’t promise that things are going to change, but I have a good post for today.

I was recently exposed to some new technology while working with a customer. I had to learn it pretty quickly. This post is about a new feature in the Cisco ASA 8.4 code called Bridge Groups. This is essentially the addition of BVI interfaces, which have existed in IOS forever. This feature is useful when running an ASA transparently, but not physically inline. Running a firewall physically inline works well, but it can limit you to the number of available interfaces you have on each firewall. Adding physical interfaces to a firewall is expensive. This feature also saves you from using a context per firewalled VLAN on your ASA. Here we’ll use a 3750 for physical connectivity and use BVIs to force traffic through the firewall. Here is the physical topology:

I’m trying to convey quite a bit of information with this diagram. We have a layer 3 switch as the “core” and an ASA 5505 trunked to it. We have two hosts, PC1 and Server which are in VLAN 50 and VLAN 25, respectively. VLAN 26 is only for management of the ASA. VLAN 50 (and 2050) is where we’ll focus for this post. I’m going to start with the config here as I think it will make more sense when I try to explain.

3750 Config:

vlan 25
 name Servers
 
vlan 50
 name L2_Firewalled_Vlan50
 
vlan 2050
 name L3_Firewalled_Vlan50
 
interface GigabitEthernet1/0/5
 description ASA Inside
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 26,50
 switchport mode trunk
 spanning-tree portfast
 
interface GigabitEthernet1/0/7
 description ASA Outside
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2050
 switchport mode trunk
 spanning-tree portfast
 
interface Vlan25
 description Servers-Media
 ip address 192.168.25.1 255.255.255.0
 
interface Vlan2050
 ip address 192.168.50.1 255.255.255.0

This config is pretty basic. We have created some VLANs, configured some trunks and SVIs, etc. The key thing to notice here is that there is no L3 for VLAN 50, the L3 for PC1 exists in VLAN 2050.

ASA Config:

firewall transparent
 
interface Ethernet0/1
 switchport trunk allowed vlan 26,50
 switchport mode trunk
 
interface Ethernet0/2
 switchport trunk allowed vlan 2050
 switchport mode trunk
 
interface Vlan26
 nameif management
 bridge-group 2
 security-level 100
 
interface BVI2
 ip address 192.168.26.5 255.255.255.0 
 
interface Vlan50
 nameif inside
 bridge-group 1
 security-level 100
 
interface Vlan2050
 nameif outside
 bridge-group 1
 security-level 0
 
interface BVI1
 ip address 1.1.1.1 255.255.255.0
 
access-list inside-in extended permit ip any any
 
access-group inside-in in interface inside
 
route management 0.0.0.0 0.0.0.0 192.168.26.1

This is where the magic happens. First, we configure the firewall in transparent mode, then we configure out interfaces and allow the necessary VLANs, 50 and 26 (management) on the e0/1, which is the “inside” interface, and 2050 on e0/2, which is the “outside” interface. We then configure VLAN 26 for management and add it to bridge group 2, which has an IP and default route configured at the bottom, again, this is for management only. Then we configure VLANs 50 and 2050 with 50 as inside and 2050 as outside. Both VLANs are in bridge group 1. In my testing it appears that the BVI interface REQUIRES an IP address to pass traffic, but which IP you pick seems irrelevant, so I’ve used 1.1.1.1/24 here. Finally we have our inside-in access-list allowing any to any and we’ve applied it to the inside interface inbound.

Hopefully this is beginning to make sense. Essentially, all PC1 traffic destined outside of its subnet will traverse the firewall. When PC1 initiates traffic outside of its subnet, it will ARP for its gateway, which will begin on VLAN 50, then be bridged through the firewall to VLAN 2050. The 3750 will reply on 2050 which will be sent back to 50. All L3 traffic should flow this way. I’ve tried to make a diagram to show the flow:

Let’s do some testing:

C:\Users\PC1>telnet 192.168.25.10 22
SSH-2.0-OpenSSH_5.2
Protocol mismatch.
Connection to host lost.
C:\Users\PC1>

Here we see that SSH is open from PC1 to Server.

Now let’s break that connectivity:

ASA(config)# access-list inside-in extended deny tcp any host 192.168.25.10 eq ssh
ASA(config)# no access-list inside-in extended permit ip any any
ASA(config)# access-list inside-in extended permit ip any any
 
ASA(config)# sh run access-list inside-in
access-list inside-in extended deny tcp any host 192.168.25.10 eq ssh
access-list inside-in extended permit ip any any

We added a deny statement for anything originating from the inside destined to TCP port 22 on Server and we allow everything else. We have verified that the ACL is correct.

Let’s test again:

C:\Users\PC1>telnet 192.168.25.10 22
Connecting To 192.168.25.10...Could not open connection to the host, on port 22: Connect failed
 
C:\Users\PC1>

The results are rather anti-climactic. The session just does not work.

It looks a bit more interesting on the ASA:

ASA# sh logg
%ASA-4-106023: Deny tcp src inside:192.168.50.100/49198 dst outside:192.168.25.10/22 by access-group "inside-in"
%ASA-4-106023: Deny tcp src inside:192.168.50.100/49198 dst outside:192.168.25.10/22 by access-group "inside-in"
%ASA-4-106023: Deny tcp src inside:192.168.50.100/49198 dst outside:192.168.25.10/22 by access-group "inside-in"

We see the session being denied on the ASA as expected.

That’s about it for this one. We can now run our transparent firewalls through an intermediate switch and we’re also able to run multiple VLANs through a transparent firewall without using up contexts. All we need to do to allow more VLANs to be firewalled is create the L2/L3 on the switch, add the VLANs to the trunks and configure the ASA with the appropriate SVIs and bridge groups (and ACLs). Hope this was useful.

Disclaimer: This is a very new feature to me. It’s working well in the lab, but please let me know if I have anything wrong or there is a better way to accomplish something.

Colby

Colby Glass has been in IT since 2002. He is currently a Systems Engineer (presales) with a Cisco Gold partner and holds the CCNP R/S, CCNP DC, CCDP, CCIP, JNCIA-ER.

More Posts