Configuring ASA5550 in Transparent to pass Blue Coat Traffic

Mar 10th, 2010

I am trying to add a Cisco ASA 5550 running in Transparent mode between the outside router and the Blue Coat. The Blue Coat is also running in pass-through mode. Whenever I add the ASA, traffic stops flowing. I have the inside interface going to the WAN interface on the Blue Coat and the outside interface going to the router. I captured some log information from the ASA while connected for a few minutes. We are using NAT on the router, so the 10.0.0.3 address you see is the Blue Coat, if that helps. Any help is appreciated.

Federico Coto F... Wed, 03/10/2010 - 09:38

Hi,

If you have the ASA configured in transparent mode, you need to configure ACLs to specify the traffic that you wish to permit through the ASA.

Do you have those ACLs in place and properly configured?

Federico.

Kureli Sankar Wed, 03/10/2010 - 19:45

Looking at the logs, it appears that the Blue Coat is going out to the internet via a different path than the ASA, and the response traffic from the internet is coming to the outside interface of the router and the ASA is dropping these packets.

Is this the topology?

B.Coat(10.0.0.3)-----(inside)TFW(ASA)(outside)---Router ---Internet

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4768860

-KS

gdrandles Thu, 03/11/2010 - 02:36

The topology is from bottom (inside network) to Internet (outside):

Cisco 3750 switch Fa 1/0/24 (out) --> (in) Blue Coat LAN ---> (out) Blue Coat WAN --> (in) ASA 5550 Gig 0/0 (nameif inside) --> (out) ASA 5550 Gig 1/0 (nameif outside) --> (in) Cisco 3845 Fa 0/0 --> (out) Cisco 3845 Fa 0/1 --> RF Modem --> ISP

gdrandles Thu, 03/11/2010 - 02:32

I do not currently have any additional ACLs in place other than the defaults when you create the inside/outside interfaces. I wouldn't know where to start, as security is new to me. I am primarily a L2 implementor.

Kureli Sankar Thu, 03/11/2010 - 06:40

Best thing to do is captures on the ASA to make sure the requests and the responses go through the ASA.

What code is the ASA running? If it is running 7.2.4 or above, you can use the match keyword in the capture lines.

cap capin int inside match ip any ho 10.0.0.3

cap capout int outside match ip any ho 10.0.0.3

This will collect bi-directional captures and you can do

sh cap capin

sh cap capout

If you do not run a code that supports the match keyword, then use this link to collect captures: https://supportforums.cisco.com/docs/DOC-1222;jsessionid=A11197443F5D79D04565C4331EFA5806.node0

and make sure the SYN is seen on the inside and leaves the outside interface towards the internet, and the SYN-ACK arrives on the outside interface destined to this 10.0.0.3 host.

-KS
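The check KS describes (SYN seen on inside and outside, SYN-ACK seen on outside and then inside) can be automated once the two "show capture" outputs are saved to text. The script below is an added example, not code from the thread or from Cisco: it parses the tcpdump-style lines the ASA prints for "show capture", correlates TCP handshakes between the inside and outside captures, and classifies each flow as symmetric, asymmetric (reply arrives on outside but the request never crossed the ASA, the case KS suspects), or dropped inside the box. The capture lines, addresses and ports are constructed sample data, and the exact line layout is assumed to match the ASA output format.

```python
import re
from dataclasses import dataclass

# Constructed sample "show capture" output (not from the thread's attachments).
# Format assumed: "<n>: <time> <src>.<sport> > <dst>.<dport>: <flags> <seq info> [ack N] win ..."
CAPIN = """\
1: 09:38:12.100123 10.0.0.3.1025 > 198.51.100.10.80: S 3050192587:3050192587(0) win 65535 <mss 1460>
2: 09:38:12.130987 198.51.100.10.80 > 10.0.0.3.1025: S 1653437631:1653437631(0) ack 3050192588 win 5840 <mss 1380>
3: 09:38:12.210456 10.0.0.3.1027 > 198.51.100.30.22: S 444444444:444444444(0) win 65535 <mss 1460>
"""
CAPOUT = """\
1: 09:38:12.100789 10.0.0.3.1025 > 198.51.100.10.80: S 3050192587:3050192587(0) win 65535 <mss 1460>
2: 09:38:12.130321 198.51.100.10.80 > 10.0.0.3.1025: S 1653437631:1653437631(0) ack 3050192588 win 5840 <mss 1380>
3: 09:38:12.320654 198.51.100.20.443 > 10.0.0.3.1026: S 222222222:222222222(0) ack 111111112 win 5840 <mss 1380>
"""

PKT_RE = re.compile(
    r"^\s*\d+:\s+(?P<ts>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFRP.]+)\s+(?P<rest>.*)$"
)
ACK_RE = re.compile(r"\back\s+\d+")


@dataclass
class FlowEvidence:
    """Which handshake packets were seen on which interface."""
    syn_inside: bool = False
    syn_outside: bool = False
    synack_outside: bool = False
    synack_inside: bool = False


def parse_capture(text):
    """Return (kind, flow_key) for every TCP SYN or SYN-ACK in a capture.

    kind is "syn" or "synack"; flow_key is (client_ip, client_port, server_ip, server_port),
    so both directions of one connection map to the same key.
    """
    events = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m or "S" not in m.group("flags"):
            continue  # not a TCP line, or not part of the handshake
        src = (m.group("src"), int(m.group("sport")))
        dst = (m.group("dst"), int(m.group("dport")))
        if ACK_RE.search(m.group("rest")):
            events.append(("synack", dst + src))  # reply: client is the destination
        else:
            events.append(("syn", src + dst))     # request: client is the source
    return events


def correlate(capin, capout):
    """Merge inside and outside captures into per-flow evidence."""
    flows = {}
    for iface, text in (("inside", capin), ("outside", capout)):
        for kind, key in parse_capture(text):
            ev = flows.setdefault(key, FlowEvidence())
            setattr(ev, f"{kind}_{iface}", True)
    return flows


def diagnose(ev):
    """Map the evidence for one flow to a human-readable verdict."""
    if ev.syn_inside and ev.syn_outside and ev.synack_outside and ev.synack_inside:
        return "symmetric: request and reply both traverse the ASA"
    if ev.synack_outside and not (ev.syn_inside or ev.syn_outside):
        return "asymmetric: SYN-ACK hit outside but no SYN crossed the ASA (request took another path, ASA will drop the reply)"
    if ev.syn_inside and not ev.syn_outside:
        return "outbound SYN dropped by the ASA: check ACLs and interface state"
    if ev.syn_outside and ev.synack_outside and not ev.synack_inside:
        return "inbound SYN-ACK dropped by the ASA"
    if ev.syn_outside and not ev.synack_outside:
        return "no reply from the internet: problem is beyond the outside interface"
    return "incomplete evidence"


def report(capin, capout):
    """Return {flow_key: verdict} for every handshake seen in either capture."""
    return {key: diagnose(ev) for key, ev in correlate(capin, capout).items()}


if __name__ == "__main__":
    for key, verdict in report(CAPIN, CAPOUT).items():
        print(f"{key[0]}:{key[1]} -> {key[2]}:{key[3]}  {verdict}")
```

Feed it the real captures by replacing CAPIN and CAPOUT with the saved "sh cap capin" and "sh cap capout" text; a flow classified as asymmetric is the signature of the path problem KS describes, and the ASA syslog link above gives the matching drop message.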
