Configuring ASA5550 in Transparent to pass Blue Coat Traffic

gdrandles
Level 1

I am trying to add a Cisco ASA 5550 running in Transparent mode between the outside router and the Blue Coat. The Blue Coat is also running in pass-through mode. Whenever I add the ASA, traffic stops flowing. I have the inside interface set going to the WAN interface on the Blue Coat and the outside interface set going to the router. I captured some log information from the ASA while connected for a few minutes. We are using NAT on the router, so the 10.0.0.3 address you see is to the Blue Coat, if that helps. Any help is appreciated.

5 Replies

Hi,

If you have the ASA configured in transparent mode, you need to configure ACLs to specify the traffic that you wish to permit through the ASA.

Do you have those ACLs in place and properly configured?

Federico.

Looking at the logs, it appears that the Blue Coat is going out to the internet via a different path besides the ASA, and the response traffic from the internet is coming to the outside interface of the router and the ASA is dropping these packets.

Is this the topology?

B.Coat(10.0.0.3)-----(inside)TFW(ASA)(outside)---Router ---Internet

http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4768860

-KS

The topology is from bottom (inside network) to Internet (outside):

Cisco 3750 switch Fa 1/0/24 (out) --> (in) Blue Coat LAN ---> (out) Blue Coat WAN --> (in) ASA 5550 Gig 0/0 (nameif inside) --> (out) ASA 5550 Gig 1/0 (nameif outside) --> (in) Cisco 3845 Fa 0/0 --> (out) Cisco 3845 Fa 0/1 --> RF Modem --> ISP

I do not currently have any additional ACLs in place other than the defaults when you create the inside/outside interfaces. I wouldn't know where to start as security is new to me. I am primarily a L2 implementor.

Best thing to do is captures on the ASA to make sure the requests and the response go through the ASA.

What code is the ASA running? If it is running 7.2.4 or above, you can use the match keyword in the capture lines.

cap capin int inside match ip any ho 10.0.0.3

cap capout int outside match ip any ho 10.0.0.3

This will collect bi-directional captures and you can do

sh cap capin

sh cap capout

If you do not run a code that supports the match keyword, then use this link to collect captures: https://supportforums.cisco.com/docs/DOC-1222;jsessionid=A11197443F5D79D04565C4331EFA5806.node0

Make sure the SYN is seen on the inside and it leaves the outside interface towards the internet, and that the SYN-ACK arrives on the outside interface destined to this 10.0.0.3 host.

-KS
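The check -KS describes (SYN seen on inside, SYN leaves outside, SYN-ACK arrives on outside and is forwarded back inside) can be done by eye on two short captures, but it is easy to automate when the captures are long. The script below is an added example and is not from any of the posters or from Cisco: it parses the text of "sh cap capin" and "sh cap capout", looks for the 10.0.0.3 host's SYN and SYN-ACK packets on each interface, and names the failure pattern. The packet line layout it expects ("1: 14:21:02.354893 10.0.0.3.51234 > 198.51.100.10.80: S ... win ...") is an assumption about the ASA's show capture output; the sample captures inside the script are constructed, not taken from the thread.

```python
"""Check one host's TCP handshake across ASA 'show capture' output from both interfaces.

Added example, not from the thread. Assumes the ASA prints one packet per line as
   <n>: <time> <src>.<sport> > <dst>.<dport>: <flags> [seq(len)] [ack N] win ...
Adjust PKT_RE if the software on the box formats lines differently.
"""
import re
from dataclasses import dataclass

PKT_RE = re.compile(
    r"^\s*\d+:\s+(?P<time>\S+)\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+):\s+"
    r"(?P<flags>[SFPR.]+)(?P<rest>.*)$"
)


@dataclass
class Packet:
    src: str
    dst: str
    syn: bool   # 'S' in the flags field
    ack: bool   # an 'ack N' token follows the flags (SYN-ACK when syn is also set)


def parse_capture(text: str) -> list[Packet]:
    """Return the TCP packets in 'show capture' output; summary lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue  # "N packets captured" / "N packets shown" / blank lines
        pkts.append(Packet(src=m["src"], dst=m["dst"],
                           syn="S" in m["flags"], ack=" ack " in m["rest"]))
    return pkts


def handshake_report(capin: str, capout: str, host: str) -> dict:
    """Four yes/no checks for the host's outbound connections, per interface capture."""
    inside, outside = parse_capture(capin), parse_capture(capout)

    def seen(pkts, from_host, want_synack):
        # SYN: syn set, no ack, sourced by host.  SYN-ACK: syn+ack, addressed to host.
        return any(p.syn and p.ack == want_synack
                   and (p.src == host if from_host else p.dst == host)
                   for p in pkts)

    return {
        "syn_on_inside": seen(inside, True, False),
        "syn_on_outside": seen(outside, True, False),
        "synack_on_outside": seen(outside, False, True),
        "synack_on_inside": seen(inside, False, True),
    }


def diagnose(r: dict) -> str:
    """Map the four checks to the failure pattern a firewall engineer would look for."""
    if all(r.values()):
        return "symmetric: handshake crosses the ASA in both directions"
    if not r["syn_on_inside"] and r["synack_on_outside"]:
        return ("asymmetric: SYN-ACK reaches the outside interface but the SYN never "
                "entered inside, so the ASA has no connection and drops the reply")
    if r["syn_on_inside"] and not r["syn_on_outside"]:
        return "SYN dropped inside the ASA: check the interface ACLs and syslog"
    if r["syn_on_outside"] and not r["synack_on_outside"]:
        return "no reply from upstream: problem is on the router/ISP side"
    if r["synack_on_outside"] and not r["synack_on_inside"]:
        return "SYN-ACK dropped by the ASA on the way back in"
    return "no SYN or SYN-ACK for the host seen on either interface"


# Constructed sample captures (not real output from the poster's ASA).
HOST = "10.0.0.3"
GOOD_CAP = """2 packets captured
   1: 14:21:02.354893 10.0.0.3.51234 > 198.51.100.10.80: S 100:100(0) win 65535 <mss 1460>
   2: 14:21:02.401220 198.51.100.10.80 > 10.0.0.3.51234: S 900:900(0) ack 101 win 14600 <mss 1460>
2 packets shown
"""
EMPTY_CAP = "0 packet captured\n0 packet shown\n"
RETURN_ONLY_CAP = """1 packet captured
   1: 14:21:02.401220 198.51.100.10.80 > 10.0.0.3.51234: S 900:900(0) ack 101 win 14600 <mss 1460>
1 packet shown
"""


def main() -> None:
    for label, capin, capout in (("healthy", GOOD_CAP, GOOD_CAP),
                                 ("asymmetric", EMPTY_CAP, RETURN_ONLY_CAP)):
        report = handshake_report(capin, capout, HOST)
        print(f"{label}: {report}\n  -> {diagnose(report)}")


if __name__ == "__main__":
    main()
```

Paste the real "sh cap capin" and "sh cap capout" text into capin and capout and the second scenario above is exactly the one -KS suspects from the logs: return traffic hitting the outside interface with no matching SYN ever seen on the inside.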
