Basic Config Transparent mode ASA 5510

Answered Question
Apr 19th, 2012

Hello,

I'm trying to set up my firewall in my network.

The network is very simple.

I have my router in 192.168.16.1 255.255.255.0 (mac-address  58-98-35-2a-4c-39)

I have my switch in 192.168.16.26 255.255.255.0 (mac-address 00-19-99-5d-1f-43)

and I have my firewall ASA between the router and the switch at 192.168.16.250 255.255.255.0 (mac-address 64-9e-f3-ba-28-c9)

So I need to configure 3 interfaces in my ASA.

- OUTSIDE e0/0 (I call it INTERNET)

- INSIDE e0/1 (I call it LAN)

- MANAGEMENT m0/0 (I call it MANAGEMENT)

The management interface is well configured. I enabled HTTP access and I can access my ASDM interface from all my network.

interface Management0/0
 nameif MANAGEMENT
 security-level 0
 ip address 192.168.16.250 255.255.255.0
 management-only
!

Now I would like to plug my firewall into the network.

My router on e0/0 (INTERNET) and my switch on e0/1 (LAN).

I understood that in transparent mode I have to configure the interfaces INTERNET and LAN with a mac-address (ASA 5510).

So I did as follows.

interface Ethernet0/0
 mac-address 5898.352a.4c39
 nameif INTERNET
 security-level 0
!
interface Ethernet0/1
 mac-address 0019.995d.1f43
 nameif LAN
 security-level 100
!

But with this config, when I plug in the firewall, I don't have access to the internet anymore.

What did I do wrong?

Regards,

varrao Thu, 04/19/2012 - 05:33

Hi Jean-Francois,

You don't need the mac-address command in the interface configuration; once you plug in the device, it will learn the ARP entries itself.

Moreover, can you share the complete configuration and also try taking captures to check where the packets are getting dropped:

https://supportforums.cisco.com/docs/DOC-17814

Thanks,

Varun

EIKONLOGISTICS Thu, 04/19/2012 - 05:41

Thank you, I will try taking captures.

See my configuration below.

: Saved
: Written by enable_15 at 14:14:51.684 GMT Thu Apr 19 2012
!
ASA Version 8.4(3)
!
firewall transparent
hostname ciscoasa
domain-name ekonlogistics.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 mac-address 5898.352a.4c39
 nameif INTERNET
 security-level 0
!
interface Ethernet0/1
 mac-address 0019.995d.1f43
 nameif LAN
 security-level 100
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
!
interface Management0/0
 nameif MANAGEMENT
 security-level 0
 ip address 192.168.16.250 255.255.255.0
 management-only
!
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
 domain-name ekonlogistics.com
same-security-traffic permit inter-interface
pager lines 24
logging enable
logging asdm informational
mtu MANAGEMENT 1500
mtu INTERNET 1500
mtu LAN 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.16.250 255.255.255.255 MANAGEMENT
http 192.168.16.0 255.255.255.0 MANAGEMENT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:542cefd98a5a8178cf5ed8e623ea25c8

EIKONLOGISTICS Fri, 04/20/2012 - 05:39

Hi again,

Here is my new configuration without the mac-address. But the internet still doesn't work when I plug in the firewall.

I tried to make a capture but I didn't notice anything...

: Saved
:
ASA Version 8.4(3)
!
firewall transparent
hostname ciscoasa
domain-name ekonlogistics.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 nameif INTERNET
 security-level 0
!
interface Ethernet0/1
 nameif LAN
 security-level 100
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
!
interface Management0/0
 nameif MANAGEMENT
 security-level 0
 ip address 192.168.16.250 255.255.255.0
 management-only
!
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
 domain-name ekonlogistics.com
same-security-traffic permit inter-interface
pager lines 24
logging enable
logging asdm informational
mtu MANAGEMENT 1500
mtu INTERNET 1500
mtu LAN 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.16.250 255.255.255.255 MANAGEMENT
http 192.168.16.0 255.255.255.0 MANAGEMENT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
 class class-default
  user-statistics accounting
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:c0b657c6c31a3a804b93ce8342a96d91
: end

varrao Fri, 04/20/2012 - 08:09

If no packets are hitting the ASA, then nothing is reaching the firewall, which means you might need to go hop by hop and check the other devices as well: check ARP on all devices, and if needed reload the switches and the ASA so that the ARP cache is cleared and the table is created again. Check the VLAN config as well.

Thanks,

Varun

EIKONLOGISTICS Fri, 04/20/2012 - 08:49

Well, in fact, at the moment I have my router at 192.168.16.1 and one PC on DHCP.

When I plug the PC into my router, it works fine.

Now when I plug the firewall between the PC and the router, it doesn't work. The PC doesn't get its IP address, so it gets 169.254.12.129 255.255.0.0. I can't ping my router anymore from my PC.

As you can see in my configuration, only the minimum is configured and the firewall is in transparent mode... so it should work? Normally, as you told me, I have no MAC address to set if it's automatic.

And I have no VLAN, only these 3 interfaces (LAN, INTERNET and MANAGEMENT).

So maybe there is one thing I missed setting in this basic configuration?

Thanks for your help.

Correct Answer
Julio Carvaja Fri, 04/20/2012 - 22:58

Hello Jean,

Of course you are missing something...

You do NOT have an IP address assigned to your ASA.

Now you are running 8.4, so as one of my colleagues once said:

In version 8.4(2) or prior versions, the ASA uses the concept of bridge-groups in transparent mode. Therefore, you need to add the interfaces to a bridge-group and then configure the IP address under the BVI. See here for a config example:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_complete_transparent.html#wp1321042

Regards,

Do rate all the helpful posts

Julio
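The bridge-group and BVI configuration that Julio's answer refers to, written out as an added example (it is not taken from the thread or from the linked Cisco guide). It reuses the interface names and the 192.168.16.0/24 subnet from the posts and assumes 192.168.16.251 is a free address in that subnet:

```cisco
! Added example, not from the original thread: the pieces the posted 8.4
! transparent-mode config is missing. Both data interfaces must belong to
! the same bridge group, and the bridge group's IP address lives on the BVI,
! not on the member interfaces. 192.168.16.251 is an assumed free address.
firewall transparent
!
interface Ethernet0/0
 bridge-group 1
 nameif INTERNET
 security-level 0
!
interface Ethernet0/1
 bridge-group 1
 nameif LAN
 security-level 100
!
interface BVI1
 ip address 192.168.16.251 255.255.255.0
!
! Checks after plugging the router into e0/0 and the switch into e0/1:
! show bridge-group 1      - both members listed, BVI address shown
! show mac-address-table   - router and switch MACs learned per interface
```

The management interface keeps its own address on Management0/0 as in the posted config; the BVI address is separate and must be in the subnet that the bridged interfaces carry.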

Posted April 19, 2012 at 4:58 AM