04-19-2012 04:58 AM - edited 03-11-2019 03:55 PM
Hello,
I'm trying to set up my firewall in my network.
The network is very simple.
I have my router in 192.168.16.1 255.255.255.0 (mac-address 58-98-35-2a-4c-39)
I have my switch in 192.168.16.26 255.255.255.0 (mac-address 00-19-99-5d-1f-43)
and I have my ASA firewall between the router and the switch at 192.168.16.250 255.255.255.0 (mac-address 64-9e-f3-ba-28-c9)
So I need to configure 3 interfaces on my ASA.
- OUTSIDE e0/0 (I call it INTERNET)
- INSIDE e0/1 (I call it LAN)
- MANAGEMENT m0/0 (I call it MANAGEMENT)
The management interface is well configured. I enabled HTTP access and I can access my ASDM interface from all my network:
interface Management0/0
nameif MANAGEMENT
security-level 0
ip address 192.168.16.250 255.255.255.0
management-only
!
Now I would like to plug my firewall in the network.
My router in e0/0 (INTERNET) and my switch in e0/1 (LAN).
I understood that in transparent mode I have to configure the INTERNET and LAN interfaces with a mac-address (ASA 5510).
So I did as follows.
interface Ethernet0/0
mac-address 5898.352a.4c39
nameif INTERNET
security-level 0
!
interface Ethernet0/1
mac-address 0019.995d.1f43
nameif LAN
security-level 100
!
But with this config, when I plug in the firewall, I don't have access to the internet anymore.
What did I do wrong?
Regards,
04-19-2012 05:33 AM
Hi Jean-Francois,
You don't need the mac-address command in the interface configuration; once you plug in the device, it will learn the ARP entries itself.
Moreover, can you share the complete configuration, and also try taking captures to check where the packets are getting dropped:
https://supportforums.cisco.com/docs/DOC-17814
Thanks,
Varun
04-19-2012 05:41 AM
Thank you, I will try taking captures.
See my configuration below.
: Saved
: Written by enable_15 at 14:14:51.684 GMT Thu Apr 19 2012
!
ASA Version 8.4(3)
!
firewall transparent
hostname ciscoasa
domain-name ekonlogistics.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
mac-address 5898.352a.4c39
nameif INTERNET
security-level 0
!
interface Ethernet0/1
mac-address 0019.995d.1f43
nameif LAN
security-level 100
!
interface Ethernet0/2
shutdown
no nameif
no security-level
!
interface Ethernet0/3
shutdown
no nameif
no security-level
!
interface Management0/0
nameif MANAGEMENT
security-level 0
ip address 192.168.16.250 255.255.255.0
management-only
!
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
domain-name ekonlogistics.com
same-security-traffic permit inter-interface
pager lines 24
logging enable
logging asdm informational
mtu MANAGEMENT 1500
mtu INTERNET 1500
mtu LAN 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.16.250 255.255.255.255 MANAGEMENT
http 192.168.16.0 255.255.255.0 MANAGEMENT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:542cefd98a5a8178cf5ed8e623ea25c8
04-20-2012 05:39 AM
Hi again,
Here is my new configuration without the mac-address. But the internet still doesn't work when I plug in the firewall.
I tried to make a capture but I didn't notice anything...
: Saved
:
ASA Version 8.4(3)
!
firewall transparent
hostname ciscoasa
domain-name ekonlogistics.com
enable password 8Ry2YjIyt7RRXU24 encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
nameif INTERNET
security-level 0
!
interface Ethernet0/1
nameif LAN
security-level 100
!
interface Ethernet0/2
shutdown
no nameif
no security-level
!
interface Ethernet0/3
shutdown
no nameif
no security-level
!
interface Management0/0
nameif MANAGEMENT
security-level 0
ip address 192.168.16.250 255.255.255.0
management-only
!
ftp mode passive
clock timezone GMT 0
dns server-group DefaultDNS
domain-name ekonlogistics.com
same-security-traffic permit inter-interface
pager lines 24
logging enable
logging asdm informational
mtu MANAGEMENT 1500
mtu INTERNET 1500
mtu LAN 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
http server enable
http 192.168.16.250 255.255.255.255 MANAGEMENT
http 192.168.16.0 255.255.255.0 MANAGEMENT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics host
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 2
Cryptochecksum:c0b657c6c31a3a804b93ce8342a96d91
: end
04-20-2012 08:09 AM
If no packets are hitting the ASA, then nothing is reaching the firewall, which means you might need to go hop by hop and check other devices as well: check ARP on all devices, and if needed reload the switches and the ASA so that the ARP cache is cleared and the table is built again. Check the VLAN config as well.
Thanks,
Varun
04-20-2012 08:49 AM
Well, in fact, at the moment I have my router at 192.168.16.1 and one PC on DHCP.
When I plug the PC into my router, it works fine.
Now, when I plug the firewall between the PC and the router, it doesn't work. The PC doesn't get its IP address, so it gets 169.254.12.129 255.255.0.0. I can't ping my router anymore from my PC.
As you can see in my configuration, only the minimum is configured and the firewall is in transparent mode... so it should work? Normally, as you told me, I have no mac address to set if it's automatic.
And I have no VLAN, only these 3 interfaces (LAN, INTERNET and MANAGEMENT).
So maybe there is one thing I missed setting in this basic configuration?
Thanks for your help.
04-20-2012 10:58 PM
Hello Jean,
Of course you are missing something...
You do NOT have an IP address assigned to your ASA.
Now, you are running 8.4, so as one of my colleagues once said:
In version 8.4(2) or prior versions, the ASA uses the concept of bridge-groups in transparent mode. Therefore, you need to add the interfaces to a bridge-group and then configure the IP address under the BVI. See here for a config example:
Regards,
Do rate all the helpful posts
Julio
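As an added example (not part of any post in this thread, and not Cisco's own sample configuration): the minimal ASA 8.4(3) transparent-mode configuration that the accepted answer describes, with both data interfaces placed in a bridge group and the IP address configured on the BVI rather than on the member interfaces, followed by the verification and capture commands that Varun's earlier troubleshooting advice calls for. Interface names, the 192.168.16.0/24 addressing and the router address 192.168.16.1 are taken from the thread; the bridge-group number 1, the BVI address 192.168.16.251 (it cannot be the same as the Management0/0 address), the access-list and capture names, and the optional default route are assumptions chosen here.

```text
! Added example, not the thread's own configuration. ASA 8.4(3), single context.
firewall transparent
!
! Data interfaces: no IP address here in transparent mode, only the
! bridge-group membership. Both members must be in the same bridge group
! for traffic to be bridged between them.
interface Ethernet0/0
 nameif INTERNET
 bridge-group 1
 security-level 0
!
interface Ethernet0/1
 nameif LAN
 bridge-group 1
 security-level 100
!
! The IP address lives on the BVI (bridge virtual interface). It must be in
! the subnet being bridged (192.168.16.0/24 in this thread). .251 is an
! assumption: it must differ from the Management0/0 address below.
interface BVI1
 ip address 192.168.16.251 255.255.255.0
!
! Management0/0 is not a bridge-group member; it keeps its own address.
! security-level 0 and the http lines are as posted in the thread.
interface Management0/0
 nameif MANAGEMENT
 security-level 0
 ip address 192.168.16.250 255.255.255.0
 management-only
!
http server enable
http 192.168.16.0 255.255.255.0 MANAGEMENT
!
! Optional (assumption): needed only if the ASA itself must reach hosts
! outside 192.168.16.0/24, e.g. for syslog or NTP sourced from the BVI.
route INTERNET 0.0.0.0 0.0.0.0 192.168.16.1 1
!
! Caveat for the DHCP symptom in the thread (PC fell back to 169.254.x.x):
! DHCP is connectionless broadcast traffic, so Cisco's transparent-mode
! guidance is to permit UDP 67/68 with an access rule on BOTH interfaces
! so that the replies from the router are also allowed. Applying an
! access-group on LAN replaces the implicit high-to-low permit, hence
! the final "permit ip any any" on that list. Names are assumptions.
access-list LAN_IN extended permit udp any any eq 67
access-list LAN_IN extended permit udp any any eq 68
access-list LAN_IN extended permit ip any any
access-group LAN_IN in interface LAN
access-list INTERNET_IN extended permit udp any any eq 67
access-list INTERNET_IN extended permit udp any any eq 68
access-group INTERNET_IN in interface INTERNET
!
! Verification after applying the above:
!   show firewall                 -> "Firewall mode: Transparent"
!   show bridge-group 1           -> INTERNET and LAN listed as members
!   show interface ip brief       -> BVI1 with 192.168.16.251, up/up
!   show mac-address-table        -> router MAC learned on INTERNET,
!                                    PC/switch MACs learned on LAN
!   show arp                      -> entry for 192.168.16.1
!
! Capture DHCP on both sides to see where it stops (names are assumptions):
!   capture DHCP_LAN interface LAN match udp any any eq 67
!   capture DHCP_NET interface INTERNET match udp any any eq 68
!   show capture DHCP_LAN
!   show capture DHCP_NET
!   show asp drop                 -> drop counters if the ASA discards them
!   no capture DHCP_LAN
!   no capture DHCP_NET
```

The manual mac-address lines from the first post are deliberately absent: they copied the router's and the switch's own MAC addresses onto the ASA's bridged interfaces, which puts duplicate MACs on the segment, and the ASA learns the MAC addresses of the bridged devices by itself. Once the BVI has an address, a Discover seen in DHCP_LAN but never in DHCP_NET, together with a rising counter in show asp drop, points at a missing access rule rather than at the bridge group.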
04-23-2012 05:05 AM
Hello jcarvaja,
Thank you, that was my problem.