Cisco Support Community
New Member

ASA in Transparent Mode


I ran into a problem when trying to install an ASA Security Appliance with AIP-SSM in transparent firewall mode.

Please see both attachments, network-with-asa.pdf and network-without-asa.pdf, which will introduce you to the network.

The first picture you should have a look at is network-without-asa.pdf. In this case everything works fine. All devices are able to connect to the network 10.19.64.x (right router) and to the internet (left router).

Now I plugged in the ASA in transparent firewall mode to sniff all traffic to the internet (network-with-asa.pdf). I don't understand what happens now:

All devices can connect to the internet, all Ping messages to 10.19.64.x are O.K., but neither TCP nor UDP connections can be established. There is a permit ip any any access-list statement in ASA and the ASA has an IP address in the network 10.119.x.x.

I thought ASA in transparent firewall mode is just like a "stealth device".

BTW: ASA is connected to the correct VLAN on the Layer-3-Switch ;-)

Please see also this configuration of ASA:

ASA Version 7.2(1)

firewall transparent
hostname ciscoasa

enable password xxx

interface Ethernet0/0
 nameif inside
 security-level 100

interface Ethernet0/1
 nameif outside
 security-level 0

interface Ethernet0/2
 no nameif
 no security-level

interface Management0/0
 nameif management
 security-level 100
 ip address

passwd xxx
ftp mode passive
dns server-group DefaultDNS

access-list 100 extended permit ip any any
access-list 100 extended permit icmp any any
access-list 101 extended permit ip any any
pager lines 24
logging console debugging
logging asdm informational
logging host management
mtu inside 1500
mtu outside 1500
mtu management 1500
ip address
icmp permit any inside
icmp permit any outside
icmp permit any management
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
access-group 100 in interface inside
access-group 100 in interface outside
route management
route management 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh management
ssh timeout 5
console timeout 0

class-map inspection_default
 match default-inspection-traffic
class-map ips
 match access-list 101

policy-map type inspect dns preset_dns_map
 message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class ips
  ips promiscuous fail-open

service-policy global_policy global
prompt hostname context

: end


Can someone tell me what is happening here???

Thanks in advance!!




Re: ASA in Transparent Mode


What is the source/destination of the traffic that you are having an issue with? Your diagram doesn't make it clear if the traffic would even go through the ASA if destined for the 'right side' network.

New Member

Re: ASA in Transparent Mode


Thanks for your answer :-)

The source network is the internal LAN (10.19.0.x/24) and the destination is a branch office with IP network 10.19.64.x/24. The routing should be handled by the "left" Layer-3 Switch, which has a route to 10.19.64.x/24 over the "right" Layer-3 Switch. These two switches are connected with a trunk. IMHO the ASA should never see the traffic destined for this network, because the switch should route it over the trunk...



New Member

Re: ASA in Transparent Mode


Problem is solved :-)

There is an HSRP configuration I didn't know about ;-)



New Member

Re: ASA in Transparent Mode


Would you please let me know how to allow HSRP packets to cross through the ASA?

My 2 ASAs are in A/A transparent mode.

Thanks a lot
