Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ASA in Transparent Mode

Hi,

i ran into a problem when trying to install an ASA Security Appliance with AIP-SSM in transparent firewall mode.

Please see the both attachments network-with-asa.pdf and network-without-asa.pdf which will introduce you to the network.

The first picture you should have a look to is network-without-asa.pdf. In this case everythings work fine. All devices are able to connect to the network 10.19.64.x (right router) and to the internet (left router).

Now i plugged in the ASA in transparent firewall mode to sniffer all traffic to the internet (network-with-asa.pdf). I don't understand what now happens:

All devices can connect to the internet, all Ping messages to 10.19.64.x are O.K., but neither TCP nor UDP connections can be established. There is a permit ip any any access-list statement in ASA and the ASA has an IP address in the network 10.119.x.x.

I thought ASA in transparent firewall mode is just like a "stealth device".

BTW: ASA is connected to the correct VLAN on the Layer-3-Switch ;-)

Please see also this configuration of ASA:

ASA Version 7.2(1)

!

firewall transparent

hostname ciscoasa

domain-name xxx.de

enable password xxx

names

!

interface Ethernet0/0

nameif inside

security-level 100

!

interface Ethernet0/1

nameif outside

security-level 0

!

interface Ethernet0/2

shutdown

no nameif

no security-level

!

interface Management0/0

nameif management

security-level 100

ip address 10.19.10.1 255.255.248.0

management-only

!

passwd xxx

ftp mode passive

dns server-group DefaultDNS

domain-name xxx.de

access-list 100 extended permit ip any any

access-list 100 extended permit icmp any any

access-list 101 extended permit ip any any

pager lines 24

logging console debugging

logging asdm informational

logging host management 10.19.10.3

mtu inside 1500

mtu outside 1500

mtu management 1500

ip address 10.119.128.10 255.255.255.0

icmp permit any inside

icmp permit any outside

icmp permit any management

asdm image disk0:/asdm521.bin

no asdm history enable

arp timeout 14400

access-group 100 in interface inside

access-group 100 in interface outside

route management 10.19.8.0 255.255.248.0

route management 0.0.0.0 0.0.0.0 10.119.128.250 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout uauth 0:05:00 absolute

http server enable

http 10.19.0.0 255.255.0.0 inside

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

telnet timeout 5

ssh 10.19.0.0 255.255.0.0 management

ssh timeout 5

console timeout 0

!

class-map inspection_default

match default-inspection-traffic

class-map ips

match access-list 101

!

!

policy-map type inspect dns preset_dns_map

parameters

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

class ips

ips promiscuous fail-open

!

service-policy global_policy global

prompt hostname context

Cryptochecksum:xxx

: end

ciscoasa#

Can someone tell me what is happening here???

Thanks in advance!!

Regards

Bernd

4 REPLIES
Bronze

Re: ASA in Transparent Mode

Hello,

What is the source/destination of the traffic that you are having an issue with? Your diagram doesn't make it clear if the traffic would even go through the ASA if destined for the 'right side' network.

New Member

Re: ASA in Transparent Mode

Hi,

thanks for your answer :-)

The source network is the internal LAN (10.19.0.x/24) and the destination is a brnch office with IP network 10.19.64.x/24). The routing should be handled by the "left" Layer-3 Switch, which has a route to 10.19.64.x/24 over the "right" Layer-3 Switch. These two switches are connected with a trunk. IMHO the ASA should never see the traffic destined for this network, because the switch should route it over the trunk...

Regards

Bernd

New Member

Re: ASA in Transparent Mode

Hi,

problem is solved :-)

There is an HSRP configuration i didn't know about ;-)

Regards

Bernd

New Member

Re: ASA in Transparent Mode

Hi,Bprobst

Would you pls let me know how to allow HSRP packet cross throug ASA?

My 2 ASAs are in A/A transparent mode.

Thanks a lot

271
Views
0
Helpful
4
Replies
CreatePlease login to create content