Cisco Support Community

New Member

ASA Transparent Mode Deployment Issue

 
  • Firewalling
VIP Green

ASA Transparent Mode Deployment Issue

Could you please be more specific as to what does not work? How are you testing: from which IP to which IP is it not working? Are you able to ping the switch from the ASA Firewall (not the transparent firewall)?

--
Please remember to rate and select a correct answer
New Member

ASA Transparent Mode Deployment Issue

Case 1:

From the management PC I can ping 10.10.10.10 & 10.10.10.11 but cannot ping 10.10.10.1 or 10.10.20.1

Case 2:

Remove the IPS and directly connect the cable from the switch (gig0/8) to the ASA firewall (gig0/1) on top. Now I can ping the 10.10.10.1 & 10.10.20.2 segment

VIP Green

ASA Transparent Mode Deployment Issue

Well, it seems you have found where the issue is yourself. Looks like there is a misconfiguration on the IPS.

--
Please remember to rate and select a correct answer
New Member

Re: ASA Transparent Mode Deployment Issue

Could you please point me to the misconfiguration & how to resolve it?

Is the above setup supported?

VIP Green

Re: ASA Transparent Mode Deployment Issue

Well, you have it set to fail-open, so it is a little strange that it is not allowing traffic through. You could post the IPS config here and we can have a look and see if we can spot anything out of the ordinary. Otherwise, you might also want to post a question in the IPS/IDS section of the support forum.

--
Please remember to rate and select a correct answer
New Member

Re: ASA Transparent Mode Deployment Issue

The IPS was set to fail open. I have tried this setup without any VLANs and it seems to be working.

I strongly suspect multiple VLANs in transparent mode will not work as the ASA cannot inspect VLAN-tagged packets. Correct me if I am wrong.

VIP Green

Re: ASA Transparent Mode Deployment Issue

OK, after a little research I think I have found a solution for you (I am leaving out the policy map configs):

firewall transparent
hostname ASA-IPS
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif Outside2
 bridge-group 2
 security-level 0
interface GigabitEthernet0/0.10
 vlan 10
 nameif Outside1
 bridge-group 1
 security-level 0
!
interface GigabitEthernet0/1.22
 vlan 22
 nameif Inside2
 bridge-group 2
 security-level 100
interface GigabitEthernet0/1.11
 vlan 11
 nameif Inside1
 bridge-group 1
 security-level 100
!
interface BVI1
 ip address 10.10.10.10 255.255.255.0
interface BVI2
 ip address 10.10.20.10 255.255.255.0
!
access-list inside_acl extended permit ip any any
access-list outside_acl extended permit ip any any
!
access-group outside_acl in interface Outside1
access-group inside_acl in interface Inside1
access-group outside_acl in interface Outside2
access-group inside_acl in interface Inside2

Also make sure that you amend the VLANs on the switch to correspond to the VLANs on the Transparent ASA.

--
Please remember to rate and select a correct answer
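The bridge-group layout above only works if every piece lines up: each bridge-group needs a BVI with an address, two member subinterfaces (one per side), an access-group on every nameif, and the VLAN tags used on the ASA subinterfaces must actually be allowed on the switch trunk, which is the last point the reply makes. The following script is an added example, not code from the thread or from Cisco: it parses an ASA-style config (a constructed copy of the one posted, with the physical-interface and policy-map lines left out as in the post) and a constructed switch trunk line, and reports any mismatch before the cable is plugged in. The `SWITCH_TRUNK` line and the checks are assumptions about what a consistent deployment looks like.

```python
"""Consistency checks for an ASA transparent-mode bridge-group layout (added example)."""
import re
from collections import defaultdict

# Constructed sample: the bridge-group layout posted in the thread,
# physical-interface and policy-map lines left out as in the post.
ASA_CONFIG = """\
firewall transparent
hostname ASA-IPS
interface GigabitEthernet0/0.20
 vlan 20
 nameif Outside2
 bridge-group 2
 security-level 0
interface GigabitEthernet0/0.10
 vlan 10
 nameif Outside1
 bridge-group 1
 security-level 0
!
interface GigabitEthernet0/1.22
 vlan 22
 nameif Inside2
 bridge-group 2
 security-level 100
interface GigabitEthernet0/1.11
 vlan 11
 nameif Inside1
 bridge-group 1
 security-level 100
interface BVI1
 ip address 10.10.10.10 255.255.255.0
interface BVI2
 ip address 10.10.20.10 255.255.255.0
access-list inside_acl extended permit ip any any
access-list outside_acl extended permit ip any any
access-group outside_acl in interface Outside1
access-group inside_acl in interface Inside1
access-group outside_acl in interface Outside2
access-group inside_acl in interface Inside2
"""

# Constructed switch-side trunk line; the thread never shows the switch config.
SWITCH_TRUNK = "switchport trunk allowed vlan 10,11,20,22"


def parse_asa(text):
    """Return (subinterfaces, bvis, access_groups) parsed from an ASA-style config."""
    subifs = {}   # interface name -> {"vlan", "nameif", "bridge_group", "security_level"}
    bvis = {}     # bridge-group number -> BVI IP address (None if not configured)
    acls = {}     # nameif -> access-list applied inbound on it
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"interface (\S+)$", line)
        if m:
            name = m.group(1)
            if name.startswith("BVI"):
                current = ("bvi", int(name[3:]))
                bvis.setdefault(current[1], None)
            else:
                current = ("if", name)
                subifs[name] = {}
            continue
        if line.startswith(" ") and current is not None:   # interface sub-command
            key, _, val = line.strip().partition(" ")
            if current[0] == "bvi" and key == "ip":
                bvis[current[1]] = val.split()[1]           # "address A.B.C.D MASK"
            elif current[0] == "if":
                subifs[current[1]][key.replace("-", "_")] = val
            continue
        current = None                                      # back at global level
        m = re.match(r"access-group (\S+) in interface (\S+)$", line)
        if m:
            acls[m.group(2)] = m.group(1)
    return subifs, bvis, acls


def parse_trunk_vlans(line):
    """Expand 'switchport trunk allowed vlan 10,11,20-22' into a set of VLAN ids."""
    m = re.search(r"allowed vlan (\S+)", line)
    vlans = set()
    for part in m.group(1).split(","):
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def check(asa_text, trunk_line):
    """Return a list of problem strings; an empty list means the layout is consistent."""
    subifs, bvis, acls = parse_asa(asa_text)
    trunk = parse_trunk_vlans(trunk_line)
    problems, members = [], defaultdict(list)
    for name, cfg in subifs.items():
        missing = {"vlan", "nameif", "bridge_group", "security_level"} - cfg.keys()
        if missing:
            problems.append(f"{name}: missing {sorted(missing)}")
            continue
        members[int(cfg["bridge_group"])].append(cfg)
        if int(cfg["vlan"]) not in trunk:
            problems.append(f"{name}: VLAN {cfg['vlan']} is not allowed on the switch trunk")
        if cfg["nameif"] not in acls:
            problems.append(f"{cfg['nameif']}: no access-group applied")
    for bg in sorted(set(members) | set(bvis)):
        if bvis.get(bg) is None:
            problems.append(f"bridge-group {bg}: BVI{bg} has no IP address")
        if len(members[bg]) < 2:
            problems.append(f"bridge-group {bg}: needs at least two member interfaces")
    return problems


if __name__ == "__main__":
    for p in check(ASA_CONFIG, SWITCH_TRUNK) or ["layout is consistent"]:
        print(p)
```

Running it against the posted layout and a trunk carrying VLANs 10, 11, 20 and 22 reports no problems; drop VLAN 11 or 22 from the trunk line and the script names the subinterface whose tag will never reach the ASA, which is the kind of mismatch that otherwise shows up only as "ping does not work".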
New Member

Re: ASA Transparent Mode Deployment Issue

Thanks, I have tried this but it is not working.

But does it mean I need to create as many VLANs & BVIs on the ASA as exist in between?

VIP Green

Re: ASA Transparent Mode Deployment Issue

But does it mean I need to create as many VLANs & BVIs on the ASA as exist in between?

From my understanding, yes.

--
Please remember to rate and select a correct answer