10-16-2013 01:07 PM - edited 03-11-2019 07:53 PM
Hi all - hope this is the right place to ask this question-
I'm having trouble understanding how to configure an ASA 5512X in what should be a really easy way -
I simply want the ASA to be a transparent Layer 2 "bump" in a routed link between two networks, and then I'll use the Management interface to actually see the firewall ASDM, Syslog, configure, etc.
I have the interfaces set up thusly:
interface GigabitEthernet0/0
 nameif UnTrustedNetwork
 security-level 0
!
interface GigabitEthernet0/1
 nameif TrustedNetwork
 security-level 100
!
interface Management0/0
 nameif ManagementAccess
 security-level 100
 ip address 192.168.X.Y 255.255.255.0
 management-only
I cannot figure out how to install a default route so that interface Management0/0 with its IP of 192.168.X.Y can be reached from other networks, like 10.6.X.Y, etc.
I thought the point of a Management interface was that you could set things up in such a way that the Management interface was the only way you could access the firewall, and you did not have to have IP addresses on the Gig interfaces (at least not in transparent mode; for NAT you obviously would have to).
I tried to add a static route entry to 10.6.X.Y, but when I typed "route.." my only available destination interfaces were either TrustedNetwork or UnTrustedNetwork??
How do I configure the Management interface for non-local subnets to be reachable on the firewall in transparent mode?
10-16-2013 07:17 PM
Transparent firewall is configured differently from routed mode.
Here's a basic config required:
! firewall transparent erases the current config; does not require a reboot
firewall transparent
!
interface BVI1
 ip address 192.168.10.10 255.255.255.0
!
interface GigabitEthernet0
 nameif outside
 bridge-group 1
 security-level 0
!
interface GigabitEthernet1
 nameif inside
 bridge-group 1
 security-level 100
!
route outside 0.0.0.0 0.0.0.0 192.168.10.254
route inside 10.0.0.0 255.0.0.0 192.168.10.100
I think that you need a BVI interface with an IP address before the ASA starts forwarding traffic.
The old syntax (pre 8.3 or 8.2, not sure) forces only 2 interfaces and no BVI was configured... the IP was assigned in global config.
Hope that helps,
Patrick
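The following is an added example, not part of the reply above and not Cisco tooling: a small Python check that reads a saved ASA configuration and reports bridge-group member interfaces that lack a BVI with an IP address, plus routes whose gateway is not on that BVI's subnet. The function name `check_transparent` and the sample text are constructed for illustration; requiring the next hop to sit on the BVI subnet is an assumption of this check.

```python
import ipaddress
import re

# Constructed sample: the configuration from the reply above, one command per line.
SAMPLE = """\
firewall transparent
interface BVI1
 ip address 192.168.10.10 255.255.255.0
interface GigabitEthernet0
 nameif outside
 bridge-group 1
 security-level 0
interface GigabitEthernet1
 nameif inside
 bridge-group 1
 security-level 100
route outside 0.0.0.0 0.0.0.0 192.168.10.254
route inside 10.0.0.0 255.0.0.0 192.168.10.100
"""

def check_transparent(config):
    """Return a list of findings; an empty list means every check passed."""
    lines = [raw.strip() for raw in config.splitlines()]
    bvi_nets, members, names, routes, current = {}, {}, {}, [], None
    for line in lines:
        if m := re.match(r"interface (\S+)$", line):
            current = m.group(1)
        elif m := re.match(r"ip address (\S+) (\S+)", line):
            if current and current.upper().startswith("BVI"):
                bvi_nets[current[3:]] = ipaddress.ip_interface(f"{m.group(1)}/{m.group(2)}").network
        elif m := re.match(r"bridge-group (\d+)$", line):
            members[current] = m.group(1)      # physical interface -> bridge group number
        elif m := re.match(r"nameif (\S+)", line):
            names[m.group(1)] = current        # nameif -> physical interface
        elif m := re.match(r"route (\S+) \S+ \S+ (\S+)", line):
            routes.append((m.group(1), ipaddress.ip_address(m.group(2))))
    findings = []
    if "firewall transparent" not in lines:
        findings.append("firewall transparent is not set")
    for ifc, group in members.items():
        if group not in bvi_nets:
            findings.append(f"{ifc}: bridge-group {group} has no BVI{group} with an IP address")
    for name, gw in routes:
        group = members.get(names.get(name))
        net = bvi_nets.get(group)
        # Interfaces outside any bridge group (e.g. management-only) are not checked here.
        if net is not None and gw not in net:
            findings.append(f"route {name}: gateway {gw} is not on the BVI{group} subnet {net}")
    return findings
```

Calling `check_transparent(SAMPLE)` returns an empty list for the configuration above; removing the BVI address yields one finding per bridged interface.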
10-17-2013 09:16 AM
Thanks Patrick!
I did that -
I will test it.