Cisco Support Community

New Member

install transparent asa into existing network with public ip's

Hi all, I'm trying to find the best approach to getting my ASA to replace our Juniper. We have public IPs from our ISP, and it's set to NAT the gateway and MIP the inside IPs to outside public IPs.

I tried hooking up the ASA to the leased router and added my inside rules to be accessed from outside, but I'm not able to get to the web or ping. I read that NAT is not needed on the ASA in transparent mode, though it's possible; but in my setup with our ISP I may need to use NAT, or could I do away with it? What would be my best option to get this set up? Any samples or links would be great.

Thanks,

Carlo

1 ACCEPTED SOLUTION


Re: install transparent asa into existing network with public ip

Hello,

The route is used for :

  • AAA traffic
  • Syslog
  • Management access
  • If the ASA needs to send a packet to a destination that is not on its own network, it will need to send an ICMP packet in order to get the MAC address table populated (with the default gateway's MAC address)

Rate all of the helpful posts!!!

Regards,

Jcarvaja

Follow me on http://laguiadelnetworking.com

Looking for some Networking Assistance? Contact me directly at jcarvaja@laguiadelnetworking.com I will fix your problem ASAP. Cheers, Julio Carvajal Segura http://laguiadelnetworking.com
35 REPLIES
Silver

install transparent asa into existing network with public ip's

What version are you using on the ASA?

Do you know how transparent firewall works?

What is the function that the juniper takes in your network?

FYI: It would be best to address this with a design team.

Value our effort and rate the assistance!
New Member

install transparent asa into existing network with public ip's

What version are you using on the ASA?

It's got ASA 9.1.

Do you know how transparent firewall works?

Yes, but I'm pretty novice at networking since I take on a few things besides networking at my work; I set it up about 5 years ago and I'm kinda out of practice now. The difference between this and the Juniper: the Juniper's trust and untrust interfaces have different IPs (the untrust has our public IP and the trust has the internal, NAT'd one), where the ASA has one IP for the inside and outside, but it's the same bump in the wire, right?

What is the function that the juniper takes in your network?

The Juniper NS25 is in transparent mode (interestingly, when I looked at the Juniper's trust and untrust it shows it's layer 3, whereas from what I read the ASA in transparent mode is layer 2).

I found this article here that could be similar to my scenario, and I need to read up on it. I think NAT needs to be set up on the ASA similar to the Juniper, to map the outside public IP to the internal IP of our gateway. There was a converter I found here, but it wouldn't take my Juniper config; worst comes to worst I'll open a TAC ticket to see if they can convert the Juniper config to ASA. I'm just avoiding having to redo my internal IPs -

https://supportforums.cisco.com/docs/DOC-31116

Silver

install transparent asa into existing network with public ip's

FYI: TAC does not have a tool to convert from Juniper firewall to Cisco ASA.

New Member

install transparent asa into existing network with public ip's

Thanks for the link and the TAC info; I'm reading up on the transparent NAT setup.

New Member

install transparent asa into existing network with public ip's

Hi, so I read the docs. Now my question: on our old firewall the gateway we used was the one set on the NAT'd trust interface, and the public IP gateway of the router is on the untrust, so on the ASA I just create a static NAT for the public gateway, NAT'd to an internal IP that can be used as the gateway -

nat (inside,outside) static mygateway, then we could still use the old gateway we always had, right?

install transparent asa into existing network with public ip's

Hello,

I am not sure about your last question, but let's give it a try.

Is the firewall going to run on transparent or Routed mode?

If it's on transparent then you will need to assign an IP address to the ASA for management purposes but the IP subnet between the inside users and the untrust gateway should be the same.

That being said, if you want the ASA to run in L3 mode (splitting the broadcast domain) then you just need to set a default route on the ASA pointing to the untrust gateway (outside modem), and on the inside PCs the ASA as the default gateway.


Regards,

Jcarvaja

New Member

install transparent asa into existing network with public ip's

Hi Julio, thanks for replying. The ASA 5510 is already set for transparent mode with the management interface set; I had it set up in a lab for testing, but when I tested on the actual connection from the ISP it wasn't allowing ping or web, so I may just need to add a route. I thought I read somewhere that transparent mode doesn't support routing. I'll give it a try, thanks.

install transparent asa into existing network with public ip's

Sure,

It does need a route for special purposes (management, syslog, AAA, and to know where to forward packets when it does not have a valid MAC address entry).

So add it pointing to the outside gateway (remember the inside and outside interfaces must be on the same subnet).


Regards,

Jcarvaja

New Member

install transparent asa into existing network with public ip's

Julio, yes, the inside and outside are in a BVI group with an internal IP and the same subnet.

New Member

install transparent asa into existing network with public ip's

Julio, I think you're right on the route setting; it's been a while since I configured the Juniper. I looked at the Juniper route setting: the outside IP routes to our internal network.

New Member

install transparent asa into existing network with public ip's

"That being said if you want the ASA to run on L3 mode (splitting the broadcast-domain) then you just need to set a default route on the ASA pointing to the untrust gateway (Outside Modem) and on the inside PCs the ASA as the default gateway."

You mentioned that the ASA will be our gateway. Our current firewall is also our gateway (the trust/management port is 208.x.x.1), but on the ASA the only IP is the BVI 208.x.x.11. Right now on the ASA I'm using 208.x.x.1 as an object network host NAT'd with the ISP's router IP. Should I use 208.x.x.11 as the gateway? Maybe that's what I'm missing.

install transparent asa into existing network with public ip's

Hello,

If you read my post carefully, it says in L3 mode..... but you are running it in transparent mode! So the ASA cannot be an L3 device or a DG. No way that can happen, buddy!


Regards,

Jcarvaja

New Member

install transparent asa into existing network with public ip's

Gotcha man, so it sounds like we can't put the ASA in transparent mode as a direct replacement; I would have to go routed mode and redo all our internal IPs.

Silver

install transparent asa into existing network with public ip's

Sorry I did not get the concept, maybe if you could explain this a bit better.

New Member

install transparent asa into existing network with public ip's

Jumora, here's a sample setup -

old firewall (untrust = 12.1.1.1) IP of the leased router (this was the outside IP gateway, I think; I can't see it in the router since it's not managed by us, but it's NAT'd to our internal gateway IP) > (trust = 101.2.2.2) this is our internal gateway IP

That's the current setting in the Juniper.

So on the ASA, the new config for NAT would be

nat (inside,outside) static mygateway - then we can still use 101.2.2.2 as the gateway. I think this is what I'm missing to get an open connection to the outside.

Silver

install transparent asa into existing network with public ip's

I get you. Yeah, NAT, go for it, so that the upstream router can add it to the ARP table. Also add the routes that Julio mentioned for routing.

New Member

Re: install transparent asa into existing network with public ip

Hi guys, so I went and put my route to outside pointing to my ISP's router gateway, as well as NAT, but somehow I can't ping. Here's my edited run-config. Let me know what I'm missing, thanks.

Silver

Re: install transparent asa into existing network with public ip

Give me logs; I need to see logs to see what the ASA is indicating.

New Member

Re: install transparent asa into existing network with public ip

Here's my sh logging output. I can't get the whole log to show in PuTTY, but these are focused on the BVI interface. It seems to show a bunch of errors or teardowns that I also see when looking at the ASDM latest syslog messages. I added a simple network topology diagram. Any help would be great.
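The poster's actual log is not attached to the thread, but this is the triage a practitioner would run over `sh logging` output before anyone asks "what address were you trying to reach". It is an added example, not Cisco code and not from the thread: the sample lines are constructed to follow the documented ASA 302013/302014/302020/302021/106023 message formats with placeholder addresses (203.0.113.0/24 stands in for the poster's 208.x.x.0/24, 198.51.100.0/27 for the ISP side); only the ACL name inside_access_out is taken from the config posted later in the thread.

```python
"""Triage ASA syslog output: which message IDs dominate and why connections tear down.

Added example for this thread; not Cisco code and not the poster's real log.
Sample lines are constructed in the ASA 302013/302014/302020/302021/106023
formats with placeholder addresses (203.0.113.0/24 = poster's public /24,
198.51.100.0/27 = ISP side).
"""
import re
from collections import Counter

MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<text>.*)$")

# 302014 (TCP) / 302016 (UDP): "Teardown TCP connection N for if:A/p to if:B/p
# duration h:mm:ss bytes N [reason]"; a "(mapped/port)" after an address is tolerated.
TEARDOWN_RE = re.compile(
    r"Teardown (?P<proto>TCP|UDP) connection \d+ for "
    r"(?P<if1>\w+):(?P<addr1>[\d.]+)/\d+(?: \([\d.]+/\d+\))? to "
    r"(?P<if2>\w+):(?P<addr2>[\d.]+)/\d+(?: \([\d.]+/\d+\))? "
    r"duration (?P<duration>[\d:]+) bytes (?P<bytes>\d+)(?: (?P<reason>.+))?$"
)

# 106023: 'Deny tcp src if:A/p dst if:B/p by access-group "name" [0x0, 0x0]'
DENY_RE = re.compile(
    r'Deny (?P<proto>\w+) src (?P<src_if>\w+):(?P<src>[\d.]+)(?:/\d+)? '
    r'dst (?P<dst_if>\w+):(?P<dst>[\d.]+)(?:/\d+)? by access-group "(?P<acl>[^"]+)"'
)

# Constructed sample: two web flows that never get an answer, one ping, one flow
# that completed normally, and one ACL drop.
SAMPLE_LOG = """\
%ASA-6-302013: Built outbound TCP connection 101 for outside:198.51.100.9/80 (198.51.100.9/80) to inside:203.0.113.85/51000 (203.0.113.85/51000)
%ASA-6-302014: Teardown TCP connection 101 for outside:198.51.100.9/80 to inside:203.0.113.85/51000 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302013: Built outbound TCP connection 102 for outside:198.51.100.9/443 (198.51.100.9/443) to inside:203.0.113.3/51001 (203.0.113.3/51001)
%ASA-6-302014: Teardown TCP connection 102 for outside:198.51.100.9/443 to inside:203.0.113.3/51001 duration 0:00:30 bytes 0 SYN Timeout
%ASA-6-302020: Built outbound ICMP connection for faddr 198.51.100.9/0 gaddr 203.0.113.85/1 laddr 203.0.113.85/1
%ASA-6-302021: Teardown ICMP connection for faddr 198.51.100.9/0 gaddr 203.0.113.85/1 laddr 203.0.113.85/1
%ASA-6-302014: Teardown TCP connection 103 for outside:198.51.100.9/53 to inside:203.0.113.12/40000 duration 0:00:01 bytes 210 TCP FINs
%ASA-4-106023: Deny tcp src outside:198.51.100.40/4444 dst inside:203.0.113.85/23 by access-group "inside_access_out" [0x0, 0x0]
"""


def summarize(lines):
    """Return counts per message ID, teardown reasons, no-reply flows and ACL denies."""
    by_id, reasons = Counter(), Counter()
    no_reply, denies = [], []
    for line in lines:
        m = MSG_RE.search(line)
        if not m:
            continue                      # not an ASA syslog line
        msgid, text = m.group("msgid"), m.group("text")
        by_id[msgid] += 1
        if msgid in ("302014", "302016"):
            t = TEARDOWN_RE.match(text)
            if not t:
                continue
            reason = t.group("reason") or "(none)"
            reasons[reason] += 1
            # "SYN Timeout" with 0 bytes: the ASA built the connection and forwarded
            # the SYN, but nothing answered within the timeout. That points past the
            # ASA's policy (upstream ARP/route, return path), not at an ACL.
            if reason == "SYN Timeout" and t.group("bytes") == "0":
                no_reply.append(f"{t.group('if2')}:{t.group('addr2')} <-> "
                                f"{t.group('if1')}:{t.group('addr1')}")
        elif msgid == "106023":
            d = DENY_RE.match(text)
            if d:                         # this one IS policy: fix the ACL, not routing
                denies.append({"proto": d.group("proto"), "src": d.group("src"),
                               "dst": d.group("dst"), "acl": d.group("acl")})
    return {"by_id": dict(by_id), "teardown_reasons": dict(reasons),
            "no_reply_flows": no_reply, "acl_denies": denies}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

The split the script makes is the one that matters in this thread: a teardown with reason SYN Timeout and zero bytes means the ASA permitted and forwarded the flow and the far side never replied, while a 106023 deny names the ACL that dropped the packet. Seeing only the former for every inside host is consistent with "plugged into the ISP router and everything stopped", and says to look at what the upstream router does with the 208.x.x addresses rather than at the ASA's access lists.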

New Member

Re: install transparent asa into existing network with public ip

Were you able to look into my logs? Is there any other way to see what's happening with the traffic inside the ASA besides logs?

Silver

Re: install transparent asa into existing network with public ip

What address were you trying to reach?

New Member

Re: install transparent asa into existing network with public ip

I'm trying to get traffic to go through the ASA, inside to outside. Here's what my Juniper's route config looks like compared to the ASA. I know it's something with the route, because as soon as I plugged the ASA into the ISP's router, which has an outside public IP, it stopped letting traffic through. I added a route from some config samples I've read around the forum that I thought would work just by changing the IPs, but to no avail; hopefully these configs will tell you what's missing on the ASA.

ASA

interface Ethernet0/0
 nameif outside
 bridge-group 1
 security-level 0
!
interface Ethernet0/1
 nameif inside
 bridge-group 1
 security-level 100
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface BVI1
 ip address 208.x.x.11 255.255.255.0
!
boot system disk0:/asa912-8-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 208.x.x.12
 domain-name domain.com
object network cirexxintl
 host 208.x.x.85
object network cirexxintldc
 host 208.x.x.12
object network crxmail
 host 208.x.x.3
object network att
 host 12.x.x.33
object network int-gateway
 host 208.x.x.1
object-group protocol TCP_UDP
 description Grouping of TCP and UDP protocols
 protocol-object tcp
 protocol-object udp
object-group service All-service
 service-object gre
 service-object icmp echo
 service-object tcp destination eq www
 service-object udp destination eq domain
 service-object tcp destination eq https
 service-object tcp destination eq pop3
 service-object tcp destination eq smtp
 service-object tcp destination eq domain
object-group network internal-servers
 network-object object cirexxintl
 network-object object cirexxintldc
 network-object object crxmail
access-list inside_access_out extended permit object-group All-service object-group internal-servers any
access-list inside_access_out extended permit object-group TCP_UDP object-group internal-servers any
pager lines 24
arp timeout 14400
no arp permit-nonconnected
access-group inside_access_out out interface inside
object network int-gateway
 nat (inside,outside) static att
route outside 0.0.0.0 0.0.0.0 12.x.x.33 1

Juniper

ns25-> get route
IPv4 Dest-Routes for (0 entries)
--------------------------------------------------------------------------------
H: Host C: Connected S: Static A: Auto-Exported
I: Imported R: RIP P: Permanent D: Auto-Discovered
iB: IBGP eB: EBGP O: OSPF E1: OSPF external type 1
E2: OSPF external type 2

IPv4 Dest-Routes for (4 entries)
--------------------------------------------------------------------------------
ID IP-Prefix Interface Gateway P Pref Mtr Vsys
--------------------------------------------------------------------------------
* 1 208.x.x.0/24 eth1 0.0.0.0 C 0 0 Root
* 4 12.x.x.34/32 eth3 0.0.0.0 H 0 0 Root
* 3 12.x.x.32/27 eth3 0.0.0.0 C 0 0 Root
* 2 208.x.x.1/32 eth1 0.0.0.0 H 0 0 Root

ns25-> get route source
S: Static P: Permanent
Src-Routes for (1 entries)
--------------------------------------------------------------------------------
ID IP-Prefix Interface Gateway P Pref Mtr Vsys
--------------------------------------------------------------------------------
* 1 208.x.x.0/24 eth3 12.x.x.33 S 20 1 Root

Silver

Re: install transparent asa into existing network with public ip

arp permit-nonconnected

Value our effort and rate the assistance!
Silver

Re: install transparent asa into existing network with public ip

Why this route?

route outside 0.0.0.0 0.0.0.0 12.x.x.33 1

If your BVI has an IP of

interface BVI1

ip address 208.x.x.11 255.255.255.0

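Jumora's question here (a default route via 12.x.x.33 while the only BVI address is 208.x.x.11/24) and Julio's earlier point that inside and outside must share one subnet can be turned into a mechanical check run over a pasted config. The following is an added example, not Cisco code and not from the thread: it parses only the commands discussed here (firewall transparent, interface/nameif/bridge-group, the BVI ip address, route) and uses constructed placeholder addresses (203.0.113.0/24 for 208.x.x.0/24, 198.51.100.33 for the ISP router). The "fixed" variant merely moves the next hop onto the bridged subnet so the check passes; it is not a claim about which gateway the poster should actually use.

```python
"""Consistency check for a transparent-mode ASA config, following the thread's reasoning.

Added example, not Cisco code. Flags (1) a route whose next hop is not on any BVI
subnet, so nothing on the bridged segment can answer ARP for it, and (2) a bridge-group
without two member interfaces or without a BVI address. Addresses are constructed
placeholders (203.0.113.0/24 = poster's public /24, 198.51.100.33 = ISP router).
"""
import ipaddress

POSTED_STYLE = """\
firewall transparent
interface Ethernet0/0
nameif outside
bridge-group 1
security-level 0
!
interface Ethernet0/1
nameif inside
bridge-group 1
security-level 100
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface BVI1
ip address 203.0.113.11 255.255.255.0
!
arp permit-nonconnected
route outside 0.0.0.0 0.0.0.0 198.51.100.33 1
"""

# Same config with the next hop moved onto the bridged subnet (placeholder gateway).
FIXED_ROUTE = POSTED_STYLE.replace("198.51.100.33", "203.0.113.1")


def parse_asa_config(text):
    """Pull out mode, interfaces, BVI addresses and static routes from ASA CLI text."""
    cfg = {"transparent": False, "interfaces": {}, "bvi": {}, "routes": []}
    current = None                              # interface block we are inside, if any
    for raw in text.splitlines():
        line = raw.strip()                      # pasted configs usually lose indentation
        if not line or line.startswith("!"):
            continue
        words = line.split()
        if line == "firewall transparent":
            cfg["transparent"] = True
        elif words[0] == "interface":
            current = words[1]
            cfg["interfaces"][current] = {}
        elif words[0] == "route" and len(words) >= 5:
            cfg["routes"].append({"iface": words[1], "dest": words[2],
                                  "mask": words[3], "gateway": words[4]})
            current = None
        elif current and words[0] == "nameif":
            cfg["interfaces"][current]["nameif"] = words[1]
        elif current and words[0] == "bridge-group":
            cfg["interfaces"][current]["bridge_group"] = words[1]
        elif current and words[:2] == ["ip", "address"] and current.startswith("BVI"):
            # ipaddress accepts a dotted mask after the slash
            cfg["bvi"][current] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif words[0] in ("object", "object-group", "access-list", "nat"):
            current = None                      # top-level command: left the interface block
    return cfg


def check_transparent(cfg):
    """Return a list of findings; an empty list means the checks passed."""
    if not cfg["transparent"]:
        return ["config is not 'firewall transparent'; these checks apply to transparent mode only"]
    findings = []
    nets = {name: itf.network for name, itf in cfg["bvi"].items()}
    for rt in cfg["routes"]:
        gw = ipaddress.ip_address(rt["gateway"])
        if not any(gw in net for net in nets.values()):
            findings.append(
                f"route {rt['dest']} {rt['mask']} via {rt['gateway']} ({rt['iface']}): "
                f"next hop is not on any BVI subnet {sorted(map(str, nets.values()))}, "
                "so nothing on the bridged segment will answer ARP for it")
    groups = {}
    for ifname, d in cfg["interfaces"].items():
        if "bridge_group" in d:
            groups.setdefault(d["bridge_group"], []).append(d.get("nameif", ifname))
    for g, members in sorted(groups.items()):
        if len(members) < 2:
            findings.append(f"bridge-group {g} has only {members}; a bridge needs two sides")
        if f"BVI{g}" not in cfg["bvi"]:
            findings.append(f"bridge-group {g} has no 'ip address' on BVI{g}; "
                            "management, syslog and AAA traffic has no source address")
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", POSTED_STYLE), ("next hop on bridge", FIXED_ROUTE)):
        print(label, check_transparent(parse_asa_config(text)) or "ok")
```

The check encodes what both replies say rather than anything beyond them: in transparent mode the route exists so the ASA itself can reach management, syslog and AAA destinations, and the ASA can only resolve a next hop that sits on the subnet its BVI is bridging. A next hop in the ISP's 12.x.x.32/27 with a BVI in 208.x.x.0/24 fails that test, which is exactly the mismatch Jumora is pointing at.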
New Member

Re: install transparent asa into existing network with public ip

It worked when I had it set up in the lab inside my internal network, when all the IPs were the same, but as soon as I plugged it into the actual ISP router it stopped working; that's why I was looking at either routing or NAT. I read you're supposed to set a route if you have an external IP, like for example a modem or router, and point it to your outside interface facing the router. One thing I noticed when I connect to the router: under Monitoring and then Routing, it shows the connected outside route for the ISP. Still can't ping or browse though.

Re: install transparent asa into existing network with public ip

Hello,

Can you provide us the updated config?

I will take a look at it as soon as you do.


Regards,

Jcarvaja

New Member

install transparent asa into existing network with public ip's

Here you go,

crxasa# sh run
: Saved
:
ASA Version 9.1(2)8
!
firewall transparent
hostname crxasa
domain-name domain.com
enable password jtiwndTuzIDdTcxA encrypted
names
!
interface Ethernet0/0
 nameif outside
 bridge-group 1
 security-level 0
!
interface Ethernet0/1
 nameif inside
 bridge-group 1
 security-level 100
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface BVI1
 ip address 208.x.x.11 255.255.255.0
!
boot system disk0:/asa912-8-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns domain-lookup inside
dns server-group DefaultDNS
 name-server 208.x.x.12
 domain-name domain.com
object network cirexxintl
 host 208.x.x.85
object network cirexxintldc
 host 208.x.x.12
object network crxmail
 host 208.x.x.3
object network gateway
 host 12.x.x.34
object-group protocol TCP_UDP
 description Grouping of TCP and UDP protocols
 protocol-object tcp
 protocol-object udp
object-group service All-service
 service-object gre
 service-object icmp echo
 service-object tcp destination eq www
 service-object udp destination eq domain
 service-object tcp destination eq https
 service-object tcp destination eq pop3
 service-object tcp destination eq smtp
 service-object tcp destination eq domain
object-group network internal-servers
 network-object object cirexxintl
 network-object object cirexxintldc
 network-object object crxmail
access-list inside_access_out extended permit object-group All-service object-group internal-servers any
access-list inside_access_out extended permit object-group TCP_UDP object-group internal-servers any
pager lines 24
logging enable
logging buffer-size 1048576
logging buffered debugging
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
arp permit-nonconnected
nat (inside,outside) source dynamic any internal-servers
access-group inside_access_out out interface inside
route outside 0.0.0.0 0.0.0.0 12.x.x.33 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 15
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics port
threat-detection statistics protocol
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password 571.UcWz1aqKyGh3 encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:38c3e7a94d8863770e325b9dcc564360
: end
crxasa#

Re: install transparent asa into existing network with public ip

Hi Carlo,

How's everything going, buddy?

Man, are all of the inside hosts on the network 208.x.x.0/24?


Regards,

Jcarvaja
