
New Member

Passing Traffic Through ASA 5515-X Issue

I have a test environment that contains two Cisco 3560-X switches in router mode.  The ASA 5515-X firewall is currently configured in transparent mode between the two switches as follows:

3560X(inside LAN)--->Gi0/24-->Gi0/0-----ASA5515X--------Gi0/1<----Gi0/24<----3560X(DMZ LAN "outside")

I want the firewall to be physically connected between the two switches but do not need to currently filter any traffic (filtering will be applied much later during development).

Both switches have several VLANs (i.e. 115, 600, 900, etc.) with Gi0/24 configured as a trunk port.  The IP address of VLAN 600 on the inside switch is set to 10.211.127.254, and the default gateway of the switch is set to this address.  The IP address of VLAN 600 on the DMZ switch is set to 10.211.127.9, which is also the default gateway for this switch.  Both switches have EIGRP running with the respective networks for each VLAN configured.  In transparent mode all directly connected interfaces must be in the same subnet, and the ASA5515X is set with an IP address of 10.211.127.8.

A static route is also configured for inside 10.211.10.0 255.255.255.0 10.211.127.254 with ACL entries that permit telnet and http to the ASA from this range.

I cannot get traffic (such as ping) to work from switch to switch through the ASA.  The first question I have is about bridge groups.  Interfaces on the ASA are currently set as follows:

Gi0/0: inside, security level 100, group BVI1

Gi0/1: outside (this goes to DMZ), security level 0, group (not assigned)

I do not know if they have to be in the same bridge group.  I have tried to assign Gi0/1 to BVI1 but this drops my connection and I cannot access anything.

There is an option to "Enable traffic between two or more interfaces which are configured with the same security levels", but when I set the security level on Gi0/1 to 100 it has no effect, and it drops communication if I assign it to BVI1.

I can upload the running configurations for each device if that would be more helpful than my explanation.  I'm not sure if transparent mode is the best choice for my configuration.

4 REPLIES
VIP Green

Passing Traffic Through ASA 5515-X Issue

What version ASA are you running?

It would help to see the configuration of the ASA, and the switches for that matter.  The interfaces connected to inside and DMZ need to be in the same bridge-group. So your configuration on the ASA should be something like this (taking into consideration that there is to be no filtering between the two zones):

firewall transparent
!
interface GigabitEthernet0/0
 security-level 100
 nameif inside
 bridge-group 1
 no shutdown
!
interface GigabitEthernet0/1
 security-level 0
 nameif outside
 bridge-group 1
 no shutdown
!
interface BVI1
 ip address 10.211.127.8 255.255.255.0
!
access-list ACL1 extended permit ip any any
access-group ACL1 in interface inside
access-group ACL1 in interface outside

--

Please remember to rate and select a correct answer
New Member

Re: Passing Traffic Through ASA 5515-X Issue

Sorry for the slow response - was at training for the rest of the week for things.

The ASA version is:  ASA Version 8.6(1)2

I also opened a case with Cisco TAC to assist with the configuration.  One of the issues I am having with the configuration in transparent mode is that the inbound/outbound interfaces do not support passing multiple VLAN traffic from a switch configured using a trunk port.  This results in the ASA requiring sub-interfaces to permit traffic from each VLAN on the switch.

I'm starting to think that re-configuring the ASA in routed mode may be a better approach?

I have attached the current configurations of one of the switches and the ASA.  The switch on the other side is similar to the one attached.

VIP Green

Re: Passing Traffic Through ASA 5515-X Issue

In routed mode you could set up a layer 3 interface on the 3560 and route everything, but if you are to pass VLANs then the only way the ASA is able to do this is through subinterfaces which are placed in those VLANs.

I see you have not named the subinterfaces and assigned security levels to the subinterfaces under Gig0/1 interface.  All interfaces are required to have a name and security level for them to be active.

--

Please remember to rate and select a correct answer
New Member

Re: Passing Traffic Through ASA 5515-X Issue

I decided to change from transparent mode to routed mode on the ASA.  There is a 4 interface limit on bridge groups required to run in transparent mode, and this did not accommodate the multiple VLANs because of the sub-interface requirement.  You are correct about the names and security levels.  I stopped configuration after running into the bridge-group limitation.  Thank you for your assistance.
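The three configuration mistakes this thread turns on (data interfaces that are never named or given a security level, inside and DMZ interfaces not sharing a bridge-group, and the four-member bridge-group limit the original poster finally hit) are easy to catch by reading the running-config before cabling anything. The script below is an added example, not Cisco tooling and not the poster's configuration: it parses the interface blocks of an ASA config and reports those three conditions. The sample config is constructed to mimic the situation described in the thread (Gi0/1 carrying VLAN subinterfaces, some of them unnamed or outside bridge-group 1); the four-member limit is taken from the last post, and treating a physical interface that only carries tagged subinterfaces as a parent that needs no nameif of its own is this example's assumption.

```python
"""Lint an ASA running-config for the transparent-mode problems discussed in this thread.

Added example, not Cisco tooling. Checks: data interfaces lacking nameif or
security-level (they stay inactive); in transparent mode, data interfaces outside
any bridge-group; bridge-groups with one member or more than four members.
A physical interface that only carries tagged subinterfaces is treated as a trunk
parent and is not expected to carry a nameif itself (this example's assumption).
"""
import re
from collections import defaultdict

MAX_BRIDGE_GROUP_MEMBERS = 4  # limit stated in the thread for this ASA version

# Constructed sample config modelled on the poster's description; not a real device dump.
SAMPLE_CONFIG = """\
firewall transparent
hostname ASA5515X
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 bridge-group 1
!
interface GigabitEthernet0/1
 no nameif
 no security-level
!
interface GigabitEthernet0/1.115
 vlan 115
 no nameif
 no security-level
!
interface GigabitEthernet0/1.600
 vlan 600
 nameif outside
 security-level 0
 bridge-group 1
!
interface GigabitEthernet0/1.900
 vlan 900
 nameif dmz
 security-level 50
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.0.2.1 255.255.255.0
!
interface BVI1
 ip address 10.211.127.8 255.255.255.0
!
"""


def parse_interfaces(config):
    """Return {interface_name: attrs} for every `interface` block in an ASA config."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        head = re.match(r"^interface (\S+)$", line)
        if head:
            current = head.group(1)
            interfaces[current] = {"nameif": None, "security_level": None, "bridge_group": None,
                                   "shutdown": False, "management_only": False}
            continue
        if current is None or not line.startswith(" "):
            current = None  # a non-indented line ends the interface block
            continue
        cmd = line.split()
        if not cmd:
            continue
        if cmd[0] == "nameif" and len(cmd) > 1:          # "no nameif" starts with "no", so it is skipped
            interfaces[current]["nameif"] = cmd[1]
        elif cmd[0] == "security-level" and len(cmd) > 1:
            interfaces[current]["security_level"] = int(cmd[1])
        elif cmd[0] == "bridge-group" and len(cmd) > 1:
            interfaces[current]["bridge_group"] = int(cmd[1])
        elif cmd == ["shutdown"]:
            interfaces[current]["shutdown"] = True
        elif cmd == ["management-only"]:
            interfaces[current]["management_only"] = True
    return interfaces


def lint_transparent_config(config):
    """Return sorted (interface_or_group, problem) tuples for the checks listed above."""
    interfaces = parse_interfaces(config)
    transparent = "firewall transparent" in {l.strip() for l in config.splitlines()}
    parents = {name.split(".")[0] for name in interfaces if "." in name}
    members = defaultdict(list)
    findings = []
    for name, attrs in interfaces.items():
        if name.upper().startswith("BVI") or attrs["shutdown"] or attrs["management_only"]:
            continue  # BVI holds the management address; shut and management ports carry no data
        if name in parents:
            continue  # trunk parent: only its tagged subinterfaces need names (assumption)
        if attrs["nameif"] is None:
            findings.append((name, "missing nameif (interface stays inactive)"))
        if attrs["security_level"] is None:
            findings.append((name, "missing security-level (interface stays inactive)"))
        if transparent:
            if attrs["bridge_group"] is None:
                findings.append((name, "transparent mode but not in a bridge-group"))
            else:
                members[attrs["bridge_group"]].append(name)
    for group, names in members.items():
        label = "bridge-group %d" % group
        if len(names) < 2:
            findings.append((label, "only one member, nothing to bridge to: %s" % names[0]))
        if len(names) > MAX_BRIDGE_GROUP_MEMBERS:
            findings.append((label, "%d members exceeds the limit of %d"
                             % (len(names), MAX_BRIDGE_GROUP_MEMBERS)))
    return sorted(findings)


if __name__ == "__main__":
    for where, problem in lint_transparent_config(SAMPLE_CONFIG):
        print("%-26s %s" % (where, problem))
```

Run against the sample it reports the unnamed VLAN 115 subinterface three times (no nameif, no security-level, no bridge-group) and the VLAN 900 subinterface once (named but outside bridge-group 1), which is exactly the state that left the poster with one active member in BVI1 and no path to the DMZ switch. Feeding it a config in which a fifth subinterface is added to bridge-group 1 reproduces the limit the thread ended on.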
