https://community.cisco.com/t5/network-security/asa-in-transparent-mode/m-p/620656#M1035771 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>thanks for your answer <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>The source network is the internal LAN (10.19.0.x/24) and the destination is a brnch office with IP network 10.19.64.x/24). The routing should be handled by the "left" Layer-3 Switch, which has a route to 10.19.64.x/24 over the "right" Layer-3 Switch. These two switches are connected with a trunk. IMHO the ASA should never see the traffic destined for this network, because the switch should route it over the trunk...</P><P></P><P>Regards</P><P>Bernd</P><P></P></BODY></HTML> Thu, 30 Nov 2006 04:44:39 GMT bprobst 2006-11-30T04:44:39Z https://community.cisco.com/t5/network-security/asa-in-transparent-mode/m-p/620654#M1035767 <P>Hi,</P><P></P><P>i ran into a problem when trying to install an ASA Security Appliance with AIP-SSM in transparent firewall mode.</P><P>Please see the both attachments network-with-asa.pdf and network-without-asa.pdf which will introduce you to the network.</P><P>The first picture you should have a look to is network-without-asa.pdf. In this case everythings work fine. All devices are able to connect to the network 10.19.64.x (right router) and to the internet (left router).</P><P>Now i plugged in the ASA in transparent firewall mode to sniffer all traffic to the internet (network-with-asa.pdf). I don't understand what now happens: </P><P>All devices can connect to the internet, all Ping messages to 10.19.64.x are O.K., but neither TCP nor UDP connections can be established. There is a permit ip any any access-list statement in ASA and the ASA has an IP address in the network 10.119.x.x.</P><P>I thought ASA in transparent firewall mode is just like a "stealth device".</P><P>BTW: ASA is connected to the correct VLAN on the Layer-3-Switch <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P></P><P>Please see also this configuration of ASA:</P><P></P><P> ASA Version 7.2(1)</P><P>!</P><P>firewall transparent</P><P>hostname ciscoasa</P><P>domain-name xxx.de</P><P>enable password xxx</P><P>names</P><P>!</P><P>interface Ethernet0/0</P><P> nameif inside</P><P> security-level 100</P><P>!</P><P>interface Ethernet0/1</P><P> nameif outside</P><P> security-level 0</P><P>!</P><P>interface Ethernet0/2</P><P> shutdown</P><P> no nameif</P><P> no security-level</P><P>!</P><P>interface Management0/0</P><P> nameif management</P><P> security-level 100</P><P> ip address 10.19.10.1 255.255.248.0</P><P> management-only</P><P>!</P><P>passwd xxx</P><P>ftp mode passive</P><P>dns server-group DefaultDNS</P><P> domain-name xxx.de</P><P>access-list 100 extended permit ip any any</P><P>access-list 100 extended permit icmp any any</P><P>access-list 101 extended permit ip any any</P><P>pager lines 24</P><P>logging console debugging</P><P>logging asdm informational</P><P>logging host management 10.19.10.3</P><P>mtu inside 1500</P><P>mtu outside 1500</P><P>mtu management 1500</P><P>ip address 10.119.128.10 255.255.255.0</P><P>icmp permit any inside</P><P>icmp permit any outside</P><P>icmp permit any management</P><P>asdm image disk0:/asdm521.bin</P><P>no asdm history enable</P><P>arp timeout 14400</P><P>access-group 100 in interface inside</P><P>access-group 100 in interface outside</P><P>route management 10.19.8.0 255.255.248.0</P><P>route management 0.0.0.0 0.0.0.0 10.119.128.250 1</P><P>timeout xlate 3:00:00</P><P>timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02</P><P>timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00</P><P>timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00</P><P>timeout uauth 0:05:00 absolute</P><P>http server enable</P><P>http 10.19.0.0 255.255.0.0 inside</P><P>no snmp-server location</P><P>no snmp-server contact</P><P>snmp-server enable traps snmp authentication linkup linkdown coldstart</P><P>telnet timeout 5</P><P>ssh 10.19.0.0 255.255.0.0 management</P><P>ssh timeout 5</P><P>console timeout 0</P><P>!</P><P>class-map inspection_default</P><P> match default-inspection-traffic</P><P>class-map ips</P><P> match access-list 101</P><P>!</P><P>!</P><P>policy-map type inspect dns preset_dns_map</P><P> parameters</P><P> message-length maximum 512</P><P>policy-map global_policy</P><P> class inspection_default</P><P> inspect dns preset_dns_map</P><P> inspect ftp</P><P> inspect h323 h225</P><P> inspect h323 ras</P><P> inspect rsh</P><P> inspect rtsp</P><P> inspect esmtp</P><P> inspect sqlnet</P><P> inspect skinny</P><P> inspect sunrpc</P><P> inspect xdmcp</P><P> inspect sip</P><P> inspect netbios</P><P> inspect tftp</P><P> class ips</P><P> ips promiscuous fail-open</P><P>!</P><P>service-policy global_policy global</P><P>prompt hostname context</P><P>Cryptochecksum:xxx</P><P>: end</P><P>ciscoasa#</P><P></P><P>Can someone tell me what is happening here???</P><P></P><P>Thanks in advance!!</P><P></P><P>Regards </P><P>Bernd</P><P></P><P> </P><P></P> Mon, 11 Mar 2019 09:01:50 GMT https://community.cisco.com/t5/network-security/asa-in-transparent-mode/m-p/620654#M1035767 bprobst 2019-03-11T09:01:50Z https://community.cisco.com/t5/network-security/asa-in-transparent-mode/m-p/620655#M1035769 <HTML><HEAD></HEAD><BODY><P>Hello, </P><P></P><P>What is the source/destination of the traffic that you are having an issue with? Your diagram doesn't make it clear if the traffic would even go through the ASA if destined for the 'right side' network. </P></BODY></HTML> Wed, 29 Nov 2006 22:31:40 GMT https://community.cisco.com/t5/network-security/asa-in-transparent-mode/m-p/620655#M1035769 jgervia_2 2006-11-29T22:31:40Z https://community.cisco.com/t5/network-security/asa-in-transparent-mode/m-p/620656#M1035771 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>thanks for your answer <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P></P><P>The source network is the internal LAN (10.19.0.x/24) and the destination is a brnch office with IP network 10.19.64.x/24). The routing should be handled by the "left" Layer-3 Switch, which has a route to 10.19.64.x/24 over the "right" Layer-3 Switch. These two switches are connected with a trunk. IMHO the ASA should never see the traffic destined for this network, because the switch should route it over the trunk...</P><P></P><P>Regards</P><P>Bernd</P><P></P></BODY></HTML> Thu, 30 Nov 2006 04:44:39 GMT https://community.cisco.com/t5/network-security/asa-in-transparent-mode/m-p/620656#M1035771 bprobst 2006-11-30T04:44:39Z https://community.cisco.com/t5/network-security/asa-in-transparent-mode/m-p/620657#M1035772 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>problem is solved <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span> </P><P>There is an HSRP configuration i didn't know about <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P></P><P>Regards</P><P>Bernd </P></BODY></HTML> Thu, 30 Nov 2006 09:26:43 GMT https://community.cisco.com/t5/network-security/asa-in-transparent-mode/m-p/620657#M1035772 bprobst 2006-11-30T09:26:43Z https://community.cisco.com/t5/network-security/asa-in-transparent-mode/m-p/620658#M1035773 <HTML><HEAD></HEAD><BODY><P>Hi,Bprobst</P><P></P><P>Would you pls let me know how to allow HSRP packet cross throug ASA?</P><P>My 2 ASAs are in A/A transparent mode.</P><P></P><P>Thanks a lot</P></BODY></HTML> Mon, 19 Nov 2007 12:21:07 GMT https://community.cisco.com/t5/network-security/asa-in-transparent-mode/m-p/620658#M1035773 mtlops 2007-11-19T12:21:07Z