Cisco ASA: transparent mode / bridge group / DHCP traffic blocked

tom.fransen — Fri, 22 Oct 2021 12:30:30 GMT

Hi,

I am stuck trying to get the following setup to work on an ASA5506 running in transparent mode.

We use this setup to filter some traffic between our device and the corporate network.

We use the ASA5506 (running firmware 9.14) in the following setup:

- Port 1: outside zone (Corporate network)

- Port 2: inside zone

- Port 3: inside2 zone

Goal:

- We want to apply some simple filtering rules to the traffic that comes into and goes out of the outside zone.

- Devices connected to port 2 and 3 can communicate without any restriction (no rules)

- The DHCP server is located on the outside zone so DHCP should be allowed.

Problem: The firewall however not allow the DHCP traffic to pass from port 1 to port 2 and 3

The logging shows:

Oct 22 2021 13:13:35: %ASA-7-710005: UDP request discarded from 0.0.0.0/68 to inside:255.255.255.255/67

Questions:

1. Why is the DHCP traffic blocked?

2. Can I have 3 ports that are part of the same BVI or is there another way to get the required functionality?

Regard,

Here is part of the configuration:

firewall transparent

interface BVI1
 ip address 192.168.0.1 255.255.255.0
 ipv6 enable

interface GigabitEthernet1/1
nameif outside
bridge-group 1
security-level 0
no shutdown
! 
interface GigabitEthernet1/2
nameif inside
bridge-group 1
security-level 100
no shutdown
!
interface GigabitEthernet1/3
nameif inside2
bridge-group 1
security-level 100
no shutdown

....
....
clear configure access-list
!
access-list outside_access_in extended permit ip any any log disable 
access-list outside_access_in extended permit object-group SERVICES_ICMPV4 any any log disable 
access-list outside_access_in extended permit object-group SERVICES_ICMPV6 any any log disable 
!
!==============================================================================
! Access List Configuration: inside to outside
!==============================================================================
access-list inside_access_out extended permit ip any any log disable 
access-list inside_access_out extended permit object-group SERVICES_ICMPV4 any any log disable 
access-list inside_access_out extended permit object-group SERVICES_ICMPV6 any any log disable 
!
access-group outside_access_in in interface outside
access-group inside_access_out out interface outside
same-security-traffic permit inter-interface 

arp permit-nonconnected

Re: Cisco ASA: transparent mode / bridge group / DHCP traffic blocked

balaji.bandi — Fri, 22 Oct 2021 16:27:20 GMT

where is the DHCP Server - add below rule and test it

access-list XXXXXXXXXXXX extended permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps (XXXXX direction in or out)

topic Cisco ASA: transparent mode / bridge group / DHCP traffic blocked in Network Security

Cisco ASA: transparent mode / bridge group / DHCP traffic blocked

Re: Cisco ASA: transparent mode / bridge group / DHCP traffic blocked