topic Re: Cisco ASA5508-X Transparency Mode Won't Work in Network Security

Cisco ASA5508-X Transparency Mode Won't Work

CAPrince — Sun, 28 Apr 2024 19:39:03 GMT

I have been trying to set up ASA5508-X in transparency mode for a few months. I want to use transparency mode so I can drop it in an existing network. I get frustrated and put it aside for a while; let me head clear and try again. Transparency mode does not seem complicated. I have it in transparency mode, ASDM 7.8 is working, SSH working and I can get in with a console cable. My problem is the ASA doesn’t pass anything. On my lab network I have a laptop (192.168.2.20), a WAP (192.168.2.5), the ASA (192.168.2.252) and a 2951 router (192.168.2.1). From the laptop I can ping the WAP and ASA. From the ASA I can ping the router, WAP and laptop. From the router I can ping only the ASA. The ASA is ver 9.8.

The code is below. Most of the code was auto generated when I put it in transparent mode. I addes lines to make the ASDM , SSH, log server, time, generally the simple stuff.
!
firewall transparent
hostname xxxxxxx-5508-ASA1
domain-name xxxxxxx.com
enable password xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
names

!
interface GigabitEthernet1/1
bridge-group 1
nameif outside
security-level 0
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside
security-level 100
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
!
interface BVI1
ip address 192.168.2.252 255.255.255.0
!
ftp mode passive
clock timezone cst -6
clock summer-time cst recurring 1 Sun Apr 2:00 last Sun Oct 2:00
dns server-group DefaultDNS
domain-name xxxxxxxxx
pager lines 24
logging enable
logging buffered debugging
logging trap notifications
logging asdm informational
logging host inside 192.168.2.8
mtu outside 1500
mtu inside 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 192.168.2.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 30
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics
threat-detection statistics tcp-intercept rate-interval 30 burst-rate 400 average-rate 200
ntp server 192.168.2.1
dynamic-access-policy-record DfltAccessPolicy
username xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class class-default
user-statistics accounting
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
hpm topN enable
Cryptochecksum:04d76864cd8f8a9701781ee6609fd6d6
: end

Just really stumped on this. Everything I have read has been simple. Set up outside port, setup inside port, bridge them and assign an IP to the bridge. From what I have read it is supposed to just work.

Re: Cisco ASA5508-X Transparency Mode Won't Work

johnd2310 — Mon, 29 Apr 2024 02:14:11 GMT

HI,

I am guessing the router is connected to the outside interface and the rest of the devices are connected to the inside interface.The ASA will allow traffic from the high security interface(100) to the low security interface(0) by default. For traffic to flow from the low security interface(0) to the high security interface(100), you need to configure an access-list to allow the traffic.

Configure an access list on your outside interface to allow traffic from the router to hit the devices on the inside.

Thanks

John

Re: Cisco ASA5508-X Transparency Mode Won't Work

MHM Cisco World — Mon, 29 Apr 2024 07:59:09 GMT

MHM

Re: Cisco ASA5508-X Transparency Mode Won't Work

Rob Ingram — Mon, 29 Apr 2024 07:23:52 GMT

@CAPrince I agree with @johnd2310 you will still need an Access Control List to explictly permit the traffic on the low security interface.

https://www.cisco.com/c/en/us/td/docs/security/asa/asa920/configuration/general/asa-920-general-config/intro-fw.html

https://integratingit.wordpress.com/2021/05/30/asa-transparent-mode/

Re: Cisco ASA5508-X Transparency Mode Won't Work

MHM Cisco World — Mon, 29 Apr 2024 07:58:43 GMT

I have little free time so I will give you some point to check

You have four device' and you config two port in ASA?

If the device connect to other port in ASA and use same bridge group then you need nameif for this port and secuirty level.

Now traffic from to with secuirty level

Transparent mode like router mode deal with secuity level port.

If the traffic from high to low no need ACL

If the traffic from low to high you sure need ACL

If the traffic inbetween device in same secuirty level then you need to run

Same sectuity intra/inter interface

Thanks

MHM

Re: Cisco ASA5508-X Transparency Mode Won't Work

CAPrince — Mon, 29 Apr 2024 16:52:02 GMT

@johnd2310 Yes; outside goes to the router, inside go to the rest. @MHM Cisco World For the test described above I have a 3750G switch utilizing VLAN 20 to power the WAP. to connect the laptop and ASA. The laptop has a static IP as I don't have a DHCP server on this network. I thought the VLAN might be creating issues so I took out the switch.

@Rob Ingram I will review all this in better detail shortly.

Re: Cisco ASA5508-X Transparency Mode Won't Work

MHM Cisco World — Mon, 29 Apr 2024 16:53:46 GMT

Sorry this PKT lab?

MHM

Re: Cisco ASA5508-X Transparency Mode Won't Work

CAPrince — Mon, 29 Apr 2024 21:08:52 GMT

Yes, I was using it draw out the network. I could have used Visio.

Re: Cisco ASA5508-X Transparency Mode Won't Work

MHM Cisco World — Wed, 01 May 2024 08:03:36 GMT

Just for draw it not Lab?

If Yes, then any connection to router is not in same subnet and this break the transparency of ASA

MHM