ASA 5506-X Transparent mode dropping ARP replies

derekmccabe — Tue, 12 Mar 2019 07:17:24 GMT

Hi There,

I'm trying to configure a Cisco 5506-X running 9.5(2) as a transparent firewall in a lab:

The subnet is 10.1.50.0/24

My client PC (10.1.50.2/24) is on vlan 50

My upstream router (10.1.50.1/24) is the default gateway for the subnet on vlan 2050

The BVI is 10.1.50.100

My upstream router has an internet connection with nat-overload on internet interface

From my client PC (10.1.50.2/24) i can ping my default gateway (upstream router 10.1.50.1/24) through the transparent firewall without issue

However when I try to ping out to the internet (8.8.8.8) I get no response back

When I put my Client PC (10.1.50.2/24) and upstream router (10.1.50.1/24)on the same vlan 2050 I get echo replies from 8.8.8.8

I ran some captures on the inside and outside interfaces of the ASA - When I ping 8.8.8.8 from the Client PC I can see ARP requests for 8.8.8.8 on the inside interface but no replies:

ciscoasa# cap caparp ethernet-type arp int inside-50 re

Warning: using this option with a slow console connection may
         result in an excessive amount of non-displayed packets
         due to performance limitations.

Use ctrl-c to terminate real-time capture

   1: 07:39:51.702386       802.1Q vlan#50 P0 arp who-has 10.1.50.1 (d0:57:4c:e1:38:4f) tell 10.1.50.2
   2: 07:39:51.704156       802.1Q vlan#50 P0 arp reply 10.1.50.1 is-at d0:57:4c:e1:38:4f
   3: 07:39:59.658123       802.1Q vlan#50 P0 arp who-has 8.8.8.8 tell 10.1.50.2
   4: 07:40:00.202641       802.1Q vlan#50 P0 arp who-has 8.8.8.8 tell 10.1.50.2
   5: 07:40:01.202717       802.1Q vlan#50 P0 arp who-has 8.8.8.8 tell 10.1.50.2
   6: 07:40:02.205571       802.1Q vlan#50 P0 arp who-has 8.8.8.8 tell 10.1.50.2
   7: 07:40:03.202870       802.1Q vlan#50 P0 arp who-has 8.8.8.8 tell 10.1.50.2
   8: 07:40:04.202900       802.1Q vlan#50 P0 arp who-has 8.8.8.8 tell 10.1.50.2
   9: 07:40:05.205510       802.1Q vlan#50 P0 arp who-has 8.8.8.8 tell 10.1.50.2
10: 07:40:06.202977       802.1Q vlan#50 P0 arp who-has 8.8.8.8 tell 10.1.50.2
11: 07:40:07.203053       802.1Q vlan#50 P0 arp who-has 8.8.8.8 tell 10.1.50.2
12: 07:40:08.205693       802.1Q vlan#50 P0 arp who-has 8.8.8.8 tell 10.1.50.2
13: 07:40:09.203129       802.1Q vlan#50 P0 arp who-has 8.8.8.8 tell 10.1.50.2
14: 07:40:10.203190       802.1Q vlan#50 P0 arp who-has 8.8.8.8 tell 10.1.50.2
15: 07:40:11.205769       802.1Q vlan#50 P0 arp who-has 8.8.8.8 tell 10.1.50.2
16: 07:40:12.203267       802.1Q vlan#50 P0 arp who-has 8.8.8.8 tell 10.1.50.2
17: 07:40:13.203343       802.1Q vlan#50 P0 arp who-has 8.8.8.8 tell 10.1.50.2
18: 07:40:14.205998       802.1Q vlan#50 P0 arp who-has 8.8.8.8 tell 10.1.50.2
19: 07:40:15.203511       802.1Q vlan#50 P0 arp who-has 8.8.8.8 tell 10.1.50.2
20: 07:40:16.203480       802.1Q vlan#50 P0 arp who-has 8.8.8.8 tell 10.1.50.2
21: 07:40:17.206288       802.1Q vlan#50 P0 arp who-has 8.8.8.8 tell 10.1.50.2
22: 07:40:18.203602       802.1Q vlan#50 P0 arp who-has 8.8.8.8 tell 10.1.50.2
23: 07:40:19.203694       802.1Q vlan#50 P0 arp who-has 8.8.8.8 tell 10.1.50.2
23 packets shown.
0 packets not shown due to performance limitations.

However on the outside interface I can see ARP requests for 8.8.8.8 from the Clint PC and replies back from my upstream router (10.1.50.1/24 - d0:57:4c:e1:38:4f ) leading me to believe that the firewall is blocking the ARP replies:

ciscoasa# cap caparp ethernet-type arp int outside-50 re

Warning: using this option with a slow console connection may
         result in an excessive amount of non-displayed packets
         due to performance limitations.

Use ctrl-c to terminate real-time capture

   1: 07:40:45.174292       802.1Q vlan#2050 P0 arp who-has 8.8.8.8 tell 10.1.50.2
   2: 07:40:45.174978       802.1Q vlan#2050 P0 arp reply 8.8.8.8 is-at d0:57:4c:e1:38:4f
   3: 07:40:45.710671       802.1Q vlan#2050 P0 arp who-has 8.8.8.8 tell 10.1.50.2
   4: 07:40:45.711343       802.1Q vlan#2050 P0 arp reply 8.8.8.8 is-at d0:57:4c:e1:38:4f
   5: 07:40:46.710824       802.1Q vlan#2050 P0 arp who-has 8.8.8.8 tell 10.1.50.2
   6: 07:40:46.711511       802.1Q vlan#2050 P0 arp reply 8.8.8.8 is-at d0:57:4c:e1:38:4f
   7: 07:40:47.714669       802.1Q vlan#2050 P0 arp who-has 8.8.8.8 tell 10.1.50.2
   8: 07:40:47.715340       802.1Q vlan#2050 P0 arp reply 8.8.8.8 is-at d0:57:4c:e1:38:4f
   9: 07:40:48.710824       802.1Q vlan#2050 P0 arp who-has 8.8.8.8 tell 10.1.50.2
10: 07:40:48.711450       802.1Q vlan#2050 P0 arp reply 8.8.8.8 is-at d0:57:4c:e1:38:4f
11: 07:40:49.710900       802.1Q vlan#2050 P0 arp who-has 8.8.8.8 tell 10.1.50.2
12: 07:40:49.711572       802.1Q vlan#2050 P0 arp reply 8.8.8.8 is-at d0:57:4c:e1:38:4f
13: 07:40:50.713570       802.1Q vlan#2050 P0 arp who-has 8.8.8.8 tell 10.1.50.2
14: 07:40:50.714288       802.1Q vlan#2050 P0 arp reply 8.8.8.8 is-at d0:57:4c:e1:38:4f
15: 07:40:51.710992       802.1Q vlan#2050 P0 arp who-has 8.8.8.8 tell 10.1.50.2
16: 07:40:51.711724       802.1Q vlan#2050 P0 arp reply 8.8.8.8 is-at d0:57:4c:e1:38:4f
17: 07:40:52.711053       802.1Q vlan#2050 P0 arp who-has 8.8.8.8 tell 10.1.50.2
18: 07:40:52.711755       802.1Q vlan#2050 P0 arp reply 8.8.8.8 is-at d0:57:4c:e1:38:4f
19: 07:40:53.713677       802.1Q vlan#2050 P0 arp who-has 8.8.8.8 tell 10.1.50.2
20: 07:40:53.714333       802.1Q vlan#2050 P0 arp reply 8.8.8.8 is-at d0:57:4c:e1:38:4f
21: 07:40:54.711129       802.1Q vlan#2050 P0 arp who-has 8.8.8.8 tell 10.1.50.2
22: 07:40:54.711800       802.1Q vlan#2050 P0 arp reply 8.8.8.8 is-at d0:57:4c:e1:38:4f
23: 07:40:55.711190       802.1Q vlan#2050 P0 arp who-has 8.8.8.8 tell 10.1.50.2
24: 07:40:55.711892       802.1Q vlan#2050 P0 arp reply 8.8.8.8 is-at d0:57:4c:e1:38:4f
25: 07:40:56.713860       802.1Q vlan#2050 P0 arp who-has 8.8.8.8 tell 10.1.50.2
26: 07:40:56.714593       802.1Q vlan#2050 P0 arp reply 8.8.8.8 is-at d0:57:4c:e1:38:4f
27: 07:40:57.711343       802.1Q vlan#2050 P0 arp who-has 8.8.8.8 tell 10.1.50.2
28: 07:40:57.711984       802.1Q vlan#2050 P0 arp reply 8.8.8.8 is-at d0:57:4c:e1:38:4f
29: 07:40:58.711388       802.1Q vlan#2050 P0 arp who-has 8.8.8.8 tell 10.1.50.2
30: 07:40:58.713891       802.1Q vlan#2050 P0 arp reply 8.8.8.8 is-at d0:57:4c:e1:38:4f
31: 07:40:59.714028       802.1Q vlan#2050 P0 arp who-has 8.8.8.8 tell 10.1.50.2
32: 07:40:59.716408       802.1Q vlan#2050 P0 arp reply 8.8.8.8 is-at d0:57:4c:e1:38:4f
33: 07:41:00.711465       802.1Q vlan#2050 P0 arp who-has 8.8.8.8 tell 10.1.50.2
34: 07:41:00.715462       802.1Q vlan#2050 P0 arp reply 8.8.8.8 is-at d0:57:4c:e1:38:4f
35: 07:41:01.711572       802.1Q vlan#2050 P0 arp who-has 8.8.8.8 tell 10.1.50.2
36: 07:41:01.712197       802.1Q vlan#2050 P0 arp reply 8.8.8.8 is-at d0:57:4c:e1:38:4f
37: 07:41:02.714135       802.1Q vlan#2050 P0 arp who-has 8.8.8.8 tell 10.1.50.2
38: 07:41:02.715249       802.1Q vlan#2050 P0 arp reply 8.8.8.8 is-at d0:57:4c:e1:38:4f
39: 07:41:03.711663       802.1Q vlan#2050 P0 arp who-has 8.8.8.8 tell 10.1.50.2
40: 07:41:03.712319       802.1Q vlan#2050 P0 arp reply 8.8.8.8 is-at d0:57:4c:e1:38:4f
40 packets shown.
0 packets not shown due to performance limitations.

Here is the running config - it couldn't be more basic, has anyone had this issue before and could you please advise on the solution?

ciscoasa# sho run
: Saved

:
: Serial Number: JAD200406OG
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(2)
!
firewall transparent
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface GigabitEthernet1/1
no nameif
no security-level
!
interface GigabitEthernet1/1.50
vlan 50
nameif inside-50
bridge-group 1
security-level 0
!
interface GigabitEthernet1/1.100
vlan 100
nameif inside-100
bridge-group 2
security-level 0
!
interface GigabitEthernet1/2
no nameif
no security-level
!
interface GigabitEthernet1/2.200
vlan 200
nameif outside-100
bridge-group 2
security-level 100
!
interface GigabitEthernet1/2.2050
vlan 2050
nameif outside-50
bridge-group 1
security-level 100
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
!
interface Management1/1
management-only
shutdown
no nameif
no security-level
ip address 20.20.20.100 255.255.255.0
!
interface BVI1
ip address 10.1.50.100 255.255.255.0
!
interface BVI2
ip address 10.1.100.100 255.255.255.0
!
ftp mode passive
access-list inside-50 extended permit ip any any log
access-list inside-100 extended permit ip any any log
pager lines 24
logging enable
logging buffered debugging
mtu inside-50 1500
mtu inside-100 1500
mtu outside-100 1500
mtu outside-50 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp inside-50 8.8.8.8 d057.4ce1.384f
arp timeout 14400
no arp permit-nonconnected
access-group inside-50 in interface inside-50
access-group inside-100 in interface inside-100
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
mac-address-table static inside-50 d057.4ce1.384f
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:9d7e1c52a0993c5552b76dc666e0ae15
: end
ciscoasa#

You are missing a default

Marius Gunnerud — Sat, 13 Feb 2016 21:47:44 GMT

You are missing the following command:

same-security-traffic permit inter-interface

same-security-traffic permit intra-interface

Please remember to select a correct answer and rate helpful posts

posts

Or more accurately you are

Marius Gunnerud — Sat, 13 Feb 2016 21:49:09 GMT

Or more accurately you are missing

same-security-traffic permit inter-interface

for traffic flowing between interface with the same security level

Please remember to select a correct answer and rate helpful posts

Thanks for your response

derekmccabe — Sun, 14 Feb 2016 07:54:54 GMT

Thanks for your response Marius,

could you you explain why this is required when my inside interface for each bridge-group is security-level 0 and outside interface is security-level 100 please?

Sorry I read the config too

Marius Gunnerud — Sun, 14 Feb 2016 22:51:45 GMT

Sorry I read the config too fast and saw the 50 on the interface name instead. In that case your configuration looks correct. I will try to recreate the issue in my lab and let you know what I find. It will not be exact as I do not have a 5506 to test on.

Please remember to select a correct answer and rate helpful posts

That would be great Marius,

derekmccabe — Mon, 15 Feb 2016 07:30:48 GMT

That would be great Marius,

I look forward to hearing about your results as I have been able to find a workaround for this issue as yet

I am sorry to say that I have

Marius Gunnerud — Mon, 15 Feb 2016 22:46:33 GMT

I am sorry to say that I have not been able to reproduce the issue. I copied your configuration with the exception of one command:

arp inside-50 8.8.8.8 d057.4ce1.384f

I assume you added this to see if a static arp entry would help. But my pings were always successful.

have you tried reloading the ASA?

Please remember to select a correct answer and rate helpful posts

Hi Marius,

derekmccabe — Tue, 16 Feb 2016 07:53:27 GMT

Hi Marius,

Yes i have reloaded the device numerous times - i've given up on this one now

Many thanks for all of your time and effort I greatly appreciate it

Hi! I am currently having the

Stanislav Itkind — Mon, 15 May 2017 22:16:47 GMT

Hi! I am currently having the same problem with the same release. How had you solved it? if you had...

topic Or more accurately you are in Network Security

ASA 5506-X Transparent mode dropping ARP replies

You are missing a default

Or more accurately you are

Thanks for your response

Sorry I read the config too

That would be great Marius,

I am sorry to say that I have

Hi Marius,

Hi! I am currently having the