https://community.cisco.com/t5/network-security/asa-transparent-mode-allows-all-traffic/m-p/2797349#M165414 <P>I don't actually need ASA services in general, but I need only a possibility of ASA to filter hhtp-headers and url filtration. But anyway,</P> <P>Is it OK?</P> <P>interface GigabitEthernet0/0<BR /> nameif inside<BR /> bridge-group 1<BR /> security-level 100<BR />!<BR />interface GigabitEthernet0/1<BR /> nameif outside<BR /> bridge-group 1<BR /> security-level 0</P> <P>!</P> <P>access-list ALLOW-ANY ethertype permit any</P> <P>access-list ALLOW-ANY-IP extended permit ip any any</P> <P>!</P> <P>access-group ALLOW-ANY out interface inside<BR />access-group ALLOW-ANY-IP out interface inside</P> <P>!<BR />access-group ALLOW-ANY in interface outside<BR />access-group ALLOW-ANY-IP in interface outside</P> <P>!</P> <P>I need a piece of advice.</P> <P></P> <P>Thank you in advance.</P> Thu, 03 Dec 2015 13:35:58 GMT S.Girutskiy1 2015-12-03T13:35:58Z https://community.cisco.com/t5/network-security/asa-transparent-mode-allows-all-traffic/m-p/2797347#M165412 <P>Hello, everyone!</P> <P></P> <P>I'd like to know how I can allow any traffick to pass through ASA on transparent mode. My idea was to use the same security level on inside and outside interfaces. What do you think about it? What problems can I face?</P> <P></P> <P>Thank you!</P> <P></P> <P>P.S.</P> <P>&nbsp;ASA5585-SSP-60,&nbsp;Cisco Adaptive Security Appliance Software Version 9.1(5)21.</P> Tue, 12 Mar 2019 06:59:13 GMT https://community.cisco.com/t5/network-security/asa-transparent-mode-allows-all-traffic/m-p/2797347#M165412 S.Girutskiy1 2019-03-12T06:59:13Z https://community.cisco.com/t5/network-security/asa-transparent-mode-allows-all-traffic/m-p/2797348#M165413 <P>Is this in a production Scenario? Is your plan to apply ploicies on the traffic eventually?</P> <P>You can acieve this by adding Access rules to the traffic while still maintaining the Security levels where you want it for INSIDE and OUTSIDE traffic.</P> <P>You could do it with same security levels but you might run into some issues with traffic being inspected or not inspected through the firewall. So certain traffic may not be allowed dynamically. You&nbsp; have to configure "allow same security traffic through the firewall. This adds complexity to your config which may be difficult to undo when you decide to control traffic through your Firewall.</P> <P></P> Thu, 03 Dec 2015 12:54:33 GMT https://community.cisco.com/t5/network-security/asa-transparent-mode-allows-all-traffic/m-p/2797348#M165413 Andre Neethling 2015-12-03T12:54:33Z https://community.cisco.com/t5/network-security/asa-transparent-mode-allows-all-traffic/m-p/2797349#M165414 <P>I don't actually need ASA services in general, but I need only a possibility of ASA to filter hhtp-headers and url filtration. But anyway,</P> <P>Is it OK?</P> <P>interface GigabitEthernet0/0<BR /> nameif inside<BR /> bridge-group 1<BR /> security-level 100<BR />!<BR />interface GigabitEthernet0/1<BR /> nameif outside<BR /> bridge-group 1<BR /> security-level 0</P> <P>!</P> <P>access-list ALLOW-ANY ethertype permit any</P> <P>access-list ALLOW-ANY-IP extended permit ip any any</P> <P>!</P> <P>access-group ALLOW-ANY out interface inside<BR />access-group ALLOW-ANY-IP out interface inside</P> <P>!<BR />access-group ALLOW-ANY in interface outside<BR />access-group ALLOW-ANY-IP in interface outside</P> <P>!</P> <P>I need a piece of advice.</P> <P></P> <P>Thank you in advance.</P> Thu, 03 Dec 2015 13:35:58 GMT https://community.cisco.com/t5/network-security/asa-transparent-mode-allows-all-traffic/m-p/2797349#M165414 S.Girutskiy1 2015-12-03T13:35:58Z https://community.cisco.com/t5/network-security/asa-transparent-mode-allows-all-traffic/m-p/2797350#M165416 <P>That should work. You don't need the entries in the direction out on both interfaces. Is there any ethertype traffic you want to allow? Like cdp or other layer 2 protocols. If not then you don't need the ethertype acl.</P> Thu, 03 Dec 2015 14:19:23 GMT https://community.cisco.com/t5/network-security/asa-transparent-mode-allows-all-traffic/m-p/2797350#M165416 Andre Neethling 2015-12-03T14:19:23Z