topic I haven't found a solution in Network Security

Transparent ASA between Client and its default Gateway

mo shea — Tue, 12 Mar 2019 06:45:00 GMT

Hello,

I am testing a 5520 ASA running 7.2(2) in Transparent mode. I have connected one PC to the inside (security 100) of the ASA, and connected the layer 3 device (non Cisco), which is the default Gateway of this PC, to the outside (security 0) of the ASA. A server is directly connected to the Layer 3 device. All the above are in the same vlan.

PC ---> (inside) ASA (outside) ---> L3 Gateway ---> Server

I have created two ACLs for the inside and outside interfaces permitting icmp and all IP for test sake.

The problem is that I cannot ping the Server or the L3 gateway from the PC. If I remove the ASA and connect PC directly then everything works fine. Once I reconnect the ASA there will be several Ping replies then I receive destination unreachable, although everything is in a single VLAN.

Is the ASA interfering with broadcast traffic between the PC and its Gateway, although Transparent mode should allow this? I have tried to add icmp inspect and also removed all inspection policies but still no result.

All help is appreciated.

Hi Mo, In transparent mode of

Rajneesh Dhiman — Wed, 14 Oct 2015 16:04:01 GMT

Hi Mo,

In transparent mode of Firewall, you needs to create 2 Vlans (1 for Inside and 1 for outside). Then create bridge group of the vlans (in/out).

Example: Configuration on Inside/outside interfaces:

interface GigabitEthernet0/0

    vlan 10
    nameif inside
    bridge-group 1
    security-level 100

interface GigabitEthernet0/1

    vlan 20
    nameif outside
    bridge-group 1
    security-level 0

Now please configure "BVI" interface in Firewall with one IP from the same IP Subnet for which you want to pass traffic through firewall:

interface BVI1

ip address 192.168.10.9 255.255.255.0 standby 192.168.10.10 (any free IP can be assigned from subnet)

Your layer 3 device should have same "interface Vlan" number as of Firewall Outside Inetrface vlan number (vlan 20 in this example).

Now, please allow interested traffic on ouside Interface via access-list. This will allow traffic through transparent firewall.

Hope this helps !!

Regards

Rajneesh

Thanks Rajneesh for the

mo shea — Wed, 14 Oct 2015 16:12:44 GMT

Thanks Rajneesh for the explanation.

Is the brdige-group required for ASA running 7.2(2) code, I thought this was introduced for 8.4 and later.

Regards,

Moe

Hi Moe,Sorry. You are right.

Rajneesh Dhiman — Wed, 14 Oct 2015 16:40:12 GMT

Hi Moe,

Sorry. You are right. Bridge group feature support on higher version. Please go through below link, this may help.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/fwmode.html#wp1201980

Regards

Rajneesh

I haven't found a solution

mo shea — Thu, 15 Oct 2015 02:17:48 GMT

I haven't found a solution yet. I thought it should be pretty straightforward. Is any static route required or perhaps some bug in 7.2(2) code ??

can you show the ACL you have

Andre Neethling — Thu, 15 Oct 2015 04:08:40 GMT

can you show the ACL you have on both interfaces? Have you tried to connect to the server with any other protocol besides ICMP? Did you check your log to see why the traffic is not allowed?