topic ASA5520 transparent firewall in Network Security

ASA5520 transparent firewall

mroes1234 — Tue, 12 Mar 2019 01:40:10 GMT

I'm trying to configure a transparent firewall. I have been loosely following:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

my management network is 10.10.0.0 while the connection I want to firewall (g0/0 - g0/1) is 10.11.0.0/24

However, there is no way to add that 'ip address' statement to the root of the config. I have tried version 8.4 and 9.0 of the ASA software.

Below is my config, it will not pass traffic:

# sr

: Saved

ASA Version 8.4(6)

command-alias exec sr show run

firewall transparent

hostname guestfw

enable password 2AUevpoV6wPBdTtM encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface GigabitEthernet0/0

nameif inside

security-level 100

interface GigabitEthernet0/1

nameif outside

security-level 0

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

interface Management0/0

nameif management

security-level 0

ip address 10.10.2.61 255.255.254.0

management-only

boot system disk0:/asa846-k8.bin

ftp mode passive

access-list outside ethertype permit any

pager lines 24

logging enable

logging console informational

logging buffered debugging

mtu inside 1500

mtu outside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

icmp permit any management

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

route management 10.10.0.0 255.255.0.0 10.10.3.254 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh 10.10.0.0 255.255.0.0 management

ssh timeout 30

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username mus3 password NKpF6OSnjbuhpso1 encrypted

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:86a0046a15a88d923dd4cf89da61cef3

: end

Re: ASA5520 transparent firewall

Jouni Forss — Tue, 07 May 2013 18:45:13 GMT

Hi,

I think you used to configure the "ip address" configuration in the global configuration mode in for example 8.2 software level.

In the later software levels you are using, you will have to configure a BVI interface

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/i3.html#wp1931025

Before this, I think you need to assing the physical interfaces in "bridge-group"

http://www.cisco.com/en/US/docs/security/asa/asa84/command/reference/b.html#wp1373280

Hope this helps

Rememer to mark the reply as the correct answer if it did answer your question and/or rate helpfull answers

- Jouni

ASA5520 transparent firewall

Jouni Forss — Tue, 07 May 2013 18:46:58 GMT

Also,

The configuration guide should have more information related to the Transparent mode interface configurations

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html

- Jouni

Re: ASA5520 transparent firewall

mroes1234 — Tue, 07 May 2013 18:50:19 GMT

I have looked at that too. I tried setting bridge groups and a BVI like so (no change):

# sr

: Saved

ASA Version 8.4(6)

command-alias exec sr show run

firewall transparent

hostname guestfw

enable password 2AUevpoV6wPBdTtM encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface GigabitEthernet0/0

nameif inside

bridge-group 1

security-level 100

interface GigabitEthernet0/1

nameif outside

bridge-group 1

security-level 0

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

interface Management0/0

nameif management

security-level 0

ip address 10.10.2.61 255.255.254.0

management-only

interface BVI1

ip address 10.12.2.61 255.255.254.0

interface BVI10

no ip address

boot system disk0:/asa846-k8.bin

ftp mode passive

access-list outside ethertype permit any

pager lines 24

logging enable

logging console informational

logging buffered debugging

mtu inside 1500

mtu outside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

icmp permit any management

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

route management 10.10.0.0 255.255.0.0 128.180.3.254 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh 10.10.0.0 255.255.0.0 management

ssh timeout 30

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username mroes1234 password ***************** encrypted

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:f66af66c0053c0beecfbd5e6ae604f11

: end

ASA5520 transparent firewall

Jouni Forss — Tue, 07 May 2013 19:01:12 GMT

Hi,

What are you using for testing? ICMP?

If yes, then try to add the commands

fixup protocol icmp

fixup protocol icmp error

To enable ICMP inspection on the ASA

Also check the MAC address table of the ASA

show mac-address-table

And check if there there is any MAC addresses that the ASA had learned

- Jouni

Re: ASA5520 transparent firewall

mroes1234 — Tue, 07 May 2013 19:21:03 GMT

the only entry in the mac address table is the host directly connected to the inside interface.

ASA5520 transparent firewall

Jouni Forss — Tue, 07 May 2013 19:24:26 GMT

Hi,

Can you remove the IP address from the "management" interface. Its the same as the BVI interface.

Also add the above ICMP related configurations and try to ping some host on the same network as the test host and see if that works.

If that works then try to reach some remote network.

- Jouni

Re: ASA5520 transparent firewall

mroes1234 — Tue, 07 May 2013 19:56:22 GMT

Turns out, for some reason, the BVI interface needs to be on the same subnet that the FW is firewalling. The logic behind this eludes me.

ASA5520 transparent firewall

Jouni Forss — Tue, 07 May 2013 20:08:13 GMT

Hi,

I dont have that much expirience with the Transparent firewalls as I have not had the need to configure them in any customer environment.

To my understanding you can configure several bridge-groups on the firewall for each segment.

And the management/BVI IP address has to be on the same subnet as the connected segment. Otherwise the device wouldnt really be able to be managed remotely or it wouldnt be able to forward any from the box/to the box traffic.

In the same way when you have several L2 switches. You have one Vlan ID and interface per Switch usually and all configured with a separate IP address from the subnet so you can manage the device and the device knows where to forward traffic from the actual box.

The ASA also requires the IP address from the same network to be able to determine where to forward the traffic.

- Jouni

ASA5520 transparent firewall

mroes1234 — Tue, 07 May 2013 20:11:41 GMT

To your first point, there is no reason to have the *management* of the device on the subnet being firewalled. It makes more sense to have the management interface on the management network.

As far as your second point, the point of a layer-2 firewall is that it doesn't need to *know* where to forward traffic as it is a dumb bridge.

While I recognize the need to have this BVI on the same network as the traffic being bridged, these are not sufficient reasons to support this need.

ASA5520 transparent firewall

Jouni Forss — Tue, 07 May 2013 20:19:15 GMT

Hi,

The ASA configuration guide says the following

The ASA learns and builds a MAC address table in a similar way as a normal bridge or switch: when a device sends a packet through the ASA, the ASA adds the MAC address to its table. The table associates the MAC address with the source interface so that the ASA knows to send any packets addressed to the device out the correct interface.

Because the ASA is a firewall, if the destination MAC address of a packet is not in the table, the ASA does not flood the original packet on all interfaces as a normal bridge does. Instead, it generates the following packets for directly connected devices or for remote devices:

•Packets for directly connected devices—The ASA generates an ARP request for the destination IP address, so that the ASA can learn which interface receives the ARP response.

•Packets for remote devices—The ASA generates a ping to the destination IP address so that the ASA can learn which interface receives the ping reply.

- Jouni