asa 5505 transparent mode dosnt pass traffic

Tagir Temirgaliyev — Tue, 12 Mar 2019 00:33:19 GMT

Hi all,

need help

asa 5505 do not pass traffic as a patch cord, how to make it pass traffic?

ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(5)

Device Manager Version 6.4(5)

Compiled on Fri 20-May-11 16:00 by builders

System image file is "disk0:/asa825-k8.bin"

Config file at boot was "startup-config"

ciscoasa up 55 mins 31 secs

Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz

Internal ATA Compact Flash, 128MB

BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)

Boot microcode : CN1000-MC-BOOT-2.00

SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03

IPSec microcode : CNlite-MC-IPSECm-MAIN-2.05

0: Int: Internal-Data0/0 : address is e4d3.f193.9486, irq 11

1: Ext: Ethernet0/0 : address is e4d3.f193.947e, irq 255

2: Ext: Ethernet0/1 : address is e4d3.f193.947f, irq 255

3: Ext: Ethernet0/2 : address is e4d3.f193.9480, irq 255

4: Ext: Ethernet0/3 : address is e4d3.f193.9481, irq 255

5: Ext: Ethernet0/4 : address is e4d3.f193.9482, irq 255

6: Ext: Ethernet0/5 : address is e4d3.f193.9483, irq 255

7: Ext: Ethernet0/6 : address is e4d3.f193.9484, irq 255

8: Ext: Ethernet0/7 : address is e4d3.f193.9485, irq 255

9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255

10: Int: Not used : irq 255

11: Int: Not used : irq 255

Licensed features for this platform:

Maximum Physical Interfaces : 8

VLANs : 3, DMZ Restricted

Inside Hosts : 10

Failover : Disabled

VPN-DES : Enabled

VPN-3DES-AES : Enabled

SSL VPN Peers : 2

Total VPN Peers : 10

Dual ISPs : Disabled

VLAN Trunk Ports : 0

Shared License : Disabled

AnyConnect for Mobile : Disabled

AnyConnect for Cisco VPN Phone : Disabled

AnyConnect Essentials : Disabled

Advanced Endpoint Assessment : Disabled

UC Phone Proxy Sessions : 2

Total UC Proxy Sessions : 2

Botnet Traffic Filter : Disabled

This platform has a Base license.

Configuration register is 0x1

Configuration last modified by enable_15 at 20:34:47.689 UTC Wed Dec 5 2012

ciscoasa#

ciscoasa# sh run

: Saved

ASA Version 8.2(5)

firewall transparent

hostname ciscoasa

enable password 8eeGnt0NEFObbH6U encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

interface Ethernet0/0

switchport access vlan 2

interface Ethernet0/1

interface Ethernet0/2

shutdown

interface Ethernet0/3

shutdown

interface Ethernet0/4

shutdown

interface Ethernet0/5

shutdown

interface Ethernet0/6

shutdown

interface Ethernet0/7

shutdown

interface Vlan1

nameif inside

security-level 100

interface Vlan2

nameif outside

security-level 0

ftp mode passive

access-list outs_in extended permit ip any any

access-list outs_in extended permit icmp any any

pager lines 24

mtu inside 1500

mtu outside 1500

no ip address

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

access-group outs_in in interface inside

access-group outs_in in interface outside

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet timeout 5

ssh timeout 5

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:234e9b9c6c9c941a89e37011325b6d5e

: end

ciscoasa#

ciscoasa# sh access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

alert-interval 300

access-list outs_in; 2 elements; name hash: 0xd6c65ba5

access-list outs_in line 1 extended permit ip any any (hitcnt=0) 0x7d210842

access-list outs_in line 2 extended permit icmp any any (hitcnt=0) 0x5532fcc5

ciscoasa#

Re: asa 5505 transparent mode dosnt pass traffic

Tagir Temirgaliyev — Thu, 06 Dec 2012 04:45:49 GMT

solved

ciscoasa(config)# ip address 192.168.175.1 255.255.255.0

without ip address configured it dosnt work

now it works

ciscoasa# sh access-list

access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)

alert-interval 300

access-list outs_in; 2 elements; name hash: 0xd6c65ba5

access-list outs_in line 1 extended permit ip any any (hitcnt=16) 0x7d210842

access-list outs_in line 2 extended permit icmp any any (hitcnt=0) 0x5532fcc5

access-list ins_in; 1 elements; name hash: 0xd9482c1b

access-list ins_in line 1 extended permit ip any any (hitcnt=37) 0xc1d2e7b7

Re: asa 5505 transparent mode dosnt pass traffic

Julio Carvajal — Thu, 06 Dec 2012 05:12:34 GMT

Hello,

Exactly... Good to know it is working now.

Do you know why it needs the IP address ( as a transparent firewall)???

The ASA will act as a layer 2 device right, transparent to the network but what happens when the ASA does not know about a particular destination mac-address.. What would be the source ip address of that packet??? The ASA's Ip address. So that is the main reason why we need that.

We also use it for managment traffic to the box and for AAA services ( if authentication is used the ASA will send the AAA authentication request to the server) with this source IP address.

Please mark the question as answered, so future users can learn from this

Julio Carvajal

Costa Rica

topic Re: asa 5505 transparent mode dosnt pass traffic in Network Security

asa 5505 transparent mode dosnt pass traffic

Re: asa 5505 transparent mode dosnt pass traffic

Re: asa 5505 transparent mode dosnt pass traffic