03-03-2017 12:24 PM - edited 03-12-2019 02:00 AM
I'm trying to deal with the awful 5506-X firewall (and 5506H version). We brought them up to code version 9.7.1 and I tested with multiple devices and was able to reach the gateway (interface BVI1) from any device plugged into a port in the bridge group. Unfortunately, I forgot to test getting from the bridge group to the outside. I tried putting one in production and it didn't work. I got a message stating "unable to locate egress interface" while pinging, and no traffic at all would get from the outside interface to the inside. The firewall itself couldn't even ping a device on a port in the bridge group. I wasn't able to test FROM the device, as it is an industrial control device and has no user interface.
Here's some of the config used:
interface bvi1
description SCADA
nameif SCADA
security-level 0
ip address 10.xxx.5.1 255.255.255.0
no shut
!
interface GigabitEthernet1/1
description TO CORE SWITCH
nameif BUSINESS
security-level 100
ip address 10.xxx.2.245 255.255.255.248
no shut
!
interface GigabitEthernet1/2
description SCADA
no nameif
security-level 0
bridge-group 1
no shut
!
route BUSINESS 0.0.0.0 0.0.0.0 10.xxx.2.241
!
(^ The switch is an L3 3560CG with an SVI addressed as 10.xxx.2.241 255.255.255.248 and ip route 10.xxx.5.0 255.255.255.0 10.xxx.2.245, EIGRP running with redistribute static)
access-list BUSINESS_IN extended permit ip any any log
access-list BUSINESS_IN extended permit icmp any any log
access-list SCADA_IN extended permit ip any any log
access-list SCADA_IN extended permit icmp any any log
access-group BUSINESS_IN in interface BUSINESS
access-group SCADA_IN in interface SCADA
----------------------------------------------------------------------------
This is a testing period before implementing rules, so we're just allowing everything for now.
When I remove the bridge group setup and just put the config from BVI1 on Gig1/2 instead, everything works fine when a single node or a switch is plugged into Gig1/2.
I have 10+ small sites that need this config on the 5506 and am under major pressure to get them going like yesterday. Any suggestions?
03-10-2017 08:33 AM
I got it figured out, and it is a mess. Each port has to have a nameif, but you can't put a port in the bridge group if it has a nameif, so you have to...
no nameif
bridge-group 1
nameif BLAH
AND THEN you have to repeat your access groups for EVERY port, AND THEN allow same zone traffic...
interface GigabitEthernet1/2
description SCADA_1
bridge-group 1
nameif SCADA_1
security-level 0
no shut
!
interface GigabitEthernet1/3
description SCADA_2
bridge-group 1
nameif SCADA_2
security-level 0
no shut
!
interface GigabitEthernet1/4
description SCADA_3
bridge-group 1
nameif SCADA_3
security-level 0
no shut
!
access-group SCADA_IN in interface SCADA
access-group SCADA_IN in interface SCADA_1
access-group SCADA_IN in interface SCADA_2
access-group SCADA_IN in interface SCADA_3
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
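Added example, not part of the thread and not Cisco tooling: a small Python checker for the pattern worked out in the post above (and for the first post's original config). It parses an ASA-style config and reports the three things that bit here: a bridge-group member port with no nameif, a named interface (BVI or member) with no access-group bound, and members at the same security-level without same-security-traffic permit inter-interface. It also flags the permit ip any any test rules so they are not forgotten at production time. The sample config is constructed for the example (10.0.x.x addresses and interface names are assumptions), with one member left as "no nameif" and one member missing its access-group so there is something to report.

```python
import re

# Constructed sample config (not a verbatim copy from the thread): the working
# layout from the post above, with GigabitEthernet1/4 left at "no nameif" and
# SCADA_2 missing its access-group, so the checker has findings to return.
SAMPLE_CONFIG = """
interface BVI1
 nameif SCADA
 security-level 0
 ip address 10.0.5.1 255.255.255.0
!
interface GigabitEthernet1/1
 nameif BUSINESS
 security-level 100
 ip address 10.0.2.245 255.255.255.248
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif SCADA_1
 security-level 0
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif SCADA_2
 security-level 0
!
interface GigabitEthernet1/4
 bridge-group 1
 no nameif
 security-level 0
!
access-list BUSINESS_IN extended permit ip any any log
access-list SCADA_IN extended permit ip any any log
access-group BUSINESS_IN in interface BUSINESS
access-group SCADA_IN in interface SCADA
access-group SCADA_IN in interface SCADA_1
same-security-traffic permit inter-interface
"""

# Keywords that start a new top-level block and therefore end an interface block.
TOP_LEVEL = re.compile(r"^(interface|access-list|access-group|same-security-traffic|route|!)", re.I)


def parse(config):
    """Return (interfaces, acls, bindings, same_security) from ASA-style config text.

    interfaces:    name -> {"nameif", "bridge_group", "security_level"}
    acls:          acl name -> list of rule strings
    bindings:      nameif -> ACL bound inbound on it
    same_security: set of "inter-interface" / "intra-interface" that are permitted
    """
    interfaces, acls, bindings, same_security = {}, {}, {}, set()
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"^interface\s+(\S+)$", line, re.I):
            current = {"nameif": None, "bridge_group": None, "security_level": None}
            interfaces[m.group(1)] = current
            continue
        if TOP_LEVEL.match(line):
            current = None  # left the interface block
        if current is not None:  # sub-command inside an interface block
            if line.lower() == "no nameif":
                current["nameif"] = None
            elif m := re.match(r"^nameif\s+(\S+)$", line, re.I):
                current["nameif"] = m.group(1)
            elif m := re.match(r"^bridge-group\s+(\d+)$", line, re.I):
                current["bridge_group"] = int(m.group(1))
            elif m := re.match(r"^security-level\s+(\d+)$", line, re.I):
                current["security_level"] = int(m.group(1))
            continue
        if m := re.match(r"^access-list\s+(\S+)\s+(.+)$", line, re.I):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"^access-group\s+(\S+)\s+in\s+interface\s+(\S+)$", line, re.I):
            bindings[m.group(2)] = m.group(1)
        elif m := re.match(r"^same-security-traffic\s+permit\s+(\S+)$", line, re.I):
            same_security.add(m.group(1).lower())
    return interfaces, acls, bindings, same_security


def lint(config):
    """Return a list of (code, subject) findings; an empty list means nothing to fix."""
    interfaces, acls, bindings, same_security = parse(config)
    findings = []
    members = {n: i for n, i in interfaces.items() if i["bridge_group"] is not None}
    # 1. Every bridge-group member port needs its own nameif, or traffic will not egress it.
    for name, intf in members.items():
        if intf["nameif"] is None:
            findings.append(("NO_NAMEIF", name))
    # 2. Every named interface (the BVI and each member) needs an inbound access-group.
    for name, intf in interfaces.items():
        if intf["nameif"] is not None and intf["nameif"] not in bindings:
            findings.append(("NO_ACCESS_GROUP", f"{name} ({intf['nameif']})"))
    # 3. Members at one security-level cannot talk to each other without inter-interface.
    levels = {i["security_level"] for i in members.values() if i["nameif"] is not None}
    if len(members) > 1 and len(levels) == 1 and "inter-interface" not in same_security:
        findings.append(("NO_INTER_INTERFACE", f"bridge-group members at security-level {levels.pop()}"))
    # 4. Test-phase "allow everything" rules that must be tightened before production.
    for acl, rules in acls.items():
        for rule in rules:
            if re.search(r"\bpermit\s+ip\s+any\s+any\b", rule, re.I):
                findings.append(("PERMIT_ANY", acl))
    return findings


if __name__ == "__main__":
    for code, subject in lint(SAMPLE_CONFIG):
        print(f"{code}: {subject}")
```

Run it against `show running-config` output saved to a file (indentation does not matter; the parser strips it). A clean result still leaves the PERMIT_ANY findings until the any/any test rules are replaced with per-site rules, which is the point of keeping that check separate from the structural ones.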
06-09-2017 02:13 PM
Hi Jason - did you get your NAT to work with the multiple interfaces and use PAT to the outside interface?
07-11-2017 01:54 AM
https://supportforums.cisco.com/discussion/13330246/asa-5505-5506-replacement-using-5506-bridged-switched-ports-and-vpn-98x
07-25-2017 06:41 AM
Wow. I'm SO glad I didn't have to do any of that stuff...no VPN, no NAT/PAT, no DHCP for devices behind the firewall, ssh/https to the non-bridged interface only. I actually left that project before 9.8 came out...that's life in contracting.
07-25-2017 06:39 AM
Been a while since I came back here. Fast paced, so I really moved on after working this out. I actually didn't need to do any NAT/PAT. This was entirely on a private network...microwave links shooting 30 miles out into the middle of nowhere, etc.