Config of new ASA 5510 transparent mode

Carlomd
Level 1

Hi all,

I'm new to ASAs, and since it's been a while since I configured any Cisco device, I'm re-learning most of this stuff. We got a new ASA 5510 (actually a refurb) and need to get it set up in our existing network. I read it would be easier to put it in transparent mode than router if you have an existing network and don't wanna redo the whole thing.

Our current setup right now is: internet > Cisco leased router (with a set of external IPs from ATT) > Juniper NS25 (our internal set of IPs MIPped with the external) > internal network. So far I've put the ASA in transparent mode and got the basics configured, reading from some of the docs here and even some YouTube vids. I've read the docs on transparent mode for the ASAs; one question is on the BVI 1: it won't allow me to put the same IP range as my internal, it needed a different one, like right now I have 192.168.1.1 on it. I know there might be a few more things needed to get it right. Here's my running conf right now; if you have any pointers or ideas to get me in the right direction, thanks in advance.

carlo

crxasa# sh run
: Saved
:
ASA Version 9.1(2)8
!
firewall transparent
hostname crxasa
domain-name domain.com
enable password jtiwndTuzIDdTcxA encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
!
interface Ethernet0/1
nameif inside
security-level 100
!
interface Ethernet0/2
shutdown
no nameif
no security-level
!
interface Ethernet0/3
shutdown
no nameif
no security-level
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1
!
interface BVI1
ip address 208.36.7.11
!
boot system disk0:/asa912-8-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name domain.com
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password 571.UcWz1aqKyGh3 encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:37fe70a1f301b2adb5136c6fce4ca9de
: end
crxasa#


14 Replies

jumora
Level 7

OK, the BVI interface IP needs to be within the range of the network that is inter-connecting, so if you need to ARP for traffic on the 208.36.7.0/24, that would be the IP that you need to put on the BVI. If that is the case, remove it from the configuration of the management interface; if not, the configuration is correct and you are just missing the next:

Then you need to add the interfaces that inter-connect on to the bridge-group:

interface Ethernet0/0
nameif OUTSIDE
bridge-group 1
security-level 0
interface Ethernet0/1
nameif inside
bridge-group 1
security-level 100

Specifies the management IP address for the bridge group.

Do not assign a host address (/32 or 255.255.255.255) to the bridge group. Also, do not use other subnets that contain fewer than 3 host addresses (one each for the upstream router, downstream router, and transparent firewall) such as a /30 subnet (255.255.255.252). The ASA drops all ARP packets to or from the first and last addresses in a subnet. Therefore, if you use a /30 subnet and assign a reserved address from that subnet to the upstream router, then the ASA drops the ARP request from the downstream router to the upstream router.

The ASA does not support traffic on secondary networks; only traffic on the same network as the management IP address is supported.

If by any chance you are getting ARP from non-directly connected networks on the bridge, please define:

arp permit-nonconnected

Value our effort and rate the assistance!

Hi Jumora, thanks for the help. So basically my internal IP needs to be in the BVI config, and give that its own management IP, and remove the actual management port IP. I'm thinking of re-doing it over, maybe configuring the e0/0 and 0/1 first with the BVI group and adding its management IP, then followed by the actual int management port config. I'll let you know how it goes; I think I'll go through a few trial and error here. It's on a lab setup so I can break it down and start over. Thanks again

carlo

Great to hear that I put you on the right track, have a nice one.

FYI: If you believe that your questions have been answered please change the status to answered.

Value our effort and rate the assistance!

So I went and removed the management int IP and gave that to the BVI int, but it won't allow me to put an IP on the management int. I don't have a way to access ASDM or SSH now, or is that done through the BVI int now? But I can't ping the BVI IP. Somehow the system is not allowing me to put my internal IPs on both the BVI and man int. Any ideas? Thanks

carlo

So you got to do this over console; what you can do to avoid getting disconnected is the next, and this is me thinking that you have a laptop connected to the ASA and not through your network.

Reload the ASA; it will come back up with the previous configuration if you saved it. Log into the unit and, instead of removing the IP address from the interface Management0/0, overwrite it and also remove the IP address from the BVI. Follow this example:

enable
config t
interface BVI1
no ip address 192.168.1.1 255.255.255.0

enable
config t
interface Management0/0
ip address 192.168.1.1 255.255.255.0

You will lose connection for a moment, but as soon as you reconfigure your LAN adapter to the 192.168.1.0/24 network you should be able to connect.

Then reconfigure the BVI to the network that you need:

enable
config t
interface BVI1
ip address

FYI: If you are near to the unit I would just console before I get everything set up.

Value our effort and rate the assistance!

Yes I'm consoled into it, I'll give this a shot, I'll keep you posted, thanks

carlo

Carlomd
Level 1

Hi all,

Finally got back to this project again. So I've had this in an internal lab setup, but I wanted to test this with our ISP connection over the weekend. I've been reading around some more to get familiar with the ASA; a couple of questions.

1. If I need to get our external public IPs from ATT to map with any of our internal sources like www and smtp, I just add those through ACLs, right? On our old Juniper we used MIP to set the external IPs with internal, then allowed or denied in policies.

2. Do I have to use NAT? I'm in transparent mode and I wonder if that would be required.

Coming from Juniper using the web interface, the ASA can get daunting, but I just need to get the hang of it. There's a lot of good guides here and a pretty great support forum; looking fwd to finishing this project. Thanks

carlo

1. If I need to get our external public IPs from ATT to map with any of our internal sources like www and smtp, I just add those through ACLs, right? On our old Juniper we used MIP to set the external IPs with internal, then allowed or denied in policies.

Yes, only ACLs; make sure that you apply access-group on the lower security interface.

2. Do I have to use NAT? I'm in transparent mode and I wonder if that would be required.

Only if you require the ASA to do so, because the device behind it is on a private network that is not routable over the Internet and your upstream device (ATT device) does not do NAT.

Value our effort and rate the assistance!

Hi jumora, I got into a roadblock here with my config on the ACLs. I have an ASA book, and I read the config part of a transparent FW, but somehow I can't get my lab setup to work going into the private LAN. Going out is fine since a rule of 100 allows most access outgoing, and it seems like the samples in the book are outdated since I'm on ASA 9.1. Can you take a look at my config and see what I'm missing? My setup in the lab is:

internal network >> outside int >> inside int >> switch >> PC. There's no router facing the inside int as some samples show, and I was wondering if that's the main issue; like now I'm testing RDP into the private LAN and it won't work.

Here's my basic config, mainly showing ACLs:

crxasa(config)# sh run
: Saved
:
ASA Version 9.1(2)8
!
firewall transparent
hostname crxasa
domain-name domain.com
enable password jtiwndTuzIDdTcxA encrypted
names
!
interface Ethernet0/0
nameif outside
bridge-group 1
security-level 0
!
interface Ethernet0/1
nameif inside
bridge-group 1
security-level 100
!
interface Ethernet0/2
shutdown
no nameif
no security-level
!
interface Ethernet0/3
shutdown
no nameif
no security-level
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface BVI1
ip address 208.x.x.x 255.255.255.0
!
boot system disk0:/asa912-8-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name domain.com
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit icmp any any unreachable
access-list outside-in extended permit icmp any any traceroute
access-list outside-in extended permit icmp any any time-exceeded
access-list outside-in extended permit udp any any eq domain
access-list outside-in extended permit tcp any host 208.x.x.x eq 3389
http server enable

: end
crxasa#
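The three points jumora raises in this thread (every data interface has to be in the bridge group, the BVI address has to sit in a subnet with at least three usable hosts and not be its first or last address, and an access-list does nothing until an access-group applies it to an interface) can be checked mechanically against a saved running-config. The following is an added example written for this thread; it is not Cisco's code and not the poster's. The sample config is constructed from the one posted above (with the BVI address from the diagram later in the thread), and the checker is a plain text scan, not a full ASA configuration parser.

```python
"""Text-level sanity checks for an ASA transparent-mode running-config.

Added example for this thread (not Cisco's code, not the poster's). It
checks the points raised above: every named data interface must carry a
`bridge-group`, the BVI management address must be a usable one (not a
/32 or /30, not the first or last address of its subnet, since the ASA
drops ARP for those), and an access-list only takes effect once an
`access-group` applies it to an interface.
"""
import ipaddress

# Constructed from the config posted in the thread; note the missing access-group.
SAMPLE_CONFIG = """\
firewall transparent
!
interface Ethernet0/0
nameif outside
bridge-group 1
security-level 0
!
interface Ethernet0/1
nameif inside
bridge-group 1
security-level 100
!
interface Ethernet0/2
shutdown
no nameif
no security-level
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface BVI1
ip address 208.36.7.11 255.255.255.0
!
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit tcp any host 208.36.7.4 eq 3389
"""


def parse_interfaces(config):
    """Return {interface name: [sub-command lines]} from a running-config."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!" or not line:
            current = None          # '!' ends an interface block
        elif current is not None:
            interfaces[current].append(line)
    return interfaces


def check_bvi_address(ip, mask):
    """Problems with a proposed bridge-group management address (empty list = OK)."""
    problems = []
    net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
    if net.prefixlen >= 30:
        problems.append(f"{net} has fewer than 3 usable host addresses")
    addr = ipaddress.ip_address(ip)
    if addr in (net.network_address, net.broadcast_address):
        problems.append(f"{ip} is the first or last address of {net}; ASA drops ARP for it")
    return problems


def lint_config(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    bvi_seen = False
    for name, body in parse_interfaces(config).items():
        keywords = {l.split()[0] for l in body}
        if name.startswith("BVI"):
            bvi_seen = True
            addr = next((l for l in body if l.startswith("ip address ")), None)
            if addr is None:
                findings.append(f"{name}: no ip address; the bridge group needs a management address")
                continue
            parts = addr.split()
            if len(parts) < 4:
                findings.append(f"{name}: 'ip address' needs a netmask")
            else:
                findings.extend(f"{name}: {p}" for p in check_bvi_address(parts[2], parts[3]))
        elif "nameif" in keywords and not keywords & {"management-only", "shutdown"}:
            if "bridge-group" not in keywords:
                findings.append(f"{name}: named data interface is not in a bridge-group")
    if not bvi_seen:
        findings.append("no BVI interface configured")
    # An ACL that no access-group references is never evaluated.
    defined = {l.split()[1] for l in lines if l.startswith("access-list ")}
    applied = {l.split()[1] for l in lines if l.startswith("access-group ")}
    for acl in sorted(defined - applied):
        findings.append(f"access-list {acl} is defined but no access-group applies it")
    return findings


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the constructed sample, the only finding is the unapplied `outside-in` ACL, which matches jumora's advice to apply the access-group on the lower-security interface; adding `access-group outside-in in interface outside` clears it.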

Can you get me the show ARP? What is the IP of the layer 3 device that is in front of the ASA? I need to know if the BVI IP address is under the same range.

On the ASA, enable logging:

logging on
logging buffered debugging
logging buffer-size 1048576

When you generate traffic, look at the logs with "show log" and send me the output.

Value our effort and rate the assistance!

Ok, here's my ARP and log attached, and my lab in the network is like below. The layer 3 device in front of the ASA would be the leased router from ATT that connects to our internal network; I don't manage that, that will have ATT's public IP.

internal network (208.36.7.0)
        |
layer 2 linksys sw
        |
outside int of asa >> bvi 1 (208.36.7.11)
        |
inside int of asa >> bvi 1 (208.36.7.11)
        |
2900 catalyst sw (208.36.7.96)
        |
PC (208.36.7.4), 2nd nic is for management int (192.168.1.1)

Hi all,

I decided to change my config on the ACL to object-groups, and when I try to put them together to create an access-list I get this error. I'm still learning to get the hang of the ASA CLI; the syntax is pretty tricky. I was reading the section on object groups in the ASA book, and it seems like the sample doesn't work with ASA 9.1. Is there any config samples for 9.1 on object grouping and ACLs? Thanks in advance -

crxasa# conf t
crxasa(config)# sh obj
object-group protocol TCP_UDP
description: Grouping of TCP and UDP protocols
protocol-object tcp
protocol-object udp
object-group service All-service
description: grouping of all services

service-object gre
service-object icmp echo
service-object tcp destination eq www
service-object udp destination eq domain
object-group network internal-servers
network-object host 208.36.7.4
object-group network internet-hosts
network-object host 208.36.7.98
crxasa(config)# access-list outside_access_in extended permit object-group TCP_UDP object-group All-service object-group internal-servers
ERROR: specified object group has wrong type; expecting network type
Usage:
Extended access list:
        Use this to configure policy for IP traffic through the firewall

Ok, look, the issue is related to the format:

object-group TCP_UDP >>>>>> This is related to TCP and UDP as protocols

object-group All-service >>>>>> This is related to GRE, that is a protocol, then ICMP, that is a protocol, and then you mention TCP port 80 and UDP 53

object-group internal-servers >>>>> that mentions a server IP 208.36.7.4

You cannot combine different objects related to protocols.

Tell me what you want to allow and towards where, and I can help you with the format.

Value our effort and rate the assistance!

Jumora,

I got that from the 2nd ed ASA book samples for ACL grouping; I attached some screens from the book. I was following the samples but just changing the IPs to my internal network. Basically I'm just trying to get 208.36.7.98 (this is on my internet-hosts obj group) on the outside to be able to get to 3389, http, smtp on the inside 208.36.7.4 (I put this on my internal-servers obj group).

I will need to use ACL grouping to save from having a ton of entries. I just need to get the hang of the syntax; on my Juniper I used the web interface so it was easy to create the entries, but I wanted to start right with the ASA using CLI and get the hang of it.

update: got the access-list to accept the syntax, I needed to add object-group all-services and tcp_udp separately. I thought you could combine them in one command. It's getting clearer to me now, got the 1st access rule set and working. Thanks for all your help and pointers.
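The ERROR in the post above comes from the positional grammar of an extended ACE: the token right after the protocol argument has to be a source address (any, host, an ip/mask pair or a network object-group), so a service object-group in that slot is rejected as "wrong type; expecting network type". The update's fix, one ACE with the service group in the protocol position and another with the protocol group plus a port, is exactly what that grammar allows. The following added example (not from the thread, the book or Cisco) reads the `show object-group` output posted above into a name-to-type map and type-checks candidate ACEs positionally the same way. It recognises only the subset of the syntax used in this thread, which is this example's own assumption: protocol keywords or object-groups, any/host/ip-mask or network-group addresses, and eq/lt/gt/neq/range or service-group ports; anything after the destination is kept as a trailer.

```python
"""Type-check ASA extended ACEs against object-group types.

Added example for this thread (not Cisco's code, not from the book the
poster mentions). Walks an access-list line positionally: protocol
argument, source address, optional source port, destination address,
optional destination port. A non-network group in an address slot
raises the same error the poster hit. Only the syntax subset used in
the thread is handled (an assumption of this example).
"""
import re

# Copied from the `sh obj` output in the post above.
SHOW_OBJECT_GROUP = """\
object-group protocol TCP_UDP
description: Grouping of TCP and UDP protocols
protocol-object tcp
protocol-object udp
object-group service All-service
description: grouping of all services
service-object gre
service-object icmp echo
service-object tcp destination eq www
service-object udp destination eq domain
object-group network internal-servers
network-object host 208.36.7.4
object-group network internet-hosts
network-object host 208.36.7.98
"""

PROTOCOLS = {"ip", "tcp", "udp", "icmp", "gre", "esp", "ah"}
ADDRESS_KEYWORDS = {"any", "any4", "any6"}
PORT_OPERATORS = {"eq": 2, "lt": 2, "gt": 2, "neq": 2, "range": 3}  # token widths
IPV4 = re.compile(r"\d+\.\d+\.\d+\.\d+")


def parse_object_groups(output):
    """Map object-group name -> type (protocol, service, network, ...)."""
    groups = {}
    for line in output.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "object-group":
            groups[parts[2]] = parts[1]
    return groups


def _take_address(tokens, i, groups):
    """Consume one address argument at tokens[i]; return (next index, text)."""
    if i >= len(tokens):
        raise ValueError("missing address argument")
    tok = tokens[i]
    if tok in ADDRESS_KEYWORDS:
        return i + 1, tok
    if tok == "object-group":
        name = tokens[i + 1] if i + 1 < len(tokens) else ""
        if groups.get(name) != "network":
            # the ASA's own wording for this mistake
            raise ValueError("specified object group has wrong type; expecting network type")
    elif tok != "host" and not IPV4.fullmatch(tok):
        raise ValueError(f"expected an address argument, got {tok!r}")
    if i + 2 > len(tokens):
        raise ValueError(f"incomplete address argument after {tok!r}")
    return i + 2, " ".join(tokens[i:i + 2])   # 'host X', 'ip mask' or 'object-group G'


def _take_port(tokens, i, groups):
    """Consume an optional port argument; index is unchanged if none is present."""
    if i < len(tokens):
        tok = tokens[i]
        if tok in PORT_OPERATORS:
            return i + PORT_OPERATORS[tok]
        if tok == "object-group" and i + 1 < len(tokens) and groups.get(tokens[i + 1]) == "service":
            return i + 2
    return i


def validate_ace(line, groups):
    """Parse one extended ACE; return its parts or raise ValueError with the reason."""
    tokens = line.split()
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError("not an extended access-list line")
    if tokens[3] not in {"permit", "deny"}:
        raise ValueError(f"unknown action {tokens[3]!r}")
    i = 4
    if tokens[i] == "object-group":
        gtype = groups.get(tokens[i + 1])
        if gtype not in {"protocol", "service"}:
            raise ValueError("protocol position needs a protocol or service object-group")
        ports_allowed = gtype == "protocol"    # a service group already carries its ports
        protocol, i = f"object-group {tokens[i + 1]}", i + 2
    elif tokens[i] in PROTOCOLS:
        ports_allowed = tokens[i] in {"tcp", "udp"}
        protocol, i = tokens[i], i + 1
    else:
        raise ValueError(f"unknown protocol {tokens[i]!r}")
    i, source = _take_address(tokens, i, groups)
    if ports_allowed:
        i = _take_port(tokens, i, groups)
    i, destination = _take_address(tokens, i, groups)
    if ports_allowed:
        i = _take_port(tokens, i, groups)
    return {"action": tokens[3], "protocol": protocol, "source": source,
            "destination": destination, "trailer": tokens[i:]}


def ace_error(line, groups):
    """Return the rejection reason for an ACE, or None if it type-checks."""
    try:
        validate_ace(line, groups)
    except ValueError as exc:
        return str(exc)
    return None
```

Feeding it the rejected line from the post reproduces the ASA's error; the two-line form from the update (the service group in the protocol slot with two network groups, and the protocol group with two network groups plus `eq 3389`) passes.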
