10-22-2013 05:01 PM - edited 03-11-2019 07:54 PM
Hi all,
I'm new to ASAs, and since it's been a while since I configured any Cisco device I'm re-learning most of this stuff. We got a new ASA 5510 (actually a refurb) and need to get it set up in our existing network. I read it would be easier to put it in transparent mode than router mode if you have an existing network and don't want to redo the whole thing.
Our current setup right now is: internet > Cisco leased router (with a set of external IPs from ATT) > Juniper NS25 (our internal set of IPs mipped with the external) > internal network. So far I've put the ASA in transparent mode and got the basics configured, reading from some of the docs here and even some YouTube videos, and I've read the docs on transparent mode for the ASAs. One question is on BVI 1: it won't allow me to put the same IP range as my internal, it needed a different one, so right now I have 192.168.1.1 on it. I know there might be a few more things needed to get it right. Here's my running config right now; if you have any pointers or ideas to get me in the right direction, thanks in advance.
carlo
crxasa# sh run
: Saved
:
ASA Version 9.1(2)8
!
firewall transparent
hostname crxasa
domain-name domain.com
enable password jtiwndTuzIDdTcxA encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
!
interface Ethernet0/1
nameif inside
security-level 100
!
interface Ethernet0/2
shutdown
no nameif
no security-level
!
interface Ethernet0/3
shutdown
no nameif
no security-level
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1
!
interface BVI1
ip address 208.36.7.11
!
boot system disk0:/asa912-8-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name domain.com
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password 571.UcWz1aqKyGh3 encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:37fe70a1f301b2adb5136c6fce4ca9de
: end
crxasa#
10-22-2013 05:21 PM
OK, the BVI interface IP needs to be within the range of the network that is inter-connecting, so if you need to ARP for traffic on the 208.36.7.0/24 that would be the IP that you need to put on the BVI. If that is the case, remove it from the configuration of the management interface; if not, the configuration is correct and you are just missing the following:
Then you need to add the interfaces that inter-connect on to the bridge-group:
interface Ethernet0/0
nameif OUTSIDE
bridge-group 1
security-level 0
interface Ethernet0/1
nameif inside
bridge-group 1
security-level 100
Specifies the management IP address for the bridge group.
Do not assign a host address (/32 or 255.255.255.255) to the bridge group. Also, do not use other subnets that contain fewer than 3 host addresses (one each for the upstream router, downstream router, and transparent firewall) such as a /30 subnet (255.255.255.252). The ASA drops all ARP packets to or from the first and last addresses in a subnet. Therefore, if you use a /30 subnet and assign a reserved address from that subnet to the upstream router, then the ASA drops the ARP request from the downstream router to the upstream router.
The ASA does not support traffic on secondary networks; only traffic on the same network as the management IP address is supported.
If by any chance you are getting ARP from non-directly connected networks on the bridge, please define:
arp permit-nonconnected
10-23-2013 09:39 AM
Hi Jumora, thanks for the help. So basically my internal IP needs to be in the BVI config and give that its own management IP, and remove the actual management port IP. I'm thinking of re-doing it over, maybe configuring the e0/0 and 0/1 first with the BVI group and adding its management IP, then followed by the actual int management port config. I'll let you know how it goes; I think I'll go through a few trial and error here. It's on a lab setup so I can break it down and start over. Thanks again
carlo
10-23-2013 10:00 AM
Great to hear that I put you on the right track, have a nice one.
FYI: If you believe that your questions have been answered please change the status to answered.
10-23-2013 10:00 AM
So I went and removed the management int IP and gave that to the BVI int, but it won't allow me to put an IP on the management int. I don't have a way to access ASDM or SSH now, or is that done through the BVI int now? But I can't ping the BVI IP. Somehow the system is not allowing me to put my internal IPs on both the BVI and management int. Any ideas? Thanks
carlo
10-23-2013 10:26 AM
So you have to do this over console. What you can do to avoid getting disconnected is the following, and this is me thinking that you have a laptop connected to the ASA and not through your network.
Reload the ASA; it will come back up with the previous configuration if you saved it. Log into the unit and, instead of removing the IP address from interface Management0/0, overwrite it, and also remove the IP address from the BVI. Follow this example:
enable
config t
interface BVI1
no ip address 192.168.1.1 255.255.255.0
enable
config t
interface Management0/0
ip address 192.168.1.1 255.255.255.0
You will lose connection for a moment but as soon as you reconfigure your LAN adapter to the 192.168.1.0/24 network you should be able to connect.
Then reconfigure the BVI to the network that you need:
enable
config t
interface BVI1
ip address
FYI: If you are near the unit I would just use the console before I get everything set up.
10-23-2013 10:41 AM
Yes I'm consoled into it, I'll give this a shot, I'll keep you posted, thanks
carlo
10-25-2013 04:13 PM
Hi all,
Finally got back to this project again. I've had this in an internal lab setup, but I wanted to test this with our ISP connection over the weekend. I've been reading around some more to get familiar with the ASA, and I have a couple of questions.
1. If I need to get our external public IPs from ATT to map with any of our internal sources like www and smtp, I just add those through ACLs, right? On our old Juniper we used MIP to set the external IPs with internal, then allowed or denied in policies.
2. Do I have to use NAT? I'm in transparent mode and I wonder if that would be required.
Coming from Juniper using the web interface, the ASA can get daunting, but I just need to get the hang of it. There are a lot of good guides here and a pretty great support forum; looking forward to finishing this project. Thanks
carlo
10-25-2013 04:37 PM
1. If I need to get our external public IPs from ATT to map with any of our internal sources like www and smtp, I just add those through ACLs, right? On our old Juniper we used MIP to set the external IPs with internal, then allowed or denied in policies.
Yes, only ACLs; make sure that you apply the access-group on the lower-security interface.
2. Do I have to use NAT? I'm in transparent mode and I wonder if that would be required.
Only if you require the ASA to do so, because the device behind it is on a private network that is not routable over the Internet and your upstream device (ATT device) does not do NAT.
10-29-2013 05:26 PM
Hi Jumora, I hit a roadblock here with my config on the ACLs. I have an ASA book and I read the config part for a transparent FW, but somehow I can't get my lab setup to work going into the private LAN. Going out is fine since a rule of 100 allows most access outgoing, and it seems like the samples in the book are outdated since I'm on ASA 9.1. Can you take a look at my config and see what I'm missing? My setup in the lab is:
internal network >> outside int >> inside int >> switch >> PC. There's no router facing the inside int as some samples show, and I was wondering if that's the main issue; right now I'm testing RDP into the private LAN and it won't work.
Here's my basic config, mainly showing ACLs:
crxasa(config)# sh run
: Saved
:
ASA Version 9.1(2)8
!
firewall transparent
hostname crxasa
domain-name domain.com
enable password jtiwndTuzIDdTcxA encrypted
names
!
interface Ethernet0/0
nameif outside
bridge-group 1
security-level 0
!
interface Ethernet0/1
nameif inside
bridge-group 1
security-level 100
!
interface Ethernet0/2
shutdown
no nameif
no security-level
!
interface Ethernet0/3
shutdown
no nameif
no security-level
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface BVI1
ip address 208.x.x.x 255.255.255.0
!
boot system disk0:/asa912-8-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name domain.com
access-list outside-in extended permit icmp any any echo-reply
access-list outside-in extended permit icmp any any unreachable
access-list outside-in extended permit icmp any any traceroute
access-list outside-in extended permit icmp any any time-exceeded
access-list outside-in extended permit udp any any eq domain
access-list outside-in extended permit tcp any host 208.x.x.x eq 3389
http server enable
: end
crxasa#
10-29-2013 06:28 PM
Can you get me the show arp? What is the IP of the layer 3 device that is in front of the ASA? I need to know if the BVI IP address is in the same range.
On the ASA enable logging:
logging on
logging buffered debugging
logging buffer-size 1048576
When you generate traffic, look at the logs with "show log" and send me the output.
10-30-2013 09:55 AM
OK, here's my ARP and log attached, and my lab in the network is like below. The layer 3 device in front of the ASA would be the leased router from ATT that connects to our internal network; I don't manage that, and it has ATT's public IP.
internal network (208.36.7.0)
|
|
layer 2 linksys sw
|
|
outside int of asa>>bvi 1 (208.36.7.11)
|
|
inside int of asa>>bvi 1 (208.36.7.11)
|
|
2900 catalyst sw (208.36.7.96)
|
|
PC (208.36.7.4), 2nd nic is for management int (192.168.1.1)
10-30-2013 05:00 PM
Hi all,
I decided to change my config on the ACL to object-groups, and when I try to put them together to create an access-list I get this error. I'm still learning to get the hang of the ASA CLI; the syntax is pretty tricky. I was reading the section on object groups in the ASA book, and it seems like the sample doesn't work with ASA 9.1. Are there any config samples for 9.1 on object grouping and ACLs? Thanks in advance.
crxasa# conf t
crxasa(config)# sh obj
object-group protocol TCP_UDP
description: Grouping of TCP and UDP protocols
protocol-object tcp
protocol-object udp
object-group service All-service
description: grouping of all services
service-object gre
service-object icmp echo
service-object tcp destination eq www
service-object udp destination eq domain
object-group network internal-servers
network-object host 208.36.7.4
object-group network internet-hosts
network-object host 208.36.7.98
crxasa(config)# access-list outside_access_in extended permit object-group TCP_UDP object-group All-service object-group internal-servers
ERROR: specified object group
Usage:
Extended access list:
Use this to configure policy for IP traffic through the firewall
10-31-2013 10:44 AM
OK, look, the issue is related to the format:
object-group TCP_UDP >>>>>> This is related to TCP and UDP as protocols
object-group All-service >>>>>> This is related to GRE that is a protocol then ICMP that is a protocol and then you mention TCP port 80 and UDP 53
object-group internal-servers >>>>> that mentions a server IP 208.36.7.4
You cannot combine different objects related to protocols.
Tell me what you want to allow and towards where, and I can help you with the format.
11-01-2013 09:44 AM
Jumora,
I got that from the 2nd ed. ASA book samples for ACL grouping; I attached some screens from the book. I was following the samples but just changing the IPs to my internal network. Basically I'm just trying to get 208.36.7.98 (this is in my internet-hosts obj group) on the outside to be able to get to 3389, http, smtp on the inside 208.36.7.4 (I put this in my internal-servers obj group).
I will need to use ACL grouping to save from having a ton of entries. I just need to get the hang of the syntax; on my Juniper I used the web interface so it was easy to create the entries, but I wanted to start right with the ASA using the CLI and get the hang of it.
Update: got the access-list to accept the syntax; I needed to add object-group all-services and tcp_udp separately. I thought you could combine them in one command. It's getting clearer to me now; got the 1st access rule set and working. Thanks for all your help and pointers.
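As an added example (not configuration posted by carlo or Jumora), here is a minimal ASA 9.1 transparent-mode configuration that puts together the two points settled in this thread: the bridge-group/BVI layout from Jumora's first answer, with the BVI address inside the bridged 208.36.7.0/24 network and management kept on its own subnet, and the object-group ACL form carlo arrived at, where a single service group carries protocol and port and the network groups carry source and destination. The addresses are the ones carlo posted; the group name RDP-WEB-SMTP, the access-list name and the verification commands at the end are choices and assumptions made for this example.

```cisco
! Added example, not the thread's own config. Assumes ASA 9.1 syntax;
! addresses are the ones posted in the thread, group names are chosen here.
firewall transparent
!
interface Ethernet0/0
 nameif outside
 bridge-group 1
 security-level 0
!
interface Ethernet0/1
 nameif inside
 bridge-group 1
 security-level 100
!
! The BVI address must sit inside the network the ASA bridges (208.36.7.0/24),
! otherwise the ASA cannot ARP for hosts on either side of the bridge.
interface BVI1
 ip address 208.36.7.11 255.255.255.0
!
! Management stays on its own subnet on the dedicated, management-only port.
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
! Service group: protocol AND port live here, not in a separate protocol group.
object-group service RDP-WEB-SMTP
 service-object tcp destination eq 3389
 service-object tcp destination eq www
 service-object tcp destination eq smtp
!
object-group network internet-hosts
 network-object host 208.36.7.98
!
object-group network internal-servers
 network-object host 208.36.7.4
!
! One rule in the order <service group> <source group> <destination group>.
! Only the named outside host may reach the server on those three ports;
! everything else inbound is dropped by the implicit deny at the end of the list.
access-list outside_access_in extended permit object-group RDP-WEB-SMTP object-group internet-hosts object-group internal-servers
!
! Apply inbound on the lower-security (outside) interface, as Jumora noted.
access-group outside_access_in in interface outside
!
! Verification from exec mode (assumed for this example):
!   show access-list outside_access_in
!     -> expands the object-groups into individual entries with hit counts
!   packet-tracer input outside tcp 208.36.7.98 1025 208.36.7.4 3389
!     -> should finish with Action: allow
!   packet-tracer input outside tcp 208.36.7.98 1025 208.36.7.4 23
!     -> should finish with Action: drop (acl-drop), confirming the implicit deny
```

The two packet-tracer runs are the useful check after every ACL change: one flow you expect to pass and one you expect to be denied, so a typo in a group or a missing access-group line shows up before real traffic does.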