Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1183
Views
0
Helpful
4
Replies

EIGRP Through Transparent ASA

Go to solution
nick.smethurst1
Level 1
Level 1

‎06-01-2018 03:39 AM - edited ‎02-21-2020 07:50 AM

packet-tracer.PNGHello,

 

Hoping you can help please. I'm having issues with passing traffic through a Cisco ASA 5525-x when in transparent mode.

 

The Transparent mode firewall has been placed in between a layer 3 switch and another ASA running in routed mode, they have an eigrp peering between the two across a port channel.

I have added access lists just as a test with 'ip any any' & 'eigrp any any' just to see if I can get this working but I'm having issues.

 

Looking at the MAC address table on the Transparent it has learned the MAC address correctly.

However when pinging from the switch to the routed firewall I can see from a capture that it ARP's but it fails to learn the mac address of the routed ASA firewall.  Also the EIGRP peering between the two devices has come up but it's not advertising any routes.

 

I gone into ASDM and done a packet tracer test which shows that the packet is allowed but it doesn't show the output interface and the Line and Link have question marks next to them, which looks odd ?

 

Running out of ideas, so any help would be great! Many Thanks.

Nick

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
nick.smethurst1
Level 1
Level 1
In response to Florin Barhala

‎06-06-2018 07:31 AM

Thank you for your suggestions.

 

The issue turned out to be that the BVI interface not having any IP address within the subnet in which it was filtering traffic. As we were using the physical management interface to administer the device, I didn't think this was required. Learn something every day :)

View solution in original post

0 Helpful
4 Replies 4

Go to solution
dperezoquendo
Level 1
Level 1

‎06-01-2018 12:32 PM

Hello,
I don't recall an ASA in transparent mode being able to run the packet-tracer command. Are you sure it's in transparent mode? Refer to the following link for configuring in transparent mode: https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/intro_fw.html
Typically it should be configured with BVI's and have the "firewall transparent" command applied.
0 Helpful

Go to solution
Dennis Mink
VIP Alumni
VIP Alumni

‎06-02-2018 05:30 AM - edited ‎06-02-2018 05:31 AM

when you do  a packet capture through ASDM, do you see eigrp going out the egress interface?

Please remember to rate useful posts, by clicking on the stars below.

0 Helpful

Go to solution
Florin Barhala
Level 6
Level 6

‎06-05-2018 01:46 AM

Hi Nick,

I never used ASA in transparent still I would run a live capture on both interfaces and check the output - preferably in Wireshark.
Based on your output, I wouldn't think it's related to the Transparent FW in between:
Let's keep things simple:
- L3 switch:
+ show ip arp "ASA_EIGRP_IP"
+ show ip eigrp topology
+ show ip eigrp neigh detailed
+ show run | section router

- ASA
+ show arp | L3_EIGRP_IP
+ show run router
0 Helpful

Go to solution
nick.smethurst1
Level 1
Level 1
In response to Florin Barhala

‎06-06-2018 07:31 AM

Thank you for your suggestions.

 

The issue turned out to be that the BVI interface not having any IP address within the subnet in which it was filtering traffic. As we were using the physical management interface to administer the device, I didn't think this was required. Learn something every day :)

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card