12-23-2011 11:44 AM - edited 03-11-2019 03:06 PM
Trying to set up a asa 5505 in transparent firewall mode.
I cannot set the management ip address:
ciscoasa> enable
Password:
ciscoasa# config term
ciscoasa(config)# firewall transparent
ciscoasa(config)# show firewall
Firewall mode: Transparent
ciscoasa(config)# ip address 129.16.123.124
^
ERROR: % Invalid input detected at '^' marker.
Seems I am out of context:
ciscoasa(config)# ip ?
configure mode commands/options:
audit Configure the Intrusion Detection System
local Define a local pool of IP addresses
How do I get into the correct state to set the management IP address?
Yes, I did try to RTFM, but without success.
Actually, I tried to follow a few of the youtube setup demonstrations too, did exactly as prescribed, but got the same ERROR.
Or is it a license issue?
BN
12-23-2011 10:52 PM
Hello,
That is all you need to do... It is not a license issue.
Can you provide us with the version you are running on your ASA?
Regards,
Julio
12-29-2011 01:55 AM
Hope this will give some clue:
ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "disk0:/asa842-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 8 days 23 hours
Hardware: ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
Boot microcode : CN1000-MC-BOOT-2.00
SSL/IKE microcode : CNLite-MC-SSLm-PLUS-2.03
IPSec microcode : CNlite-MC-IPSECm-MAIN-2.06
Number of accelerators: 1
0: Int: Internal-Data0/0 : address is ccef.4819.d7d8, irq 11
1: Ext: Ethernet0/0 : address is ccef.4819.d7d0, irq 255
2: Ext: Ethernet0/1 : address is ccef.4819.d7d1, irq 255
3: Ext: Ethernet0/2 : address is ccef.4819.d7d2, irq 255
4: Ext: Ethernet0/3 : address is ccef.4819.d7d3, irq 255
5: Ext: Ethernet0/4 : address is ccef.4819.d7d4, irq 255
6: Ext: Ethernet0/5 : address is ccef.4819.d7d5, irq 255
7: Ext: Ethernet0/6 : address is ccef.4819.d7d6, irq 255
8: Ext: Ethernet0/7 : address is ccef.4819.d7d7, irq 255
9: Int: Internal-Data0/1 : address is 0000.0003.0002, irq 255
10: Int: Not used : irq 255
11: Int: Not used : irq 255
Licensed features for this platform:
Maximum Physical Interfaces : 8 perpetual
VLANs : 3 DMZ Restricted
Dual ISPs : Disabled perpetual
VLAN Trunk Ports : 0 perpetual
Inside Hosts : 10 perpetual
Failover : Disabled perpetual
VPN-DES : Enabled perpetual
VPN-3DES-AES : Enabled perpetual
AnyConnect Premium Peers : 2 perpetual
AnyConnect Essentials : Disabled perpetual
Other VPN Peers : 10 perpetual
Total VPN Peers : 25 perpetual
Shared License : Disabled perpetual
AnyConnect for Mobile : Disabled perpetual
AnyConnect for Cisco VPN Phone : Disabled perpetual
Advanced Endpoint Assessment : Disabled perpetual
UC Phone Proxy Sessions : 2 perpetual
Total UC Proxy Sessions : 2 perpetual
Botnet Traffic Filter : Disabled perpetual
Intercompany Media Engine : Disabled perpetual
This platform has a Base license.
Serial Number: JMX1543409G
Running Permanent Activation Key: 0x763eff4e 0x04030d52 0xbcf3015c 0xbbd0482c 0x02200b9c
Configuration register is 0x1
Configuration last modified by enable_15 at 12:20:54.723 UTC Fri Dec 23 2011
12-29-2011 05:23 AM
Hi Bengt,
In version 8.4(2), the ASA uses the concept of bridge-groups in transparent mode. Therefore, you need to add the interfaces to a bridge-group and then configure the IP address under the BVI. See here for a config example:
-Mike
12-30-2011 01:57 AM
Thanks, now I could set the ip address.
However, since it is not working for me (no web access), I must have made some mistakes:
enable
config term
no firewall transparent
config factory-default
firewall transparent
interface bvi 1
ip address 129.16.138.206 255.255.255.0
interface vlan 1
bridge-group 1
nameif inside
security-level 100
interface vlan 2
bridge-group 1
nameif outside
security-level 0
interface e0/0
switchport access vlan 2
no shut
interface e0/1
switchport access vlan 1
no shut
1) Where did I go wrong?
2) Should both inside and outside be a part of bridge-group 1 ?
Would it be possible to get assistance in creating a setup for a simple task such as this?
Transparent firewall, inside e0/1, outside e0/1 (the systems inside are connected to a dumb switch, the switch is connected to e0/1)
allow http, ssh, and smb for a specified subnet, plus a few specific IP addresses on other subnets
web admin from inside (or outside, is this advisable?)
Or would I need to pay a contract for this?
BN
12-30-2011 04:59 AM
Hi Bengt,
The interface configuration looks correct. To get Internet access for your inside users, the hosts on VLAN 1 should have a default gateway of the router in VLAN 2. All of the IP addresses (VLAN 1 and VLAN 2) should be in the same L3 subnet as the BVI address: 129.16.138.0/24.
You should also check the syslogs when trying to pass traffic to see if it is a firewall problem or a problem somewhere else in the network:
logging enable
logging buffered 7
show log
-Mike
12-30-2011 05:49 AM
I did it like this to make it work (from one of the Cisco forum examples, which really SHOULD get into the general web instructions on how to set up firewall transparent...)
no firewall transparent
firewall transparent
interface Ethernet 0/0
switchport access vlan 2
no shutdown
interface Ethernet 0/1
switchport access vlan 1
no shutdown
interface Ethernet 0/2
switchport access vlan 1
no shutdown
interface Ethernet 0/3
switchport access vlan 1
no shutdown
interface Ethernet 0/4
switchport access vlan 1
no shutdown
interface Ethernet 0/5
switchport access vlan 1
no shutdown
interface Ethernet 0/6
switchport access vlan 1
no shutdown
interface Ethernet 0/7
switchport access vlan 1
no shutdown
interface bvi 1
ip address 129.16.138.206 255.255.255.0
interface vlan2
nameif outside
security-level 0
bridge-group 1
no shutdown
interface vlan1
nameif inside
security-level 100
bridge-group 1
no shutdown
http server enable
http 129.16.138.0 255.255.255.0 inside
My mistake was not enabling the HTTP server and not specifying the allowed HTTP access.
Since I use transparent mode, no router changes are needed to have internet access from the inside.
For the same reason, I cannot specify any separate ip addresses for VLAN 1 and VLAN 2.
BN
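The thread never gets to the access policy asked for earlier (HTTP, SSH and SMB for one subnet plus a few hosts, management only from inside), so here is an added example of what that could look like on top of the working bridge-group configuration above. It is not the poster's config and not taken from a Cisco document: the 129.16.138.0/24 subnet and the interface names come from the thread, while 192.0.2.10 stands in for one of the "specific IP addresses on other subnets" and is a constructed placeholder; verify the syntax against your own 8.4(2) unit.

```cisco
! Sources allowed to reach inside hosts: the subnet from the thread
! plus a placeholder host (192.0.2.10 is constructed, replace it).
object-group network TRUSTED_SOURCES
 network-object 129.16.138.0 255.255.255.0
 network-object host 192.0.2.10
! Services exposed inbound: HTTP, SSH, SMB (445) and NetBIOS session (139).
object-group service TRUSTED_TCP tcp
 port-object eq www
 port-object eq ssh
 port-object eq 139
 port-object eq 445
! Inbound policy on the outside bridge-group member. In transparent mode
! the ACL still applies per interface; the explicit deny is logged so
! blocked traffic shows up in 'show logging' (message 106023).
access-list OUTSIDE_IN extended permit tcp object-group TRUSTED_SOURCES 129.16.138.0 255.255.255.0 object-group TRUSTED_TCP
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
! Management (ASDM over HTTPS and SSH) only from the inside subnet; nothing
! is opened on the outside, which answers the "web admin from outside?" question.
http server enable
http 129.16.138.0 255.255.255.0 inside
ssh 129.16.138.0 255.255.255.0 inside
! Logging as suggested above, so a failed connection can be attributed
! to the firewall rather than to the rest of the network.
logging enable
logging buffered 7
```

Outbound traffic from inside (security-level 100) to outside (0) stays permitted by the default interface policy, so no outbound ACL is needed for the "internet access from the inside" case.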
12-30-2011 05:54 AM
Final(?) question:
Will I get any bandwidth performance benefits if I allocate more than one e0 port to the outside?