5505: setting transparent firewall ip address

Bengt Nilsson (Level 1)

Trying to set up an ASA 5505 in transparent firewall mode.

I cannot set the management IP address:

ciscoasa> enable
Password:
ciscoasa# config term
ciscoasa(config)# firewall transparent
ciscoasa(config)# show firewall
Firewall mode: Transparent
ciscoasa(config)# ip address 129.16.123.124
                              ^
ERROR: % Invalid input detected at '^' marker.

Seems I am out of context:

ciscoasa(config)# ip ?
configure mode commands/options:
  audit  Configure the Intrusion Detection System
  local  Define a local pool of IP addresses

How do I get into the correct state to set the management IP address?

Yes, I did try to RTFM, but without success.

Actually, I tried to follow a few of the youtube setup demonstrations too, did exactly as prescribed, but got the same ERROR.

Or is it a license issue?

BN

7 Replies

Julio Carvajal (VIP Alumni)

Hello,

That is all you need to do... It is not a license issue,

Can you provide us the version you are running on your ASA.

Regards,

Julio

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hope this will give some clue:

ciscoasa# show version
Cisco Adaptive Security Appliance Software Version 8.4(2)
Device Manager Version 6.4(5)
Compiled on Wed 15-Jun-11 18:17 by builders
System image file is "disk0:/asa842-k8.bin"
Config file at boot was "startup-config"
ciscoasa up 8 days 23 hours

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash M50FW016 @ 0xfff00000, 2048KB
Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode        : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode     : CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode       : CNlite-MC-IPSECm-MAIN-2.06
                             Number of accelerators: 1
0: Int: Internal-Data0/0    : address is ccef.4819.d7d8, irq 11
1: Ext: Ethernet0/0         : address is ccef.4819.d7d0, irq 255
2: Ext: Ethernet0/1         : address is ccef.4819.d7d1, irq 255
3: Ext: Ethernet0/2         : address is ccef.4819.d7d2, irq 255
4: Ext: Ethernet0/3         : address is ccef.4819.d7d3, irq 255
5: Ext: Ethernet0/4         : address is ccef.4819.d7d4, irq 255
6: Ext: Ethernet0/5         : address is ccef.4819.d7d5, irq 255
7: Ext: Ethernet0/6         : address is ccef.4819.d7d6, irq 255
8: Ext: Ethernet0/7         : address is ccef.4819.d7d7, irq 255
9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces       : 8              perpetual
VLANs                             : 3              DMZ Restricted
Dual ISPs                         : Disabled       perpetual
VLAN Trunk Ports                  : 0              perpetual
Inside Hosts                      : 10             perpetual
Failover                          : Disabled       perpetual
VPN-DES                           : Enabled        perpetual
VPN-3DES-AES                      : Enabled        perpetual
AnyConnect Premium Peers          : 2              perpetual
AnyConnect Essentials             : Disabled       perpetual
Other VPN Peers                   : 10             perpetual
Total VPN Peers                   : 25             perpetual
Shared License                    : Disabled       perpetual
AnyConnect for Mobile             : Disabled       perpetual
AnyConnect for Cisco VPN Phone    : Disabled       perpetual
Advanced Endpoint Assessment      : Disabled       perpetual
UC Phone Proxy Sessions           : 2              perpetual
Total UC Proxy Sessions           : 2              perpetual
Botnet Traffic Filter             : Disabled       perpetual
Intercompany Media Engine         : Disabled       perpetual

This platform has a Base license.

Serial Number: JMX1543409G
Running Permanent Activation Key: 0x763eff4e 0x04030d52 0xbcf3015c 0xbbd0482c 0x02200b9c
Configuration register is 0x1
Configuration last modified by enable_15 at 12:20:54.723 UTC Fri Dec 23 2011

Hi Bengt,

In version 8.4(2), the ASA uses the concept of bridge-groups in transparent mode. Therefore, you need to add the interfaces to a bridge-group and then configure the IP address under the BVI. See here for a config example:

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_complete_transparent.html#wp1321042

-Mike

Thanks, now I could set the ip address.

However, since it is not working for me (no web access), I must have made some mistakes:

enable
config term
no firewall transparent
config factory-default
firewall transparent
interface bvi 1
 ip address 129.16.138.206 255.255.255.0
interface vlan 1
 bridge-group 1
 nameif inside
 security-level 100
interface vlan 2
 bridge-group 1
 nameif outside
 security-level 0
interface e0/0
 switchport access vlan 2
 no shut
interface e0/1
 switchport access vlan 1
 no shut

1) Where did I go wrong?

2) Should both inside and outside be a part of bridge-group 1 ?

Would it be possible to get assistance in creating a setup for a simple task such as this?

Transparent firewall, inside e0/1, outside e0/1 (the systems inside are connected to a dumb switch, the switch is connected to e0/1)

allow http, ssh, and smb for a specified subnet, plus a few specific ip addresses on other subnets

web admin from inside (or outside, is this advisable?)

Or would I need to pay a contract for this?

BN

Hi Bengt,

The interface configuration looks correct. To get Internet access for your inside users, the hosts on VLAN 1 should have a default gateway of the router in VLAN 2. All of the IP addresses (VLAN 1 and VLAN 2) should be in the same L3 subnet as the BVI address: 129.16.138.0/24.

You should also check the syslogs when trying to pass traffic to see if it is a firewall problem or a problem somewhere else in the network:

logging enable
logging buffered 7
show log

-Mike

I did it like this to make it work (from one of the Cisco forum examples, which really SHOULD go into the general web instructions on how to set up a transparent firewall...)

no firewall transparent
firewall transparent
interface Ethernet 0/0
   switchport access vlan 2
   no shutdown
interface Ethernet 0/1
   switchport access vlan 1
   no shutdown
interface Ethernet 0/2
   switchport access vlan 1
   no shutdown
interface Ethernet 0/3
   switchport access vlan 1
   no shutdown
interface Ethernet 0/4
   switchport access vlan 1
   no shutdown
interface Ethernet 0/5
   switchport access vlan 1
   no shutdown
interface Ethernet 0/6
   switchport access vlan 1
   no shutdown
interface Ethernet 0/7
   switchport access vlan 1
   no shutdown
interface bvi 1
   ip address 129.16.138.206 255.255.255.0
interface vlan2
   nameif outside
   security-level 0
   bridge-group 1
   no shutdown
interface vlan1
   nameif inside
   security-level 100
   bridge-group 1
   no shutdown
http server enable
http 129.16.138.0 255.255.255.0 inside

My mistake was not enabling the http server and not specifying the allowed http access.

Since I use transparent mode, no router changes are needed to have internet access from the inside.

For the same reason, I cannot specify any separate ip addresses for VLAN 1 and VLAN 2.

BN

Final(?) question:

Will I get any bandwidth performance benefits if I allocate more than one e0 port to the outside?
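The access rules Bengt asked for (http, ssh and smb to one subnet, plus a few hosts on other subnets), management restricted to the inside, and the log check Mike suggested, collected into one fragment for the 8.4(2) bridge-group syntax used in this thread. This is an added example and not configuration from the original posts. It assumes the working interface configuration above (BVI 1 = 129.16.138.206/24, vlan1 = inside, vlan2 = outside); the object-group names, the remote hosts 198.51.100.10 and 203.0.113.25, and the local username are illustrative choices, not values from the thread.

```cisco
! Added example, not from the original thread. Assumes the transparent-mode
! interface configuration shown above. Remote host addresses are illustrative.

! Hosts on other subnets that may reach the protected subnet.
object-group network remote_admin_hosts
 network-object host 198.51.100.10
 network-object host 203.0.113.25

! TCP services allowed from anywhere to the protected subnet.
! 445 is SMB over TCP; add 139 only if legacy NetBIOS-over-TCP is needed.
object-group service allowed_tcp tcp
 port-object eq www
 port-object eq ssh
 port-object eq 445

! Inbound on outside. The final deny is the implicit default made explicit
! so that dropped packets show up in the log.
access-list outside_in extended permit tcp any 129.16.138.0 255.255.255.0 object-group allowed_tcp
access-list outside_in extended permit ip object-group remote_admin_hosts 129.16.138.0 255.255.255.0
access-list outside_in extended deny ip any any log
access-group outside_in in interface outside

! Security levels still apply in transparent mode: inside (100) may open
! connections to outside (0) with no outbound ACL. IP and ARP cross the
! bridge; other EtherTypes need an EtherType ACL, for example if the
! switches on both sides must exchange spanning-tree BPDUs through the ASA:
! access-list nonip ethertype permit bpdu
! access-group nonip in interface inside
! access-group nonip in interface outside

! Management goes to the BVI address and is permitted by these commands,
! not by the interface ACL. Allow it from inside only; exposing ASDM or
! SSH on outside is not advisable, use a VPN or a jump host instead.
http server enable
http 129.16.138.0 255.255.255.0 inside
username admin password <choose-a-strong-password> privilege 15
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 2048
ssh 129.16.138.0 255.255.255.0 inside
ssh version 2

! Logging, as Mike suggested (level 7 = debugging), with timestamps so
! denials can be matched to the client's attempt.
logging enable
logging buffered debugging
logging timestamp

! Checks: bridge membership, ACL hit counts, and %ASA-4-106023 entries,
! which are packets dropped by an access-group.
show bridge-group 1
show access-list outside_in
show logging | include 106023
```

If a connection fails, compare the 106023 lines with the client's source address and destination port before touching the ACL: a hit against `outside_in` means the firewall dropped it, while no entry at all points at the switch, VLAN assignment, or the hosts' default gateway rather than the ASA.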
