5506-X bridge-group no comm to outside

I'm trying to deal with the awful 5506-X firewall (and 5506H version). We brought them up to code version 9.7.1 and I tested with multiple devices; I was able to reach the gateway (interface BVI1) from any device plugged into a port in the bridge group. Unfortunately, I forgot to test getting from the bridge group to the outside. I tried putting one in production and it didn't work. I got a message stating "unable to locate egress interface" while pinging, and no traffic at all would get from the outside interface to the inside. The firewall itself couldn't even ping a device on a port in the bridge group. I wasn't able to test FROM the device, as it is an industrial control device and has no user interface.

Here's some of the config used:

interface bvi1
description SCADA
nameif SCADA
security-level 0
ip address 10.xxx.5.1 255.255.255.0
no shut
!
interface GigabitEthernet1/1
description TO CORE SWITCH
nameif BUSINESS
security-level 100
ip address 10.xxx.2.245 255.255.255.248
no shut
!
interface GigabitEthernet1/2
description SCADA
no nameif
security-level 0
bridge-group 1
no shut
!
route BUSINESS 0.0.0.0 0.0.0.0 10.xxx.2.241
!

(^Switch is a L3 3560CG with an SVI addressed as 10.xxx.2.241 255.255.255.248 and ip route 10.xxx.5.0 255.255.255.0 10.xxx.2.245, EIGRP running with redistribute static)

access-list BUSINESS_IN extended permit ip any any log
access-list BUSINESS_IN extended permit icmp any any log
access-list SCADA_IN extended permit ip any any log
access-list SCADA_IN extended permit icmp any any log
access-group BUSINESS_IN in interface BUSINESS
access-group SCADA_IN in interface SCADA

----------------------------------------------------------------------------

This is a testing period before implementing rules, so we're just allowing everything for now.

When I remove the bridge group setup and just put the config from BVI1 on Gig1/2 instead, everything works fine when a single node or a switch is plugged in to Gig1/2.

I have 10+ small sites that need this config on the 5506 and am under major pressure to get them going like yesterday. Any suggestions?


I got it figured out, and it is a mess. Each port has to have a nameif, but you can't put a port in the bridge group if it has a nameif, so you have to...

no nameif
bridge-group 1
nameif BLAH

AND THEN you have to repeat your access groups for EVERY port, AND THEN allow same zone traffic...

interface GigabitEthernet1/2
description SCADA_1
bridge-group 1
nameif SCADA_1
security-level 0
no shut
!
interface GigabitEthernet1/3
description SCADA_2
bridge-group 1
nameif SCADA_2
security-level 0
no shut
!
interface GigabitEthernet1/4
description SCADA_3
bridge-group 1
nameif SCADA_3
security-level 0
no shut
!
access-group SCADA_IN in interface SCADA
access-group SCADA_IN in interface SCADA_1
access-group SCADA_IN in interface SCADA_2
access-group SCADA_IN in interface SCADA_3
!
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
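Added here as a config check, not code from the thread or from Cisco: a small Python audit that parses ASA-style config text and flags the three pitfalls worked out above (a bridge-group member port with no nameif, a named member with no access-group applied, and no same-security-traffic permit inter-interface). The sample config is constructed with placeholder names.

```python
import re

# Constructed sample (placeholder names, not the poster's config): the member port
# as first posted (no nameif, no access-group), then as fixed in the reply above.
BROKEN = """\
interface BVI1
 nameif SCADA
!
interface GigabitEthernet1/2
 no nameif
 bridge-group 1
!
access-group SCADA_IN in interface SCADA
"""
FIXED = (BROKEN.replace(" no nameif\n", " nameif SCADA_1\n")
         + "access-group SCADA_IN in interface SCADA_1\n"
         + "same-security-traffic permit inter-interface\n")

def audit_bridge_groups(config):
    """Return findings for bridge-group member ports: missing nameif, nameif with no
    access-group bound to it, and no 'same-security-traffic permit inter-interface'."""
    ifaces, bound, same_sec, cur = {}, set(), set(), None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "!" or not line:                       # end of an interface stanza
            cur = None
        elif line.startswith("interface "):
            cur = line.split()[1]
            ifaces[cur] = {"nameif": None, "bridge_group": None}
        elif cur and line.startswith("nameif "):          # "no nameif" keeps the default None
            ifaces[cur]["nameif"] = line.split()[1]
        elif cur and line.startswith("bridge-group "):
            ifaces[cur]["bridge_group"] = line.split()[1]
        elif (m := re.match(r"access-group \S+ (?:in|out) interface (\S+)$", line)):
            bound.add(m.group(1))                         # nameif an ACL is applied to
        elif line.startswith("same-security-traffic permit "):
            same_sec.add(line.split()[-1])                # inter-interface / intra-interface
    findings, members = [], [n for n, a in ifaces.items() if a["bridge_group"]]
    for name in members:
        nameif = ifaces[name]["nameif"]
        if nameif is None:
            findings.append(f"{name}: bridge-group {ifaces[name]['bridge_group']} member has no nameif")
        elif nameif not in bound:
            findings.append(f"{name}: nameif {nameif} has no access-group applied")
    if members and "inter-interface" not in same_sec:
        findings.append("same-security-traffic permit inter-interface not set for bridge-group members")
    return findings
```

Run it against a `show running-config` capture before pushing the config to the next site; an empty list means none of the three issues is present.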

Hi Jason - did you get your NAT to work with the multiple interfaces and use PAT to the outside interface?

https://supportforums.cisco.com/discussion/13330246/asa-5505-5506-replacement-using-5506-bridged-switched-ports-and-vpn-98x

Wow. I'm SO glad I didn't have to do any of that stuff...no VPN, no NAT/PAT, no DHCP for devices behind the firewall, ssh/https to the non-bridged interface only. I actually left that project before 9.8 came out...that's life in contracting.

Been a while since I came back here. Fast paced, so I really moved on after working this out. I actually didn't need to do any NAT/PAT. This was entirely on a private network...microwave links shooting 30 miles out into the middle of nowhere, etc.
