07-11-2017 01:33 AM - edited 03-12-2019 02:40 AM
Hi guys,
it has been a pain and a year-long ongoing process to get Cisco to implement (sorta) switched ports in the ASA 5506.
Most of us probably use the 5505 for small branches due to the fact it has a built-in switch.
Now while we were all excited to get our hands on the new 5506 when it finally came out, we also ran into a huge problem. It did not have any switched ports. Jaws dropped - worlds crushed.
While it was pretty neat to have routed interfaces, no small branch would ever need that. Instead most are probably using the convenient switch ports on the 5505 - actually, that was a big selling point to not have to buy a separate switch.
So all our dreams crushed and shattered (the following s..storm to Cisco WTH???), all our ASA 5505s still have to stay in place or, worse (or not), we switch to a different vendor. Some of us may have had no choice, as they had to be replaced or the customer demanded it.
I decided to convince my customers to hang in there, making promises that Cisco will release an update so that the new ASA will have switching ports as well. AND we waited and waited and nothing seemed to happen. Cisco forgot all about the little guy, forgot that all the hundreds of branches are essentially connected to the HQ, also running the big guy version of the ASA.
Then once again, we saw the end of the tunnel with the release of v9.7.x, OMG bridge groups! Something routers have had for, I don't know, EVER maybe?
Well anyway, switching on the 5506 seemed so close, will our dreams come true - finally?
Quick, get me a 5506, I have got to do this NOW... and tell everyone that we have switching capacity on the ASA now!!! It works, oh my god, I can ping two PCs through two interfaces connected with a bridge group.
There it is, there it is - let's get going and do VPN... oh wait... VPN Handle Error, code crash, oh no, I am dead. As I sit here in tears of joy over switching ports, NAT and VPN killed the beat.
Cisco Cisco on the wall, can you not get the code straight for us all.
Well, months have passed, the world moved on, we will remember our hero as he has been lynched by his customers for not delivering switching ports as promised.
But leaving this all behind us, it is now the glory of 9.8 that will get us to where we want to go.
And this is what everyone has been waiting for - switching ports (well, sorta, not really), VPN and NAT without crashes (so far).
And how in the world do I get this darn thing running like a 5505?
While it was pretty straight forward with the 5505, the 5506 seems to be a bumpy curvy road around a mountain top.
But enough of the tales of our demise, here is watcha gotta do...
First, make yourself a bridge group interface:
interface BVI1
 nameif inside
 security-level 100
 ip address 10.4.83.1 255.255.255.0
!
(feels good, right?)
now add your routed interfaces to the bridge-group...
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside2
 security-level 100
!
interface GigabitEthernet1/3
 bridge-group 1
 nameif inside3
 security-level 100
!
interface GigabitEthernet1/4
 bridge-group 1
 nameif inside4
 security-level 100
!
and so on...(getting funky)
NOTE1: yes, you need a nameif on each member port (and no, they can't all be named the same, so I used numbers), and YES, they need to be at the same security level.
NOTE2: IN CASE you want or need to change the bridge-group assignment, you have to "no nameif" first, change the BG and do "nameif" again.
Additional Note 2.1: Funny thing, when you remove the nameif, all your rules referencing the now-gone interface - lol - are gone too.
So... copy the missing stuff back from the startup-config, and I hope you did not save in between or at least had a copy in Notepad.
NOTE3: ASDM will complain that you can only have 4 interfaces in a bridge group - apparently that is a lie, 'cause with the shell it works.
(If you do not set a nameif, the interface will simply not come up.)
NOTE4: Of course now you have to allow inter interface traffic as well:
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
Whoohoo, I can ping... but not to the outside...yet
No, you can not simply NAT to the BVI (Cisco?? Really?)
Instead, you have to NAT/PAT ALL of your physical member interfaces...
e.g. with "before" (manual) NAT rules:
nat (inside4,outside) source dynamic any interface dns
nat (inside5,outside) source dynamic any interface dns
or Object NAT rules - however you like it better (at this point I assume you are familiar with how NAT on the ASA works)
ok ok, here...
object network NAT_OUT_DYN_I6
 subnet 0.0.0.0 0.0.0.0
 nat (inside5,outside) dynamic interface dns
Lazy version that is.
NOTE: You HAVE to use interface names; (ANY,OUTSIDE) does NOT work.
So yes, for all "switched" interfaces you need a dynamic PAT rule - if you want to get out of the matrix, uhm, outside interface I mean.
Same difference for VPN:
nat (inside4,outside) source static NETWORK_OBJ_10.4.83.0_24 NETWORK_OBJ_10.4.83.0_24 destination static VPN_TO_HOME VPN_TO_HOME no-proxy-arp route-lookup
nat (inside5,outside) source static NETWORK_OBJ_10.4.83.0_24 NETWORK_OBJ_10.4.83.0_24 destination static VPN_TO_HOME VPN_TO_HOME no-proxy-arp route-lookup
ALL your NAT are belong to us.
Ok, Scotty, just don't forget about the access-list, and you probably guessed it - for EACH interface.
So overall it is a really big hassle, since the configuration is multiplied by the number of interfaces you have in the bridge group.
On another note: with the last ASDM I tested this funky bridge-group stuff with, half of it is not working right or is doing something the shell does not understand - so watch the output before you send it; chances are it is not correct, especially anything with NAT or NAT exemption.
Also, if you want to access your ASA.... yeah really it is just like that.....
ssh 0.0.0.0 0.0.0.0 inside2
ssh 0.0.0.0 0.0.0.0 inside3
ssh 0.0.0.0 0.0.0.0 inside4
ssh 0.0.0.0 0.0.0.0 inside5
ssh 0.0.0.0 0.0.0.0 inside6
ssh 0.0.0.0 0.0.0.0 inside7
ssh 0.0.0.0 0.0.0.0 inside8
and for telnet and for http...
or use the management interface if you can - unless you use Firepower ...little treacherous firewall...
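Since every member port needs the same set of NAT, ACL and ssh lines, here is an added example (my own, not from the original post) that generates the per-member config walked through above from a list of ports. It assumes the names from the post (inside, NETWORK_OBJ_10.4.83.0_24, VPN_TO_HOME), a placeholder ACL called INSIDE_IN and a /24 bridge subnet; it emits the VPN identity rule before the dynamic PAT rule, because manual NAT rules are matched top-down, and it limits ssh to the bridge subnet instead of 0.0.0.0 0.0.0.0.

```python
# Added example, not from the original post: generate the per-member ASA
# lines so the "config multiplied by the number of interfaces" part is
# produced by a script instead of typed. Names below are constructed.

BVI_ID = 1
BVI_NAME = "inside"
BVI_IP, BVI_MASK = "10.4.83.1", "255.255.255.0"   # from the post, assumes /24
OUTSIDE = "outside"
LOCAL_OBJ = "NETWORK_OBJ_10.4.83.0_24"            # from the post
REMOTE_OBJ = "VPN_TO_HOME"                        # from the post
ACL_NAME = "INSIDE_IN"                            # constructed placeholder
MEMBER_PORTS = [f"GigabitEthernet1/{n}" for n in range(2, 9)]  # Gi1/2..Gi1/8

def member_nameif(index):
    # the post numbers the members to keep every nameif unique: inside2, ...
    return f"{BVI_NAME}{index}"

def bvi_block():
    return [f"interface BVI{BVI_ID}", f" nameif {BVI_NAME}",
            " security-level 100", f" ip address {BVI_IP} {BVI_MASK}", "!"]

def member_block(port, nameif):
    # every member needs its own nameif and the same security level
    return [f"interface {port}", f" bridge-group {BVI_ID}",
            f" nameif {nameif}", " security-level 100", "!"]

def per_member_policy(nameif):
    # identity NAT for the VPN first, then dynamic PAT: manual NAT is
    # matched in order, so a PAT rule placed first would swallow VPN traffic
    net = BVI_IP.rsplit(".", 1)[0] + ".0"   # /24 network of the BVI address
    return [
        f"nat ({nameif},{OUTSIDE}) source static {LOCAL_OBJ} {LOCAL_OBJ} "
        f"destination static {REMOTE_OBJ} {REMOTE_OBJ} no-proxy-arp route-lookup",
        f"nat ({nameif},{OUTSIDE}) source dynamic any interface dns",
        f"access-group {ACL_NAME} in interface {nameif}",
        f"ssh {net} {BVI_MASK} {nameif}",   # narrowed to the bridge subnet
    ]

def build_config(ports=MEMBER_PORTS):
    lines = bvi_block()
    names = [member_nameif(p.rsplit("/", 1)[1]) for p in ports]
    for port, name in zip(ports, names):
        lines += member_block(port, name)
    lines += ["same-security-traffic permit inter-interface",
              "same-security-traffic permit intra-interface"]
    for name in names:
        lines += per_member_policy(name)
    return lines
```

Print "\n".join(build_config()) and paste the result into the shell; the access-list INSIDE_IN itself still has to exist before the access-group lines are accepted.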
This should cover the basics of getting the 5505 replaced by the 5506.
We switched, we PAT/NATed and we VPNed.
Should take care of most 5505 setups out there.
Thanks for reading, now get out of the basement and plant a tree or do something useful instead of wasting away in front of PuTTY.
Cheers
Markus
p.s. This config was NOT tested with Firepower Services installed, so I have no clue how those two will react to each other, considering how "abstract" the config looks. Somehow I have doubts Cisco did any tests with it either....