ASA 5505 transparent mode doesn't pass traffic

Tagir Temirgaliyev

Hi all,

Need help.

The ASA 5505 does not pass traffic like a patch cord. How do I make it pass traffic?

ciscoasa# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)

Compiled on Fri 20-May-11 16:00 by builders
System image file is "disk0:/asa825-k8.bin"
Config file at boot was "startup-config"

ciscoasa up 55 mins 31 secs

Hardware:   ASA5505, 512 MB RAM, CPU Geode 500 MHz
Internal ATA Compact Flash, 128MB
BIOS Flash Firmware Hub @ 0xffe00000, 1024KB

Encryption hardware device : Cisco ASA-5505 on-board accelerator (revision 0x0)
                             Boot microcode   : CN1000-MC-BOOT-2.00
                             SSL/IKE microcode: CNLite-MC-SSLm-PLUS-2.03
                             IPSec microcode  : CNlite-MC-IPSECm-MAIN-2.05
 0: Int: Internal-Data0/0    : address is e4d3.f193.9486, irq 11
 1: Ext: Ethernet0/0         : address is e4d3.f193.947e, irq 255
 2: Ext: Ethernet0/1         : address is e4d3.f193.947f, irq 255
 3: Ext: Ethernet0/2         : address is e4d3.f193.9480, irq 255
 4: Ext: Ethernet0/3         : address is e4d3.f193.9481, irq 255
 5: Ext: Ethernet0/4         : address is e4d3.f193.9482, irq 255
 6: Ext: Ethernet0/5         : address is e4d3.f193.9483, irq 255
 7: Ext: Ethernet0/6         : address is e4d3.f193.9484, irq 255
 8: Ext: Ethernet0/7         : address is e4d3.f193.9485, irq 255
 9: Int: Internal-Data0/1    : address is 0000.0003.0002, irq 255
10: Int: Not used            : irq 255
11: Int: Not used            : irq 255

Licensed features for this platform:
Maximum Physical Interfaces    : 8
VLANs                          : 3, DMZ Restricted
Inside Hosts                   : 10
Failover                       : Disabled
VPN-DES                        : Enabled
VPN-3DES-AES                   : Enabled
SSL VPN Peers                  : 2
Total VPN Peers                : 10
Dual ISPs                      : Disabled
VLAN Trunk Ports               : 0
Shared License                 : Disabled
AnyConnect for Mobile          : Disabled
AnyConnect for Cisco VPN Phone : Disabled
AnyConnect Essentials          : Disabled
Advanced Endpoint Assessment   : Disabled
UC Phone Proxy Sessions        : 2
Total UC Proxy Sessions        : 2
Botnet Traffic Filter          : Disabled

This platform has a Base license.

Configuration register is 0x1
Configuration last modified by enable_15 at 20:34:47.689 UTC Wed Dec 5 2012
ciscoasa#

ciscoasa# sh run
: Saved
:
ASA Version 8.2(5)
!
firewall transparent
hostname ciscoasa
enable password 8eeGnt0NEFObbH6U encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
 shutdown
!
interface Ethernet0/3
 shutdown
!
interface Ethernet0/4
 shutdown
!
interface Ethernet0/5
 shutdown
!
interface Ethernet0/6
 shutdown
!
interface Ethernet0/7
 shutdown
!
interface Vlan1
 nameif inside
 security-level 100
!
interface Vlan2
 nameif outside
 security-level 0
!
ftp mode passive
access-list outs_in extended permit ip any any
access-list outs_in extended permit icmp any any
pager lines 24
mtu inside 1500
mtu outside 1500
no ip address
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outs_in in interface inside
access-group outs_in in interface outside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:234e9b9c6c9c941a89e37011325b6d5e
: end
ciscoasa#

ciscoasa# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outs_in; 2 elements; name hash: 0xd6c65ba5
access-list outs_in line 1 extended permit ip any any (hitcnt=0) 0x7d210842
access-list outs_in line 2 extended permit icmp any any (hitcnt=0) 0x5532fcc5
ciscoasa#


2 Replies

Tagir Temirgaliyev

Solved:

ciscoasa(config)# ip address 192.168.175.1 255.255.255.0

Without an IP address configured it doesn't work.

Now it works:

ciscoasa# sh access-list
access-list cached ACL log flows: total 0, denied 0 (deny-flow-max 4096)
            alert-interval 300
access-list outs_in; 2 elements; name hash: 0xd6c65ba5
access-list outs_in line 1 extended permit ip any any (hitcnt=16) 0x7d210842
access-list outs_in line 2 extended permit icmp any any (hitcnt=0) 0x5532fcc5
access-list ins_in; 1 elements; name hash: 0xd9482c1b
access-list ins_in line 1 extended permit ip any any (hitcnt=37) 0xc1d2e7b7

Accepted Solution

Hello,

Exactly... Good to know it is working now.

Do you know why it needs the IP address (as a transparent firewall)?

The ASA will act as a layer 2 device, right, transparent to the network. But what happens when the ASA does not know about a particular destination MAC address? What would be the source IP address of that packet? The ASA's IP address. So that is the main reason why we need that.

We also use it for management traffic to the box and for AAA services (if authentication is used, the ASA will send the AAA authentication request to the server) with this source IP address.

Please mark the question as answered, so future users can learn from this.

Julio Carvajal

Costa Rica

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
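The thread turns on two things that are easy to check mechanically from a `show running-config`: whether an ASA in transparent mode has the global management `ip address` (the ASA 8.2 single-context syntax used above; later releases moved it to a BVI interface), and what the access-groups on the bridged interfaces actually permit. The following is an added example, not code from this thread or from Cisco: a small Python lint that parses a config in the page's format and reports those findings. The sample config is a constructed, trimmed copy of the `sh run` above; the finding texts and the `lint_config` helper are this example's own.

```python
"""Lint an ASA 8.2-style running-config for transparent-mode pitfalls.

Added example (not from the thread or from Cisco). It checks that a
transparent-mode config carries a global 'ip address' (ASA 8.2
single-context syntax; later releases put it on a BVI), and flags
'permit ip any any' rules applied to an interface, since a transparent
firewall that permits everything is filtering nothing.
"""
import re

# Constructed sample, trimmed from the thread's 'sh run' (no management IP yet).
SAMPLE_CONFIG = """\
ASA Version 8.2(5)
!
firewall transparent
hostname ciscoasa
!
interface Ethernet0/0
 switchport access vlan 2
!
interface Vlan1
 nameif inside
 security-level 100
!
interface Vlan2
 nameif outside
 security-level 0
!
access-list outs_in extended permit ip any any
access-list outs_in extended permit icmp any any
no ip address
access-group outs_in in interface inside
access-group outs_in in interface outside
"""


def parse_config(text):
    """Summarise the parts of the config the lint needs into a dict."""
    summary = {
        "transparent": False,
        "mgmt_ip": None,      # (address, mask) of the global 'ip address'
        "nameifs": {},        # interface -> nameif
        "acls": {},           # acl name -> list of rule strings
        "access_groups": {},  # nameif -> (acl, direction)
    }
    current_if = None
    for raw in text.splitlines():
        stripped = raw.strip()
        if stripped == "!":          # '!' ends an interface sub-mode block
            current_if = None
            continue
        if not stripped:
            continue
        if stripped == "firewall transparent":
            summary["transparent"] = True
        elif stripped.startswith("interface "):
            current_if = stripped.split(None, 1)[1]
        elif current_if and stripped.startswith("nameif "):
            summary["nameifs"][current_if] = stripped.split()[1]
        elif current_if is None and re.match(r"^ip address \S+ \S+", stripped):
            # Global (not per-interface) 'ip address': the transparent-mode management IP.
            summary["mgmt_ip"] = tuple(stripped.split()[2:4])
        elif stripped.startswith("access-list "):
            parts = stripped.split()
            summary["acls"].setdefault(parts[1], []).append(" ".join(parts[2:]))
        elif stripped.startswith("access-group "):
            m = re.match(r"access-group (\S+) (in|out) interface (\S+)", stripped)
            if m:
                summary["access_groups"][m.group(3)] = (m.group(1), m.group(2))
    return summary


def lint(summary):
    """Return a list of human-readable findings for a parsed config."""
    findings = []
    if summary["transparent"] and summary["mgmt_ip"] is None:
        findings.append("transparent mode but no global management IP address: "
                        "the ASA has no source address for ARP, management or AAA traffic")
    for nameif in summary["nameifs"].values():
        if nameif not in summary["access_groups"]:
            findings.append(f"no access-group on {nameif}: inbound traffic there "
                            "falls back to the implicit security-level rules")
    for nameif, (acl, direction) in summary["access_groups"].items():
        for rule in summary["acls"].get(acl, []):
            if "permit ip any any" in rule:
                findings.append(f"ACL {acl} applied {direction} on {nameif} contains "
                                "'permit ip any any': it filters nothing on that interface")
    return findings


def lint_config(text):
    """Convenience wrapper: parse then lint."""
    return lint(parse_config(text))


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print("-", finding)
    # Apply the thread's fix (the same address the poster used) and re-run.
    fixed = SAMPLE_CONFIG.replace("no ip address", "ip address 192.168.175.1 255.255.255.0")
    print("after adding the management IP:")
    for finding in lint_config(fixed):
        print("-", finding)
```

Run against the sample it reports the missing management IP plus the two `permit ip any any` access-groups; after the fix only the permissive ACL findings remain, which is the part of this config a reviewer would still want to tighten.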