ASA 5506-X Transparent Mode Help

mano.hernandez
Level 1


I have a legacy PC (XP) running legacy software that has to be on the same subnet; however, we need to put it behind a firewall.

I put the ASA in transparent mode and assigned BVI1 an IP address.

I need ports 4000, 966 and 950, as well as letting a device 10.xxx.xxx.002 access the PC.

What are my next steps?

7 Replies

Troy Jackson
Level 1

1. Assign BVI1 group to interfaces "bridge-group 1"
2. Add "nameif" to the interfaces
3. Add security levels
4. Add ACL to the interface using "access-group" with the ports needed

Troy

Please remember to rate useful posts, by clicking on the star below.
-Troy J.

interface GigabitEthernet1/1
bridge-group 1
nameif outside
security-level 0
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside
security-level 100

 

 

ACL is next.

hostname(config)# access-list OUTSIDE extended permit ip host 10.13.31.2 host any
hostname(config)# access-group OUTSIDE in interface outside

hostname(config)# access-list INSIDE permit tcp any host any eq 4001
hostname(config)# access-list INSIDE permit tcp any host any eq 950
hostname(config)# access-list INSIDE permit tcp any host any eq 966

hostname(config)# access-group INSIDE in interface outside

 

 

Would that work for having the external IP address access the device behind the firewall, and the device behind the firewall access other devices via those ports only?

If by external you mean IP addresses from the OUTSIDE interface, then yes. The same goes for the INSIDE interface traffic. You will need to change the config a little. I put the changes below:

 

hostname(config)# access-list OUTSIDE extended permit ip host 10.13.31.2 any
hostname(config)# access-group OUTSIDE in interface outside

 

hostname(config)# access-list INSIDE permit tcp any any eq 4001
hostname(config)# access-list INSIDE permit tcp any any eq 950
hostname(config)# access-list INSIDE permit tcp any any eq 966
hostname(config)# access-group INSIDE in interface inside


Thanks, I got that.

I'm trying to get the web GUI or SSH to work from the outside to the ASA. Would that be another policy?

http server enable
http 0.0.0.0 0.0.0.0 outside

 

 

No. But you will need a few extra commands to get SSH and ASDM running.

 

For ASDM you have the right config; you just need to make sure the "asdm image" command is pointing to the right ASDM file and set up AAA with a username/password, e.g.

aaa authentication http console LOCAL

 

For SSH you will need to configure:

- Crypto Key 

- AAA with username/password, e.g.

aaa authentication ssh console LOCAL

- ssh 0.0.0.0 0.0.0.0 outside

 

You can find the complete configuration in this guide:

 

https://www.cisco.com/c/en/us/td/docs/security/asa/asa99/configuration/general/asa-99-general-config/admin-management.html#concept_0B1238EFA3BD419FA738E8F85BEAE4FA

 

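The ACL draft in the first exchange above and the SSH/ASDM lines in the accepted answer both contain pitfalls that are easy to miss when pasting config: `host any` is not valid ASA syntax (`host` takes an address), a second `access-group ... in interface outside` replaces the ACL already bound there rather than adding to it, and `ssh 0.0.0.0 0.0.0.0 outside` / `http 0.0.0.0 0.0.0.0 outside` expose management to every address on the outside segment. The Python script below is an added example, not code from this thread or from Cisco. It lints a constructed config snippet assembled from the lines posted above (10.13.31.2 is the thread's own example host) and reports those problems, together with the mismatch between the ports listed in the question (4000, 966, 950) and the ports in the posted ACLs (4001, 950, 966), whichever of the two is the typo. The finding codes, the `REQUIRED_PORTS` set and the restricted management lines in the `CORRECTED` snippet are the example's own assumptions.

```python
"""Lint a Cisco ASA config snippet for the access-list and management-access
mistakes discussed in this thread.  Added example, not Cisco code."""
import ipaddress

# Constructed interface block, copied from the reply above (not a device export).
INTERFACES = """
interface GigabitEthernet1/1
 bridge-group 1
 nameif outside
 security-level 0
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside
 security-level 100
"""

# The first-draft ACLs from the thread plus wide-open SSH/ASDM access.
FIRST_DRAFT = INTERFACES + """\
access-list OUTSIDE extended permit ip host 10.13.31.2 host any
access-group OUTSIDE in interface outside
access-list INSIDE permit tcp any host any eq 4001
access-list INSIDE permit tcp any host any eq 950
access-list INSIDE permit tcp any host any eq 966
access-group INSIDE in interface outside
http server enable
http 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 outside
"""

# The corrected ACLs from the reply; management limited to the one peer named
# in the question (assumed here, the thread leaves management access wide open).
CORRECTED = INTERFACES + """\
access-list OUTSIDE extended permit ip host 10.13.31.2 any
access-group OUTSIDE in interface outside
access-list INSIDE extended permit tcp any any eq 4001
access-list INSIDE extended permit tcp any any eq 950
access-list INSIDE extended permit tcp any any eq 966
access-group INSIDE in interface inside
http server enable
http 10.13.31.2 255.255.255.255 outside
ssh 10.13.31.2 255.255.255.255 outside
"""

REQUIRED_PORTS = {4000, 950, 966}  # the ports listed in the original question


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def lint_asa(config, required_ports=REQUIRED_PORTS):
    """Return a list of (code, message) findings; an empty list means clean."""
    findings = []
    nameifs = set()          # interface names declared with nameif
    acls = set()             # access-list names defined
    bindings = {}            # (ifname, direction) -> ACL currently bound there
    permitted_ports = set()  # ports permitted by any ACL line
    for raw in config.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "!":
            continue
        if tok[0] == "nameif":
            nameifs.add(tok[1])
        elif tok[0] == "access-list":
            acls.add(tok[1])
            for i, t in enumerate(tok):
                nxt = tok[i + 1] if i + 1 < len(tok) else ""
                # 'host' must be followed by an address; 'host any' is rejected by the ASA
                if t == "host" and not _is_ip(nxt):
                    findings.append(("HOST_SYNTAX", f"{tok[1]}: 'host' followed by {nxt!r}, expected an address"))
                if t == "eq" and nxt.isdigit():
                    permitted_ports.add(int(nxt))
        elif tok[0] == "access-group" and len(tok) >= 5:
            # access-group NAME in|out interface IFNAME
            name, direction, ifname = tok[1], tok[2], tok[4]
            if name not in acls:
                findings.append(("ACL_UNDEFINED", f"access-group references undefined ACL {name}"))
            if ifname not in nameifs:
                findings.append(("IF_UNKNOWN", f"access-group binds to unknown interface {ifname}"))
            prev = bindings.get((ifname, direction))
            if prev is not None:
                # one extended ACL per interface and direction: the new binding replaces the old one
                findings.append(("ACL_REPLACED", f"{ifname} {direction}: {name} replaces {prev}, which is no longer enforced"))
            bindings[(ifname, direction)] = name
        elif tok[0] in ("ssh", "http") and len(tok) == 4 and _is_ip(tok[1]) and _is_ip(tok[2]):
            # ssh|http ADDRESS MASK IFNAME; a 0.0.0.0 mask admits every source on that interface
            if tok[2] == "0.0.0.0":
                findings.append(("MGMT_OPEN", f"{tok[0]} management reachable from any address on {tok[3]}"))
    for name in sorted(acls - set(bindings.values())):
        findings.append(("ACL_UNBOUND", f"{name} is not bound to any interface in the final config"))
    for port in sorted(required_ports - permitted_ports):
        findings.append(("PORT_MISSING", f"required port {port} is not permitted by any ACL"))
    for port in sorted(permitted_ports - required_ports):
        findings.append(("PORT_EXTRA", f"port {port} is permitted but not in the requirements"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("first draft", FIRST_DRAFT), ("corrected", CORRECTED)):
        report = lint_asa(cfg)
        print(f"== {label}: {len(report)} finding(s)")
        for code, msg in report:
            print(f"  {code:<13} {msg}")
```

Running the file prints ten findings for the first draft (four `host any` syntax errors, the replaced `outside in` binding that leaves `OUTSIDE` unenforced, two open management entries, and the 4000/4001 mismatch) and only the port mismatch for the corrected version. The lint is deliberately token-based so it can be pointed at a pasted `show running-config` excerpt, but it understands only the commands shown here; anything else is passed over silently.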

Thank you for all your help.
