02-15-2019 07:32 AM - edited 02-21-2020 08:49 AM
I'm having an issue with an ASA 5510 in transparent mode. I've configured two BVI interfaces for two subnets, as per below, but I'm unable to reach the inside subnet from the outside.
Any ideas what might be the issue?
Thanks
ASA Version 9.1(7)32
!
firewall transparent
!
enable password ########### encrypted
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
names
!
interface Ethernet0/0
 nameif outside
 bridge-group 1
 security-level 0
!
interface Ethernet0/1
 nameif inside
 bridge-group 2
 security-level 100
!
interface Ethernet0/2
 nameif inside2
 bridge-group 2
 security-level 100
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
!
interface Management0/0
 management-only
 shutdown
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface BVI1
 ip address 1xx.14.123.122 255.255.255.252
!
interface BVI2
 ip address xx4.45.109.129 255.255.255.248
!
boot system disk0:/asa917-32-k8.bin
ftp mode passive
object-group network Object1
 network-object host xx4.45.109.130
 network-object host xx4.45.109.131
!
access-list outside_access_in_1 extended permit ip any object-group Object1
!
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu management 1500
mtu inside2 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-781-150.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group outside_access_in_1 in interface outside
route outside 0.0.0.0 0.0.0.0 1xx.14.123.121 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 outside
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcpd address 192.168.1.2-192.168.1.254 management
dhcpd enable management
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
  inspect icmp
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
02-15-2019 09:00 AM
Just looking at a high level, you do not have the interfaces configured correctly:
interface Ethernet0/0
 nameif outside
 bridge-group 1
 security-level 0
!
interface Ethernet0/1
 nameif inside
 bridge-group 2
 security-level 100
!
interface Ethernet0/2
 nameif inside2
 bridge-group 2
 security-level 100
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
Example guide for reference; correct it accordingly.
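As an added illustration, not part of this reply and not Cisco tooling: a small Python check that parses the interface section of the configuration posted above (embedded here as constructed sample input, with the addresses masked exactly as in the post) and reports the two structural points a reviewer looks for in an ASA transparent-mode config. A bridge group with a single member interface has nothing to bridge to and cannot pass through-traffic, and the ASA in transparent mode does not forward between bridge groups, so an outside interface in bridge-group 1 and inside interfaces in bridge-group 2 are isolated from each other without an external router. The function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: the interface section of the ASA transparent-mode config
# from the original post, addresses masked as they appear there.
SAMPLE_CONFIG = """\
firewall transparent
!
interface Ethernet0/0
 nameif outside
 bridge-group 1
 security-level 0
!
interface Ethernet0/1
 nameif inside
 bridge-group 2
 security-level 100
!
interface Ethernet0/2
 nameif inside2
 bridge-group 2
 security-level 100
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
!
interface BVI1
 ip address 1xx.14.123.122 255.255.255.252
!
interface BVI2
 ip address xx4.45.109.129 255.255.255.248
!
"""


def parse_interfaces(config):
    """Return {interface_name: [sub-commands]} from an ASA running-config."""
    interfaces = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"^interface (\S+)$", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            # Indented line: a sub-command of the current interface block.
            interfaces[current].append(line.strip())
        else:
            # "!" or any other top-level command ends the interface block.
            current = None
    return interfaces


def bridge_group_members(interfaces):
    """Map bridge-group id -> list of member physical interfaces."""
    groups = defaultdict(list)
    for name, cmds in interfaces.items():
        for cmd in cmds:
            m = re.match(r"^bridge-group (\d+)$", cmd)
            if m:
                groups[int(m.group(1))].append(name)
    return dict(groups)


def bvi_addresses(interfaces):
    """Map BVI id -> configured management IP (None if missing)."""
    bvis = {}
    for name, cmds in interfaces.items():
        m = re.match(r"^BVI(\d+)$", name)
        if m:
            addr = [c for c in cmds if c.startswith("ip address ")]
            bvis[int(m.group(1))] = addr[0].split()[2] if addr else None
    return bvis


def check_transparent_config(config):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    if "firewall transparent" not in config:
        findings.append("not in transparent mode; bridge-group checks do not apply")
        return findings
    ifs = parse_interfaces(config)
    groups = bridge_group_members(ifs)
    bvis = bvi_addresses(ifs)
    for gid, members in sorted(groups.items()):
        if len(members) < 2:
            findings.append(
                f"bridge-group {gid} has only {members}: a transparent bridge group "
                f"needs at least two member interfaces to pass through-traffic")
        if bvis.get(gid) is None:
            findings.append(f"bridge-group {gid} has no BVI{gid} management address")
    for bid in bvis:
        if bid not in groups:
            findings.append(f"BVI{bid} exists but no interface is in bridge-group {bid}")
    if len(groups) > 1:
        findings.append(
            "more than one bridge group: the ASA does not forward between bridge "
            "groups in transparent mode, so hosts behind different groups need an "
            "external router to reach each other")
    return findings


if __name__ == "__main__":
    for finding in check_transparent_config(SAMPLE_CONFIG):
        print("-", finding)
```

Run against the sample it reports exactly two findings: bridge-group 1 containing only Ethernet0/0, and the outside/inside split across two bridge groups. Fixing either one alone is not enough; the interfaces that must talk to each other have to sit in the same bridge group, and that group needs its own BVI address.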
02-15-2019 11:59 AM
How are you trying to reach the inside subnet?