2242 Views | 10 Helpful | 7 Replies

ASA 5516 Transparent Mode - BVI IP Needed?

brian28
Level 1

Hello all,

I'm replacing a Juniper SRX650 firewall with an ASA-5516. The Juniper is configured for transparent mode, very simply sitting between my inside network and our service provider. No other connections besides the management interface.

I understand that I need to build a BVI group and place both the outside and inside interfaces in this group. Here's my (potential) issue: this network is a /30 network. My inside router has one IP, the outside router the other. I have no space left to enter a BVI IP in the firewall. The Juniper doesn't require one, so it's never been an issue.

These IPs and the network were given to us by our service provider, and it would be difficult if not impossible to get them to change/expand/etc. Can I just create the BVI and leave the IP address blank, or will this cause the firewall not to pass the traffic?

If leaving it blank is not an option, is there anything else I could do?

Accepted Solution

Yes, it won't work; the ASA will drop the traffic and generate a syslog message like the one below, as an example.

'%ASA-6-322004: No management IP address configured for transparent firewall. Dropping protocol ICMP packet from IN:10.150.1.1/2048 to OUT:10.150.1.2/0'

**** Please remember to rate useful posts
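The drop described in the accepted answer is visible in syslog, so it can be detected rather than discovered by users. The following is an added example, not code from this thread or from Cisco: a small Python parser for the %ASA-6-322004 message quoted above, run over a few constructed syslog lines, that reports how many packets were dropped per ingress/egress interface pair so an operator can see which bridge group is missing its BVI address. The hostname, timestamps and the non-matching third line are constructed; the message text and addresses in the first two lines are taken from the quoted example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Pattern for the message quoted in the accepted answer (%ASA-6-322004).
# The field layout follows that quoted line; optional whitespace is allowed
# after "OUT:" only because the forum post wrapped the line there.
_RE_322004 = re.compile(
    r"%ASA-6-322004: No management IP address configured for transparent "
    r"firewall\. Dropping protocol (?P<proto>\S+) packet from "
    r"(?P<in_if>[^:\s]+):(?P<src>[\d.]+)/(?P<sport>\d+) to "
    r"(?P<out_if>[^:\s]+):\s*(?P<dst>[\d.]+)/(?P<dport>\d+)"
)


@dataclass(frozen=True)
class BviDrop:
    proto: str
    in_if: str
    src: str
    out_if: str
    dst: str


def parse_322004(line: str) -> Optional[BviDrop]:
    """Return the drop details if this syslog line is a 322004 message, else None."""
    m = _RE_322004.search(line)
    if m is None:
        return None
    return BviDrop(m["proto"], m["in_if"], m["src"], m["out_if"], m["dst"])


def find_bvi_drops(lines: List[str]) -> List[BviDrop]:
    """Filter a list of raw syslog lines down to the 322004 drops."""
    drops = []
    for line in lines:
        d = parse_322004(line)
        if d is not None:
            drops.append(d)
    return drops


def drops_per_segment(drops: List[BviDrop]) -> Dict[Tuple[str, str], int]:
    """Count drops per (ingress nameif, egress nameif) pair, i.e. per bridged path."""
    return dict(Counter((d.in_if, d.out_if) for d in drops))


# Constructed sample syslog lines (hostname and timestamps are invented).
# The first two reuse the message text and addresses quoted in the accepted
# answer; the third is an unrelated connection-built message that must not match.
SAMPLE_LOG = [
    "Jan 10 10:01:02 asa-edge %ASA-6-322004: No management IP address configured for transparent firewall. Dropping protocol ICMP packet from IN:10.150.1.1/2048 to OUT:10.150.1.2/0",
    "Jan 10 10:01:03 asa-edge %ASA-6-322004: No management IP address configured for transparent firewall. Dropping protocol TCP packet from IN:10.150.1.1/51234 to OUT:10.150.1.2/443",
    "Jan 10 10:01:04 asa-edge %ASA-6-302013: Built outbound TCP connection 12 for OUT:10.150.1.2/443 (10.150.1.2/443) to IN:10.150.1.1/51234 (10.150.1.1/51234)",
]

if __name__ == "__main__":
    found = find_bvi_drops(SAMPLE_LOG)
    for (ingress, egress), n in drops_per_segment(found).items():
        print(f"{ingress} -> {egress}: {n} packet(s) dropped for missing BVI address")
```

A single 322004 line is enough to raise an alert: the message is only emitted when a bridge group has no BVI address, so the count per path is there to show which segment is affected, not to set a threshold.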

7 Replies

This is a tricky situation. Per my knowledge you need a BVI address; you can't leave it alone, unless some respected member advises on this.

please do not forget to rate.


brian28
Level 1

Thanks for the replies guys. In lab testing (simulating the routers on each end) I've confirmed that without the BVI ID, the traffic does indeed get dropped. But if I change the network to a /29 on both devices and add a BVI ID within that subnet, traffic does pass through.

Does anyone know any other way to get around this or to configure this without having my service provider expand this subnet? That may not be possible.

A /29 gives you 8 hosts; minus 2 (one for the subnet IP and the other for broadcast) leaves you 6 IP addresses to use.

I don't think you have any other way to do this. Just curious, why did you put the firewall between two public IP addresses?

Your design is like this:

----router-----Transparent-firewall------ISP

Can you not do it this way?

Transparent-FW-------Router-----------ISP

Put the firewall behind the router. Maybe if you have private addresses you can borrow one easily?

please do not forget to rate.

Actually, there is no router on the inside, just a layer 3 port on a switch. I didn't clarify that originally, my apologies...

Anyways, I was actually able to get the service provider to expand the network to a /29, so we are all set! Didn't think it'd be that easy, I'm pleasantly surprised. Thanks again for all of the replies.

Just for your information, for knowledge:

1. If the mgmt interface is not configured, does not exist, or is not in use, then the BVI interface IP address is used for management purposes. In this case the route will be

    route inside 0.0.0.0 0.0.0.0 next-hop-router-address

2. If using the mgmt interface, the default gateway is the router that resides toward the management interface.

    route mgmt 0 0 next-hop-router-address

3. In case the management interface is configured and the BVI interface is also configured, as in the example below, then the management interface will be used for management purposes.

firewall transparent
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.122.109.101 255.255.255.0
 no shutdown
!
route management 0.0.0.0 0.0.0.0 10.122.109.1
http server enable
http 10.122.109.0 255.255.255.0 management
!
interface GigabitEthernet0/0
 nameif inside
 bridge-group 1
!
interface GigabitEthernet0/1
 nameif outside
 bridge-group 1
!
interface BVI1
 ip address 10.10.1.10 255.255.255.0
!

please do not forget to rate, if it was helpful, as this will help others too.
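Two things in this thread are worth checking mechanically before a transparent-mode ASA goes into production: that every bridge group's BVI actually carries an address (the original poster's problem), and that the chosen address fits the segment once the two routers have taken theirs (the /30 versus /29 arithmetic above). The following is an added example, not code from this thread or from Cisco: a Python checker that parses a transparent-mode config fragment modelled on the one posted above, reports a bridge group whose BVI has no IP address, flags a BVI address that collides with the network/broadcast address or with a known neighbour, and lists the host addresses left in a subnet. The config text, the interface names and the 203.0.113.x addresses are constructed for this example.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed transparent-mode fragment modelled on the one posted above.
# Interface names and addresses are illustrative only.
GOOD_CONFIG = """\
firewall transparent
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.122.109.101 255.255.255.0
 no shutdown
!
route management 0.0.0.0 0.0.0.0 10.122.109.1
!
interface GigabitEthernet0/0
 nameif inside
 bridge-group 1
!
interface GigabitEthernet0/1
 nameif outside
 bridge-group 1
!
interface BVI1
 ip address 10.10.1.10 255.255.255.0
!
"""

# The same fragment with the BVI address line removed: the situation the
# original poster described.
MISSING_BVI_CONFIG = "\n".join(
    l for l in GOOD_CONFIG.splitlines() if not l.strip().startswith("ip address 10.10.1.10")
)


def parse_bridge_groups(config: str) -> Dict[str, dict]:
    """Collect, per bridge-group id, the member nameifs and the BVI address (or None)."""
    groups: Dict[str, dict] = {}
    current_if: Optional[str] = None
    nameif: Optional[str] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current_if = line.split(None, 1)[1]
            nameif = None
        elif current_if is None:
            continue
        elif line.startswith("nameif "):
            nameif = line.split(None, 1)[1]
        elif line.startswith("bridge-group "):
            gid = line.split(None, 1)[1]
            groups.setdefault(gid, {"members": [], "bvi": None})
            groups[gid]["members"].append(nameif or current_if)
        elif line.startswith("ip address ") and current_if.upper().startswith("BVI"):
            gid = current_if[3:]  # "BVI1" -> bridge-group "1"
            _, _, ip, mask = line.split()[:4]
            groups.setdefault(gid, {"members": [], "bvi": None})
            groups[gid]["bvi"] = ipaddress.IPv4Interface(f"{ip}/{mask}")
    return groups


def check_bvi(groups: Dict[str, dict], in_use: Dict[str, List[str]]) -> List[str]:
    """Findings per bridge group: a missing BVI address, or an address that is the
    network/broadcast address or already used by a neighbour on that segment
    (in_use is keyed by bridge-group id and is supplied by the operator)."""
    findings = []
    for gid, info in sorted(groups.items()):
        bvi = info["bvi"]
        if bvi is None:
            findings.append(f"bridge-group {gid}: BVI{gid} has no IP address; transit traffic will be dropped (%ASA-6-322004)")
            continue
        net, addr = bvi.network, bvi.ip
        if addr in (net.network_address, net.broadcast_address):
            findings.append(f"bridge-group {gid}: {addr} is the network or broadcast address of {net}")
        taken = {ipaddress.IPv4Address(a) for a in in_use.get(gid, [])}
        if addr in taken:
            findings.append(f"bridge-group {gid}: {addr} is already used by a neighbour on {net}")
    return findings


def free_host_addresses(network: str, taken: List[str]) -> List[str]:
    """Usable host addresses in `network` that are not already in `taken`."""
    net = ipaddress.IPv4Network(network, strict=False)
    used = {ipaddress.IPv4Address(t) for t in taken}
    return [str(h) for h in net.hosts() if h not in used]


if __name__ == "__main__":
    routers = ["203.0.113.1", "203.0.113.2"]  # constructed: inside and provider addresses
    print("/30 free:", free_host_addresses("203.0.113.0/30", routers))  # nothing left for a BVI
    print("/29 free:", free_host_addresses("203.0.113.0/29", routers))  # four candidates
    for finding in check_bvi(parse_bridge_groups(MISSING_BVI_CONFIG), {}):
        print(finding)
```

Running it on the constructed /30 reproduces the poster's dead end (no free host address), and on the /29 shows the four remaining candidates; the parser only records `ip address` lines under `interface BVIn`, so a management-interface address is never mistaken for a BVI address.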

Yes sir, that's exactly how I have it configured.  Thanks for the information and confirmation that I have it configured correctly!
