Solved: ASA 5516X Transparent Configuration Problem with Inside-Outside Traffic

tosino489 · ‎09-21-2016

Hello Everyone,

I have been trying to Setup a New Network for the past few days but i have encountered serious issues with the Interfaces communication. My Software version is Cisco Adaptive Security Appliance Software Version 9.5(2) with Security Device Manager Version 7.5(2)

I have a Cisco 2901 Router with the WAN Interface to the Internet and LAN interface connected to the ASA 5516X Firewall.

My Router LAN IP address is 10.0.1.254 255.255.255.0. The Network Address for the Whole Network is 10.0.1.0 255.255.255.0

The Firewall is configured in Transparent Mode. I have On the Firewall Ports with below interfaces:

Int G1/1: Router Connection (Outside)Security-Level 0

Int G1/2: Switch Connection (Inside) Security-Level 100

Int G1/3: Switch 2 Connection (Inside) Security-Level 100

Int G1/4: DMZ Connection (DMZ) Security-Level 50

BVI1: 10.0.1.252 255.255.255.0

My Problem is that when i connect my Laptop to Int G1/2, I cannot Ping the Router directly from my Laptop but can Ping Router directly from the Firewall. The Router cannot also ping my Laptop but the Firewall can successfully ping the Router. Because of this Problem, I have done an access list for both in and Out for Inside and Outside interfaces to permit all outgoing and incoming but i am still unable to ping either way.

Before i created the Access List on the Firewall, the error i was getting on the ASDM was "No management IP address configured for transparent firewall. Dropping protocol UDP packet from inside:fe80::4ceb:96e5:8c3c:7ba0/49526 to outside:ff02::1:3/5355" Then i also got from the ASDM Log "Deny inbound UDP from 10.0.1.10/57364 (My Laptop's IP) to 239.255.255.250/1900 on Interface Inside"

But after adding a permit any any on both inside and outside for IN and OUt, below is the error that i get on the ASDM but the deny inbound error does not come up again

"No management IP address configured for transparent firewall. Dropping protocol UDP packet from inside:fe80::4ceb:96e5:8c3c:7ba0/65421 to outside:ff02::1:3/5355"

Here is my show config for the Firewall

ASA Version 9.5(2)
!
firewall transparent
hostname Tosin-FW5516
enable password DGzgxFyGzjggxCmZ encrypted
names
!
interface GigabitEthernet1/1
description Outside interface
nameif outside
bridge-group 1
security-level 0
!
interface GigabitEthernet1/2
description L3-Primary interface
nameif inside
bridge-group 1
security-level 100
!
interface GigabitEthernet1/3
description L3-Secondary interface
nameif inside1
bridge-group 1
security-level 100
!
interface GigabitEthernet1/4
description Server Switch interface
nameif DMZ
bridge-group 1
security-level 50
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
!
interface Management1/1
management-only
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
!
interface BVI1
ip address 10.0.1.252 255.255.255.0
!
ftp mode passive
clock timezone GMT 1
dns server-group DefaultDNS
access-list INSIDE-TO-OUTSIDE extended permit ip any any
access-list INSIDE-TO-OUTSIDE extended permit udp any any
access-list INSIDE-TO-OUTSIDE extended permit icmp any any
access-list INSIDE-TO-OUTSIDE extended permit tcp any any
access-list Outside-TO-Inside extended permit ip any any
access-list Outside-TO-Inside extended permit udp any any
access-list Outside-TO-Inside extended permit icmp any any
access-list Outside-TO-Inside extended permit tcp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu inside1 1500
mtu DMZ 1500
mtu management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group Outside-TO-Inside in interface outside
access-group Outside-TO-Inside out interface outside
access-group INSIDE-TO-OUTSIDE in interface inside
access-group INSIDE-TO-OUTSIDE out interface inside
access-group INSIDE-TO-OUTSIDE in interface inside1
access-group INSIDE-TO-OUTSIDE out interface inside1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
username fgpl password UPMwXdxpzOPfiV.F encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:2f76160cc11273d09f2fc8fabc0003b2

end:

Any suggestions on what is actually wrong would be appreciated

yugant.indulkar · ‎09-23-2016

i guess you need to allow icmp inspection in global policy,

so that it could allow icmp traffic.

View solution in original post

mickyq · ‎09-22-2016

My understanding is transparent mode is basically a bump in the wire. The same subnet exists on both sides and you can only use 2 interfaces.

try this:

conf t
firewall transparent
interface Ethernet 0/0
switchport access vlan 2
no shutdown
interface Ethernet 0/1
switchport access vlan 1
no shutdown
interface vlan 2
nameif outside
bridge-group 1
interface vlan 1
nameif inside
bridge-group 1
interface bvi 1
ip address 10.0.1.252

tosino489 · ‎09-22-2016

Hi Michael,

I appreciate your prompt response. However, the model is ASA 5516X and comes with Gigabit Interface Ports. Vlans are not configurable on the interfaces except i tag the Traffic on the Ports with the Encapsulation dot1Q as the Vlan configuration.

I will try this out with all what you have recommended and get back to you.

Regards,

tosino489 · ‎09-22-2016

Hi Michael,

I could not configure Vlan directly on the interface and when i did configure the Vlan on the sub-interface, the sub-interface did not communicate with each other.

I don't know what else to try.

Thanks

yugant.indulkar · ‎09-23-2016

i guess you need to allow icmp inspection in global policy,

so that it could allow icmp traffic.

yugant.indulkar · ‎09-23-2016

i guess you need to allow icmp inspection in global policy,

so that it could allow icmp traffic.

tosino489 · ‎09-27-2016

Hello Yugant,

Thank you for your response. I appreciate it. You were absolutely correct. I was able to solve the problem after searching out your discussion where i got another user having my problem. The issue was resolved issuing the following command

policy-map global_policy

class inspection_default

inspect icmp

inspect icmp error

here was the website i got it from.

https://supportforums.cisco.com/discussion/11942506/fwsm-icmp-inspection

Thank you all for your assistance. I sincerely appreciate it.

Regards,

Tosin