03-25-2015 07:41 AM - edited 03-11-2019 10:41 PM
Hi there ,
I placed an ASA5545 running OS 9.1 between two switches in transparent mode; however, there seems to be some problem in my configuration.
<inside switch1>----------------------------ASA---------------------------<outside switch2>
172.16.10.10 172.16.10.9 172.16.10.1
Actions I have done:
I configured a bridge-group and placed inside and outside in the group
access list permit inside any any
access list permit outside any any
icmp permit any Outside
icmp permit any Inside
route outside 0.0.0.0 0.0.0.0 172.16.10.1
Access-group is assigned accordingly.
Problem description:
1. I can ping from the ASA to both ends.
2. I cannot ping from 10.10 to 10.1.
3. I cannot ping from 10.1 to 10.10.
4. The inside network cannot access anything outside, and inside is not accessible from outside either.
I checked the ARP table and it appeared it was not updated in time. Am I missing something? Thank you.
03-25-2015 08:02 AM
Do you have routes between the routers routing for those 10 networks?
03-25-2015 08:08 AM
03-25-2015 08:16 AM
Hi. How is the traffic routed between the 10.1 and 10.10 ?
Apologies....... I just realized that by 10.10 and 10.1 you meant the 2 switches
Do you see anything in the logs? Packet tracer?
03-25-2015 08:18 AM
Can you post your config?
03-25-2015 11:55 AM
I noticed you have mac learning disabled? Why is that?
03-25-2015 08:33 AM
Yes, the 2 switches.
The configuration is as follows:
============
Result of the command: "show run"
: Saved
:
ASA Version 9.1(2)
!
firewall transparent
hostname ciscoasa
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif outside
bridge-group 1
security-level 0
!
interface GigabitEthernet0/1
nameif inside
bridge-group 1
security-level 100
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
!
interface Management0/0
management-only
nameif mgt
security-level 0
ip address 10.105.2.10 255.255.255.0
!
interface BVI1
ip address 172.16.10.9 255.255.255.0
!
ftp mode passive
clock timezone CST 8
same-security-traffic permit inter-interface
object-group service DM_INLINE_SERVICE_1
service-object tcp-udp destination eq 3389
service-object tcp destination eq 90
object-group service DM_INLINE_TCPUDP_1 tcp-udp
port-object range 81 83
port-object range 90 92
object-group service DM_INLINE_TCPUDP_2 tcp-udp
port-object eq 8099
port-object eq 8631
object-group protocol TCPUDP
protocol-object udp
protocol-object tcp
object-group network DM_INLINE_NETWORK_1
network-object host 172.16.32.133
network-object host 172.16.32.134
object-group network DM_INLINE_NETWORK_2
network-object host 172.16.54.12
network-object host 172.16.54.13
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object udp
protocol-object tcp
object-group service DM_INLINE_SERVICE_2
service-object tcp-udp destination eq 1755
service-object tcp destination eq ftp-data
service-object tcp destination eq rtsp
service-object udp destination eq 2640
service-object udp destination range 5004 5005
object-group service DM_INLINE_TCP_1 tcp
port-object eq 1015
port-object eq 8081
port-object eq 81
object-group service DM_INLINE_TCP_2 tcp
port-object eq 1601
port-object eq 1701
object-group service DM_INLINE_TCP_3 tcp
port-object eq 8443
port-object eq https
object-group service DM_INLINE_TCP_4 tcp
port-object eq 6991
port-object eq 8118
port-object eq 9991
object-group service DM_INLINE_TCP_5 tcp
port-object eq 6991
port-object eq 8008
port-object eq 8118
port-object eq 8891
port-object eq 8991
port-object eq pop3
port-object eq smtp
port-object eq sqlnet
access-list inside extended permit ip any any
access-list inside extended permit icmp any any
access-list inside extended permit ospf any any
access-list outside extended permit tcp any any eq www
access-list outside extended permit icmp any any
access-list outside extended permit tcp any any eq 8080
access-list outside extended permit tcp any any eq https
access-list outside extended permit tcp any any eq telnet
access-list outside extended permit tcp any any eq ftp
access-list outside extended permit esp any any
access-list outside extended permit udp any any eq isakmp
access-list outside extended permit object-group DM_INLINE_SERVICE_1 any host 172.16.54.156
access-list outside extended permit object-group TCPUDP any host 172.16.54.89 object-group DM_INLINE_TCPUDP_1
access-list outside extended permit object-group TCPUDP any host 172.16.54.58 eq 88
access-list outside extended permit object-group TCPUDP any host 172.16.54.55 object-group DM_INLINE_TCPUDP_2
access-list outside extended permit object-group TCPUDP any host 172.16.54.52 eq 90
access-list outside extended permit object-group TCPUDP any host 172.16.54.49 eq 81
access-list outside extended permit object-group TCPUDP any host 172.16.54.46 eq 8267
access-list outside extended permit tcp any host 172.16.54.45
access-list outside extended permit tcp any host 172.16.54.41 eq 81
access-list outside extended permit tcp any host 172.16.54.39 object-group DM_INLINE_TCP_1
access-list outside extended permit tcp any host 172.16.54.38 eq 9000
access-list outside extended permit tcp any host 172.16.54.37 eq 81
access-list outside extended permit tcp any host 172.16.54.34 eq 8000
access-list outside extended permit tcp any host 172.16.54.31 eq 8001
access-list outside extended permit tcp any host 172.16.54.32 eq 8001
access-list outside extended permit object-group DM_INLINE_SERVICE_2 any host 172.16.54.30
access-list outside extended permit tcp any host 172.16.54.29 eq 8088
access-list outside extended permit tcp any host 172.16.54.28 object-group DM_INLINE_TCP_2
access-list outside extended permit tcp any host 172.16.54.21 object-group DM_INLINE_TCP_3
access-list outside extended permit tcp any host 172.16.54.14 eq 3210
access-list outside extended permit tcp any host 172.16.54.13 object-group DM_INLINE_TCP_4
access-list outside extended permit object-group TCPUDP host 172.16.32.151 host 172.16.54.13 eq 1521
access-list outside extended permit tcp any host 172.16.54.12 object-group DM_INLINE_TCP_5
access-list outside extended permit object-group DM_INLINE_PROTOCOL_1 object-group DM_INLINE_NETWORK_1 object-group DM_INLINE_NETWORK_2
access-list outside extended permit ospf any any
access-list outside extended permit udp any any
pager lines 24
logging enable
logging asdm informational
mtu outside 1500
mtu inside 1500
mtu mgt 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any inside
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group outside in interface outside
access-group inside in interface inside
access-group inside global
route outside 0.0.0.0 0.0.0.0 172.16.10.1 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 0.0.0.0 0.0.0.0 mgt
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet 0.0.0.0 0.0.0.0 mgt
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 mgt
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
!
tls-proxy maximum-session 1000
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
mac-learn outside disable
mac-learn inside disable
arp-inspection outside enable no-flood
arp-inspection inside enable no-flood
!
class-map inspection_default
match default-inspection-traffic
class-map notimeout
description sqlnet no timeout
match port tcp eq sqlnet
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
description SQLnotimeout
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
class notimeout
inspect sqlnet
set connection timeout embryonic 0:00:00 half-closed 0:00:00 idle 0:00:00
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:342a3341204597270a7e4e32b87d341c
: end
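The earlier reply asks why MAC learning is disabled. As an added example (not from this thread and not Cisco code), the Python audit below scans a transparent-mode running-config for the two settings in the posted config that stop bridging unless static entries accompany them: "mac-learn <if> disable" with no "mac-address-table static" entry for that interface, and "arp-inspection <if> enable no-flood" with no static "arp" entry for it. The config excerpt is constructed from the lines the OP posted, reduced to what the audit reads.

```python
import re
from typing import List

# Constructed excerpt of the "show run" posted in this thread, reduced to the
# lines the audit inspects; audit_transparent_asa() accepts the full output too.
POSTED_CONFIG = """\
firewall transparent
interface GigabitEthernet0/0
 nameif outside
 bridge-group 1
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
interface BVI1
 ip address 172.16.10.9 255.255.255.0
mac-learn outside disable
mac-learn inside disable
arp-inspection outside enable no-flood
arp-inspection inside enable no-flood
"""

# "mac-address-table static <nameif> <mac>" and "arp <nameif> <ip> <mac>";
# the second pattern does not match "arp timeout" or "arp-inspection".
STATIC_MAC = re.compile(r"^mac-address-table static (\S+) ")
STATIC_ARP = re.compile(r"^arp (\S+) \d+\.\d+\.\d+\.\d+ ")


def audit_transparent_asa(config: str) -> List[str]:
    """Return one finding per interface whose MAC learning or ARP inspection
    setting drops traffic because no static entry backs it up."""
    lines = [line.strip() for line in config.splitlines()]
    if "firewall transparent" not in lines:
        return []  # routed-mode box: these bridge checks do not apply
    static_mac, static_arp = set(), set()
    for line in lines:
        if m := STATIC_MAC.match(line):
            static_mac.add(m.group(1))
        elif m := STATIC_ARP.match(line):
            static_arp.add(m.group(1))
    findings = []
    for line in lines:
        parts = line.split()
        if line.startswith("mac-learn ") and parts[-1] == "disable":
            if parts[1] not in static_mac:
                findings.append(f"{parts[1]}: MAC learning disabled with no static "
                                "mac-address-table entry, so frames are not forwarded")
        elif line.startswith("arp-inspection ") and parts[-1] == "no-flood":
            if parts[1] not in static_arp:
                findings.append(f"{parts[1]}: ARP inspection no-flood with no static "
                                "arp entry, so non-matching ARP packets are dropped")
    return findings


if __name__ == "__main__":
    for finding in audit_transparent_asa(POSTED_CONFIG):
        print(finding)
```

On the posted config the audit reports all four settings; adding a static MAC and ARP entry for one interface clears that interface's findings, and re-enabling learning clears the mac-learn findings entirely.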
03-26-2015 01:05 AM
Hi,
Try to configure routing for your 'inside' local subnets?
route inside 172.16.32.0 <SM> <GW>
route inside 172.16.54.0 <SM> <GW>