Solved: ASA 5550 in Transparent Mode

Brian Green · ‎10-22-2015

Hello,

I have an ASA 5550 running 9.0(2) in transparent mode bridging one VLan - both sides (GigabitEthernet0/0 and 0/3) are on the same /27 subnet, and are tagged with the same VLan ID. On the two sides of the ASA are two separate switches. After the switches the connections go to routers - a 2921 and a 3945.

My issue is traffic crossing the firewall doesn't seem to be going. Both switches have an SVI address created on them, and I can ping them from the rotuer on the same side of the ASA, but when I try to traverse the ASA I don't see anything. I've created an explicit rule to permit traffic from any to any using ip or icmp - no luck.

Would this config work? And if it should - is there a way (without using a third-party tool) to see the traffic that hits the firewall either through the CLI or through ASDM?

Thanks,

Brian

Akshay Rastogi · ‎10-22-2015

Hi Brain,

Have you configured an IP address in that specific BVI which you have created for this vlan?

You need to have IP address assigned in BVI for both management traffic and traffic to pass through the ASA.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/interface_complete_transparent.html#wp1321327

Also check the output of 'show arp' and 'ping inside <ip address of host behind inside interface>' , ping outside <outside facing ip>.

You can take packet captures on ASA to see if packets are passing or dropping :

capture drop type asp-drop all

Please use the link below to understand captures on ASA :

ASDM :

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/asdm64/configuration_guide/asdm_64_config/admin_trouble.html#wp1246107

CLI :

https://supportforums.cisco.com/document/69281/asa-using-packet-capture-troubleshoot-asa-firewall-configuration-and-scenarios

Regards,

Akshay Rastogi

View solution in original post

Akshay Rastogi · ‎10-22-2015