04-08-2019 01:09 AM - edited 04-08-2019 01:24 AM
Hi,
If I configure the ASA5506 with a bridge-group on the ingress interface, I need to apply a permit access-list on the egress interface to forward traffic.
If I use the same configuration, but without a bridge-group on the ingress interface, the traffic is forwarded without a permit access-list on the egress interface.
The security level is 100 on the ingress interface, 100 on the BVI interface, and 0 on the egress interface.
Please explain to me why.
Sorry if my English is bad.
04-09-2019 05:25 AM
A BVI (Bridge Virtual Interface) is required to configure bridge groups on a firewall in transparent mode.
Each bridge group requires a management IP address. The ASA uses this IP address as the source address for packets originating from the bridge group. The management IP address must be on the same subnet as the connected network. For IPv4 traffic, the management IP address is required to transmit any traffic.
Example:
ciscoasa(config)# interface bvi 1
Specify the management IP address for the bridge group.
ciscoasa(config-if)# ip address xxxx 255.255.255.0 standby xxxy
Source : https://www.techtutsonline.com/interface-configuration-in-cisco-asa-transparent-mode/
The ASA uses a security level associated with each interface. It is a number between 0 and 100 that defines how trusted the network connected to the interface is; the higher the number, the more you trust the network. For example, the most secure network, such as the internal LAN, should have a security level of 100. The external interface connected to an untrusted network (such as the Internet) should be level 0. The interface connected to the DMZ should have its security level set to something between 1 and 99 (usually 50).
Security levels define how traffic initiated from one interface can reach, and return from, another interface. By default, higher-security-level interfaces can initiate traffic to a lower level:
level 100 for the internal network
level 50 for the DMZ network
level 0 for the external network
By default, the ASA will block any new traffic trying to move from a lower security level to a higher security level. This means, for example, that a server on the external network cannot start a conversation with a server in our DMZ network or with a host on the internal network. The server in the DMZ can initiate traffic outbound (from high to low, 50 to 0) but cannot initiate a conversation inbound (from low to high, 50 trying to go to 100). The inside host can initiate traffic to the DMZ server and to the Internet. When the server on the outside responds back to the internal host, the ASA will dynamically allow the return traffic.
Best Regards
Josiane
Twitter: SecureGirllNinja
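The security-level rules in the answer above, worked through as a small model (an added example, not code from the post or from Cisco). Interface names and levels are assumed; an access-list is reduced to its verdict for the flow under consideration; and the reply handling follows the outcome of this thread: TCP and UDP replies match the connection table, while ICMP replies are only matched statefully when "inspect icmp" is enabled and are otherwise judged like new traffic arriving on the reply interface.

```python
"""Model of the ASA default interface policy described in the answer above
(added example, not Cisco code).  Modelled rules: new connections are allowed
from a higher security level to a lower one, denied from lower to higher, and
allowed between equal levels only with 'same-security-traffic permit
inter-interface'; an inbound ACL on the ingress interface replaces the
implicit rule.  TCP/UDP replies match the connection table; ICMP replies do
so only with 'inspect icmp', otherwise they are evaluated as new traffic
entering on the interface where the reply arrives (what the poster hit)."""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Interface:
    name: str
    security_level: int
    # None: no ACL applied inbound.  True/False: the ACL's verdict for the
    # flow being evaluated (the ACL contents themselves are not modelled).
    inbound_acl_permits: Optional[bool] = None


@dataclass
class Asa:
    interfaces: Dict[str, Interface]
    same_security_inter_interface: bool = False
    inspect_icmp: bool = False

    def new_connection_allowed(self, ingress: str, egress: str) -> bool:
        src, dst = self.interfaces[ingress], self.interfaces[egress]
        if src.inbound_acl_permits is not None:
            # An applied ACL replaces the implicit security-level rule and
            # ends with an implicit deny, so its verdict is final.
            return src.inbound_acl_permits
        if src.security_level > dst.security_level:
            return True
        if src.security_level == dst.security_level:
            return self.same_security_inter_interface
        return False

    def reply_allowed(self, protocol: str, ingress: str, egress: str) -> bool:
        """Is the reply to a connection that went ingress -> egress let back in?"""
        tracked = protocol in ("tcp", "udp") or (
            protocol == "icmp" and self.inspect_icmp)
        if tracked:
            return True  # matched in the connection table; no ACL consulted
        # Untracked reply: judged as new traffic entering on the reply side.
        return self.new_connection_allowed(egress, ingress)


def thread_scenario() -> Dict[str, bool]:
    """inside 100 / dmz 50 / outside 0 plus a second 100 interface (names assumed)."""
    def asa(**flags) -> Asa:
        return Asa({"inside": Interface("inside", 100),
                    "inside_2": Interface("inside_2", 100),
                    "dmz": Interface("dmz", 50),
                    "outside": Interface("outside", 0)}, **flags)

    default, inspecting, with_acl = asa(), asa(inspect_icmp=True), asa()
    # e.g. an ACL on outside that permits the echo-reply (verdict only)
    with_acl.interfaces["outside"].inbound_acl_permits = True
    return {
        "inside_to_outside": default.new_connection_allowed("inside", "outside"),
        "outside_to_inside": default.new_connection_allowed("outside", "inside"),
        "dmz_to_outside": default.new_connection_allowed("dmz", "outside"),
        "dmz_to_inside": default.new_connection_allowed("dmz", "inside"),
        "same_level_default": default.new_connection_allowed("inside", "inside_2"),
        "same_level_permitted": asa(same_security_inter_interface=True)
        .new_connection_allowed("inside", "inside_2"),
        "tcp_reply": default.reply_allowed("tcp", "inside", "outside"),
        "icmp_reply_default": default.reply_allowed("icmp", "inside", "outside"),
        "icmp_reply_inspect": inspecting.reply_allowed("icmp", "inside", "outside"),
        "icmp_reply_egress_acl": with_acl.reply_allowed("icmp", "inside", "outside"),
    }
```

Running thread_scenario() shows the two ways out of the poster's situation side by side: an ICMP echo reply is dropped under the default rules, and is let back in either by enabling ICMP inspection or by a permit access-list on the outside interface.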
04-09-2019 07:57 AM
Thank you for your reply. Without using a bridge-group on the ingress interface, it works correctly (traffic sent to the ingress interface with the high security level may exit the output interface with the lower security level, and the response from the remote host is returned to the sender). But if a bridge-group is used on the ingress interface, then to obtain a response from the remote host you need to apply a permit access-list on the output interface.
04-09-2019 09:29 AM
Looking at the show run output.
Is the output similar to the configuration below?
!
interface GigabitEthernet1/2
bridge-group 1
nameif inside_1
security-level 100
!
interface GigabitEthernet1/3
bridge-group 1
nameif inside_2
security-level 100
!
interface GigabitEthernet1/4
bridge-group 1
nameif inside_3
security-level 100
!
interface GigabitEthernet1/5
bridge-group 1
nameif inside_4
security-level 100
!
interface GigabitEthernet1/6
bridge-group 1
nameif inside_5
security-level 100
!
interface GigabitEthernet1/7
bridge-group 1
nameif inside_6
security-level 100
!
interface GigabitEthernet1/8
bridge-group 1
nameif inside_7
security-level 100
!
interface BVI1
nameif inside
security-level 100
ip address 192.168.1.1 255.255.255.0
!
same-security-traffic permit inter-interface
!
object network obj_any1
subnet 0.0.0.0 0.0.0.0
object network obj_any2
subnet 0.0.0.0 0.0.0.0
object network obj_any3
subnet 0.0.0.0 0.0.0.0
object network obj_any4
subnet 0.0.0.0 0.0.0.0
object network obj_any5
subnet 0.0.0.0 0.0.0.0
object network obj_any6
subnet 0.0.0.0 0.0.0.0
object network obj_any7
subnet 0.0.0.0 0.0.0.0
!
mtu outside 1500
mtu inside_1 1500
mtu inside_2 1500
mtu inside_3 1500
mtu inside_4 1500
mtu inside_5 1500
mtu inside_6 1500
mtu inside_7 1500
!
object network obj_any1
nat (inside_1,outside) dynamic interface
object network obj_any2
nat (inside_2,outside) dynamic interface
object network obj_any3
nat (inside_3,outside) dynamic interface
object network obj_any4
nat (inside_4,outside) dynamic interface
object network obj_any5
nat (inside_5,outside) dynamic interface
object network obj_any6
nat (inside_6,outside) dynamic interface
object network obj_any7
nat (inside_7,outside) dynamic interface
!
http 192.168.1.0 255.255.255.0 inside_1
http 192.168.1.0 255.255.255.0 inside_2
http 192.168.1.0 255.255.255.0 inside_3
http 192.168.1.0 255.255.255.0 inside_4
http 192.168.1.0 255.255.255.0 inside_5
http 192.168.1.0 255.255.255.0 inside_6
http 192.168.1.0 255.255.255.0 inside_7
!
Questions:
1- Do you need to make several changes to the firewall?
If the answer is yes, the configuration will become complex.
2- Will this firewall be used for a small business client?
If so, this type of configuration would be feasible.
Josiane de Barros
Twitter:SecureGirlNinja
04-10-2019 03:13 AM
Thanks for your help
I checked the configuration again and found an error. I tested the connection with ping; the ASA blocked the ICMP reply, but connections work correctly. To fix this I will add:
policy-map global_policy
 class inspection_default
  inspect icmp
The full config with the bridge interface is:
ASA Version 9.8(2)
!
interface GigabitEthernet1/1
 no shutdown
 nameif outside
 security-level 0
 ip address xx.xxx.xxx.xx 255.255.255.240
!
interface GigabitEthernet1/2
 no shutdown
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
same-security-traffic permit inter-interface
object network obj_any1
 subnet 192.168.1.0 255.255.255.0
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
!
route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.xx 1
!
dhcpd dns 8.8.8.8
!
dhcpd address 192.168.1.5-192.168.1.254 inside
dhcpd enable inside
!
policy-map global_policy
 class inspection_default
  inspect icmp
The full config without the bridge interface is:
ASA Version 9.8(2)
!
interface GigabitEthernet1/1
 no shutdown
 nameif outside
 security-level 0
 ip address xx.xxx.xxx.xx 255.255.255.240
!
interface GigabitEthernet1/2
 no shutdown
 nameif inside_1
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
same-security-traffic permit inter-interface
object network obj_any1
 subnet 192.168.1.0 255.255.255.0
!
object network obj_any1
 nat (inside_1,outside) dynamic interface
!
route outside 0.0.0.0 0.0.0.0 xx.xxx.xxx.xx 1
!
dhcpd dns 8.8.8.8
!
dhcpd address 192.168.1.5-192.168.1.254 inside_1
dhcpd enable inside_1
!
policy-map global_policy
 class inspection_default
  inspect icmp
Both configurations work correctly; problem solved.
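A small linter for the kind of configuration posted above, as an added example (not Cisco tooling and not part of the original post). It reads "show running-config" style text, relying on the one-space indentation the ASA prints under each block, and reports the conditions this thread turned on: a bridge-group member without nameif or security-level, a bridge group with no BVI carrying a nameif and an ip address, a NAT rule naming an interface that does not exist, and a global_policy without "inspect icmp". The sample configuration is constructed from the working config posted above; the xx.xxx placeholders are kept as posted and are never parsed.

```python
"""Linter for the bridge-group/BVI setup discussed in this thread (added
example, not Cisco tooling).  Reads indented 'show running-config' text and
flags the conditions the thread turned on; without 'inspect icmp' the ASA
does not track ICMP echo replies statefully, so they need a permit ACL on
the interface where they arrive."""
import re
from typing import Dict, List

# Constructed sample modelled on the working config posted above; the
# xx.xxx placeholders are kept as posted and are never parsed.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address xx.xxx.xxx.xx 255.255.255.240
!
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside_1
 security-level 100
!
interface BVI1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
same-security-traffic permit inter-interface
object network obj_any1
 nat (inside_1,outside) dynamic interface
!
policy-map global_policy
 class inspection_default
  inspect icmp
"""


def parse_interfaces(config: str) -> Dict[str, dict]:
    """Map interface name -> attributes; a block ends at the next unindented line."""
    interfaces: Dict[str, dict] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():                    # top-level command
            m = re.match(r"^interface (\S+)$", raw)
            current = None
            if m:
                current = {"nameif": None, "security_level": None,
                           "bridge_group": None, "has_ip": False}
                interfaces[m.group(1)] = current
            continue
        if current is None:
            continue
        words = raw.split()
        if words[0] == "nameif":
            current["nameif"] = words[1]
        elif words[0] == "security-level":
            current["security_level"] = int(words[1])
        elif words[0] == "bridge-group":
            current["bridge_group"] = int(words[1])
        elif words[:2] == ["ip", "address"]:
            current["has_ip"] = True
    return interfaces


def global_policy_inspects_icmp(config: str) -> bool:
    """True if 'inspect icmp' appears under 'policy-map global_policy'."""
    in_global = False
    for raw in config.splitlines():
        if raw.strip() and not raw[0].isspace():
            in_global = raw.strip() == "policy-map global_policy"
        elif in_global and raw.strip() == "inspect icmp":
            return True
    return False


def lint(config: str) -> List[str]:
    """Return findings as strings; an empty list means nothing was flagged."""
    findings: List[str] = []
    ifaces = parse_interfaces(config)
    nameifs = {v["nameif"] for v in ifaces.values() if v["nameif"]}
    groups = {v["bridge_group"] for v in ifaces.values()
              if v["bridge_group"] is not None}
    for name, v in ifaces.items():
        if v["bridge_group"] is not None and (
                v["nameif"] is None or v["security_level"] is None):
            findings.append(f"{name}: bridge-group member without nameif/security-level")
    for g in sorted(groups):
        bvi = ifaces.get(f"BVI{g}")
        if bvi is None or bvi["nameif"] is None or not bvi["has_ip"]:
            findings.append(f"bridge-group {g}: no BVI{g} with nameif and ip address")
    for m in re.finditer(r"^\s*nat \(([^,)]+),([^,)]+)\)", config, re.M):
        for n in m.groups():
            if n not in nameifs:
                findings.append(f"nat rule references unknown interface '{n}'")
    if not global_policy_inspects_icmp(config):
        findings.append("global_policy lacks 'inspect icmp': ICMP replies need a permit ACL")
    return findings
```

lint(SAMPLE_CONFIG) returns no findings for the posted configuration; deleting the "inspect icmp" line reproduces the finding that matches the symptom in this thread (ping blocked, TCP connections fine).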
04-10-2019 10:29 AM
If you feel like contributing, please leave a helpful vote so that we can continue to help whenever possible.
Good job
Thanks,
Josiane
Twitter:SecureGirlNinja