ASA configuration passing multiple VLANs

I am spinning up a new config and am running into issues. My physical config is Catalyst_9300 --> ASA_5516X --> ISR1108p. I am attempting to run the ASA in transparent mode, inspecting and passing the VLAN traffic between the switch and router. With the Catalyst connected directly to the ISR I can get through on all VLANs and to the internet; I am, however, not able to pass traffic through the ASA. I have created (5) sub-interfaces for each of my VLANs on the physical port connecting my router and (5) different sub-interfaces for the VLANs on my switch, tying all of these together with bridge groups. In an attempt to make this pass traffic the security level on all interfaces was turned down to 0. The ASA would not allow the management IP to be assigned inside of BVI 1, which represents my management VLAN. Below is my config for reference:

: Hardware: ASA5516, 8192 MB RAM, CPU Atom C2000 series 2416 MHz, 1 CPU (8 cores)
:
ASA Version 9.8(2)
!
firewall transparent
hostname ciscoasa
enable password XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
names

!
interface GigabitEthernet1/1
nameif outside_physical
security-level 0
!
interface GigabitEthernet1/1.1
vlan 1
bridge-group 1
nameif outsideVLAN1
security-level 0
!
interface GigabitEthernet1/1.3
vlan 3
bridge-group 3
nameif outsideVLAN3
security-level 0
!
interface GigabitEthernet1/1.6
vlan 6
bridge-group 6
nameif outsideVLAN6
security-level 0
!
interface GigabitEthernet1/1.9
vlan 9
bridge-group 9
nameif outsideVLAN9
security-level 0
!
interface GigabitEthernet1/1.12
vlan 12
bridge-group 12
nameif outsideVLAN12
security-level 0
!
interface GigabitEthernet1/1.15
vlan 15
bridge-group 15
nameif outsideVLAN15
security-level 0
!
interface GigabitEthernet1/2
nameif Internal
security-level 0
!
interface GigabitEthernet1/2.1
vlan 2
bridge-group 1
nameif inside_VLAN1-2
security-level 0
!
interface GigabitEthernet1/2.3
vlan 4
bridge-group 3
nameif inside_VLAN3-4
security-level 0
!
interface GigabitEthernet1/2.6
vlan 7
bridge-group 6
nameif inside_VLAN6-7
security-level 0
!
interface GigabitEthernet1/2.9
vlan 10
bridge-group 9
nameif inside_VLAN9-10
security-level 0
!
interface GigabitEthernet1/2.12
vlan 13
bridge-group 12
nameif inside_VLAN12-13
security-level 0
!
interface GigabitEthernet1/2.15
vlan 16
bridge-group 15
nameif inside_VLAN15-16
security-level 0
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
!
interface Management1/1
management-only
nameif Management
security-level 100
ip address 192.168.98.10 255.255.255.0
!
interface BVI1
ip address 192.168.99.1 255.255.255.0
!
interface BVI3
ip address 192.168.100.1 255.255.255.0
!
interface BVI6
ip address 192.168.1.1 255.255.255.0
!
interface BVI9
ip address 192.168.2.1 255.255.255.0
!
interface BVI12
ip address 192.168.50.1 255.255.255.0
!
interface BVI15
ip address 192.168.55.1 255.255.255.0
!
ftp mode passive
access-list GLOBAL extended permit ospf any any
access-list GLOBAL extended permit udp any any
access-list GLOBAL extended permit tcp any any
access-list global extended permit icmp any any
pager lines 24
logging console debugging
mtu outside_physical 1500
mtu outsideVLAN1 1500
mtu outsideVLAN3 1500
mtu outsideVLAN6 1500
mtu outsideVLAN9 1500
mtu outsideVLAN12 1500
mtu outsideVLAN15 1500
mtu Internal 1500
mtu inside_VLAN1-2 1500
mtu inside_VLAN3-4 1500
mtu inside_VLAN6-7 1500
mtu inside_VLAN9-10 1500
mtu inside_VLAN12-13 1500
mtu inside_VLAN15-16 1500
mtu Management 1500
no failover
no monitor-interface service-module
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 16384
access-group GLOBAL global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication login-history
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
policy-map GLOBAL_Policy
class inspection_default
inspect icmp
inspect icmp error
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:XXXXXXXXXXXXXXXX

end

5 Replies

Looks like you are missing the following commands:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

--
Please remember to select a correct answer and rate helpful posts
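As an added example that is not part of this thread (and not Cisco tooling), the following Python script lints an abridged transcription of the configuration posted above for the problems visible in it: the ICMP entry that went into a separately named list `global` while `access-group GLOBAL global` binds `GLOBAL` (ASA names are case-sensitive, so that ICMP permit is never enforced), the `GLOBAL_Policy` policy-map that is defined but never attached with `service-policy` (so `inspect icmp` is not running), and the missing `same-security-traffic permit inter-interface` that the reply above points out. The rule names and check logic are my own; the check that flags `intra-interface` under `firewall transparent` relies on the error the original poster reports later in the thread.

```python
"""Lint a Cisco ASA running-config excerpt for the issues raised in this thread.
Added example, not from the thread or from Cisco; the checks are the editor's own."""
import re
from collections import Counter

# Abridged transcription of the posted config (one bridge group kept; the
# remaining sub-interfaces repeat the same pattern).
SAMPLE_CONFIG = """\
firewall transparent
interface GigabitEthernet1/1.1
 bridge-group 1
 nameif outsideVLAN1
 security-level 0
interface GigabitEthernet1/2.1
 bridge-group 1
 nameif inside_VLAN1-2
 security-level 0
access-list GLOBAL extended permit ospf any any
access-list GLOBAL extended permit udp any any
access-list GLOBAL extended permit tcp any any
access-list global extended permit icmp any any
access-group GLOBAL global
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
policy-map GLOBAL_Policy
 class inspection_default
  inspect icmp
service-policy global_policy global
"""

# Same excerpt with the fixes applied: ICMP entry moved into GLOBAL, the icmp
# inspect merged into the applied policy-map, inter-interface traffic permitted.
FIXED_CONFIG = (
    SAMPLE_CONFIG.replace("access-list global extended", "access-list GLOBAL extended")
    .replace("policy-map GLOBAL_Policy", "policy-map global_policy")
    + "same-security-traffic permit inter-interface\n"
)

ACL_RE = re.compile(r"^access-list (\S+) ")
AG_RE = re.compile(r"^access-group (\S+) (?:global|in interface \S+|out interface \S+)")
PM_RE = re.compile(r"^policy-map (\S+)$")          # skips 'policy-map type inspect ...'
SP_RE = re.compile(r"^service-policy (\S+) ")


def parse_config(text):
    """Collect only the facts the checks need from ASA CLI text."""
    facts = {
        "transparent": False,
        "acl_aces": Counter(),      # ACL name -> number of ACEs
        "access_groups": [],        # ACL names bound with access-group
        "policy_maps": set(),       # L3/L4 policy-map names
        "service_policies": set(),  # policy-map names applied by service-policy
        "interfaces": {},           # nameif -> security-level
        "same_security": set(),     # {'inter-interface', 'intra-interface'}
    }
    nameif = None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "firewall transparent":
            facts["transparent"] = True
        elif line.startswith("interface "):
            nameif = None
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("security-level ") and nameif:
            facts["interfaces"][nameif] = int(line.split()[1])
        elif line.startswith("same-security-traffic permit "):
            facts["same_security"].add(line.split()[-1])
        elif (m := ACL_RE.match(line)):
            facts["acl_aces"][m.group(1)] += 1
        elif (m := AG_RE.match(line)):
            facts["access_groups"].append(m.group(1))
        elif (m := PM_RE.match(line)):
            facts["policy_maps"].add(m.group(1))
        elif (m := SP_RE.match(line)):
            facts["service_policies"].add(m.group(1))
    return facts


def lint(text):
    """Return findings as (rule, detail) tuples; an empty list means clean."""
    f = parse_config(text)
    findings = []
    # 1. ASA names are case-sensitive: 'global' and 'GLOBAL' are two lists,
    #    and only the one named in access-group is enforced.
    for bound in f["access_groups"]:
        if bound not in f["acl_aces"]:
            findings.append(("unbound-access-group", bound))
        for other in sorted(f["acl_aces"]):
            if other != bound and other.lower() == bound.lower():
                findings.append(("acl-case-mismatch", f"{other} vs {bound}"))
    # 2. A policy-map that is never applied does no inspection at all.
    for pm in sorted(f["policy_maps"] - f["service_policies"]):
        findings.append(("unapplied-policy-map", pm))
    # 3. Interfaces sharing a security level need inter-interface permission.
    levels = Counter(f["interfaces"].values())
    shared = sorted(lvl for lvl, n in levels.items() if n > 1)
    if shared and "inter-interface" not in f["same_security"]:
        findings.append(("missing-inter-interface", ",".join(map(str, shared))))
    # 4. The ASA rejects intra-interface hairpinning in transparent mode.
    if f["transparent"] and "intra-interface" in f["same_security"]:
        findings.append(("intra-interface-in-transparent", "firewall transparent"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", SAMPLE_CONFIG), ("fixed", FIXED_CONFIG)):
        print(label, lint(cfg) or "clean")
```

Run against the transcribed excerpt it reports three findings (ACL case mismatch, unapplied `GLOBAL_Policy`, missing inter-interface permit); against the corrected variant it reports none. It reads the text only and never touches the device, so it can be pointed at a `show running-config` capture before the change is made.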

Deepak Kumar
VIP Alumni

Hi,

As suggested add two commands:

same-security-traffic permit inter-interface
same-security-traffic permit intra-interface

Regards,
Deepak Kumar,
Don't forget to vote and accept the solution if this comment will help you!

I will implement this and report back how it goes.  Thanks so much for the Replies!

I was able to implement the first command but not the second; I was given an error that it was not allowed in transparent firewall mode. I did some more digging, bumping around in the ACLs. If I static the PC on the inside of the ASA I can ping the router on the outside. I am not, however, able to get the management interface (HTTP) to load or DHCP to pass.

I am not sure I understand when you say "If I static the PC", do you mean NAT?

If you are trying to manage the ASA on the MGMT interface from another subnet located on another interface that does not ingress on the management interface then this is not supported.

--
Please remember to select a correct answer and rate helpful posts