ASA in transparent mode traffic

malithperera (Level 1)

Hi All,

I've set up my Cisco ASA 5505 in transparent mode. I have a Cisco 1841 connecting to the ISP (DHCP client) and F0/0 for inside. The 1841 is the DHCP server. I have my ASA 5505 behind the 1841 in transparent mode (Vlan 1 for Outside and Vlan 1 for inside).

The router config is good: when you connect a computer straight to the inside interface I get DHCP and can go to the internet, no problems whatsoever. But when you're trying to go through the ASA it isn't working.

I'm pretty sure if I add an "ip any any" statement to the access list it will work, but having an "ip any any" in an access list is like having no firewall at all.

Following is my config. Any help much appreciated. Thank you.

ciscoasa(config)# sh run
: Saved
:
ASA Version 8.2(4) 
!
firewall transparent
hostname ciscoasa
enable password zmQ6OnxvsOOEDNAy encrypted
passwd zmQ6OnxvsOOEDNAy encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
 switchport access vlan 2
!
interface Ethernet0/4
 switchport access vlan 2
!
interface Ethernet0/5
 switchport access vlan 2
!
interface Ethernet0/6
 switchport access vlan 2
!
interface Ethernet0/7
 switchport access vlan 2
!
interface Vlan1
 nameif OUTSIDE
 security-level 0
!
interface Vlan2
 nameif INSIDE
 security-level 100
!
ftp mode passive
object-group service DHCP_PORT tcp-udp
 port-object eq 67
 port-object eq 68
access-list DHCP extended permit udp any any object-group DHCP_PORT 
pager lines 24
mtu OUTSIDE 1500
mtu INSIDE 1500
ip address 192.168.1.24 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group DHCP in interface OUTSIDE
access-group DHCP in interface INSIDE
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
!
service-policy global_policy global
prompt hostname context 
Cryptochecksum:0e7a1c6c06f302826620b9dc704c59c4
: end
6 Replies

mirober2 (Cisco Employee)

Hello,

Just like on a router, the firewall's ACLs have an implied 'deny any any' statement at the end of them. Since you configured an ACL permitting DHCP traffic on both the inside and outside interfaces, this is the only traffic that will be allowed through the firewall. You need to add 'permit' lines for the other traffic that you want to pass through.

Keep in mind that traffic from a high security interface to a low security interface is allowed by default when there is no ACL applied. In addition, the ASA will dynamically allow the return traffic through the ACL so you only need to permit the traffic in the direction it is initiated.

Hope that helps.

-Mike

Hi Mike,

"Keep in mind that traffic from a high security interface to a low security interface is allowed by default when there is no ACL applied. In addition, the ASA will dynamically allow the return traffic through the ACL"

If this is the default behavior, why is it not working for my "inside" originated traffic (sec level 100 to 0)? PCs which are behind the FW don't get the web traffic which they initiate. I had to put an ip any any on "in Inside" for this to work.

The key there is "when there is no ACL applied". Once you apply an ACL, all traffic must be explicitly permitted in order to be allowed. If you had no ACL configured at all, only then would traffic from sec 100 to sec 0 be automatically allowed.

Hope that helps.

-Mike

I didn't have any ACL applied before, just plain transparent config. I had to put ip any any to inside interface to get it working.

Mike is correct about the ACL taking precedence over the security levels. According to the config you posted in your original post you have the DHCP access-list assigned to the inside interface:

access-group DHCP in interface OUTSIDE
access-group DHCP in interface INSIDE

Either remove the ACL assigned to the INSIDE interface or create a different ACL that will permit the traffic you want.


jotapalacios (Level 1)

Hi,

I think that you need the following ACL and network object.

Network object:

object network dhcp-server
 host (DHCP server ip)
 description dhcp-server

ACL:

access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit udp object dhcp-server any eq bootpc  (UDP 68)

The first ACL permits any traffic to any network (inside to outside).

The second ACL permits UDP 68 traffic from the network object to the inside network.

I hope that helps.

Juan Palacios
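The point made above (an applied ACL ends in an implicit deny and replaces the security-level default, so either remove the ACL from INSIDE or write one that lists the wanted traffic) can be satisfied without "permit ip any any". The following is an added example written for this page, not configuration posted by anyone in the thread or by Cisco. It keeps the original poster's 8.2(4) syntax (object-group rather than "object network", which only exists from 8.3 onward) and assumes, hypothetically, that the 1841's inside address and DHCP server is 192.168.1.1; substitute the real address.

```cisco
! Added example (not from the thread): explicit inside/outside ACLs for an
! ASA 8.2 transparent firewall that keep DHCP working without "permit ip any any".
! ASSUMPTION: the 1841 (DHCP server) sits on the OUTSIDE side at 192.168.1.1.
object-group network DHCP_SERVER
 network-object host 192.168.1.1
!
object-group service DHCP_PORT tcp-udp
 port-object eq 67
 port-object eq 68
!
! INSIDE -> OUTSIDE. Once this ACL is applied, the "high to low is allowed"
! default no longer applies, so every outbound service has to be listed.
! The trailing deny is implicit anyway; writing it with "log" makes the
! drops visible in syslog so missing services can be found instead of guessed.
access-list INSIDE_IN extended permit udp any any object-group DHCP_PORT
access-list INSIDE_IN extended permit udp any any eq domain
access-list INSIDE_IN extended permit tcp any any eq www
access-list INSIDE_IN extended permit tcp any any eq https
access-list INSIDE_IN extended permit icmp any any echo
access-list INSIDE_IN extended deny ip any any log
!
! OUTSIDE -> INSIDE. Return traffic for the TCP/UDP/ICMP flows above is
! matched by the connection table and needs no rule here. DHCP is the
! exception: a client's DISCOVER/REQUEST goes to 255.255.255.255, but the
! OFFER/ACK comes back from the server's own address, so it is not seen as
! return traffic and must be permitted explicitly, and only from the server.
access-list OUTSIDE_IN extended permit udp object-group DHCP_SERVER eq bootps any eq bootpc
access-list OUTSIDE_IN extended deny ip any any log
!
access-group INSIDE_IN in interface INSIDE
access-group OUTSIDE_IN in interface OUTSIDE
```

Two checks after applying it: "show access-list INSIDE_IN" shows per-line hit counts, which is the quickest way to see which rule a failing client is hitting (or that it is falling through to the logged deny), and "show conn" confirms that the web flows from inside have connection entries so their replies are passing without an OUTSIDE rule. These ACLs only govern IP; in transparent mode ARP is passed by default, but any other non-IP protocol you need to bridge requires a separate "access-list ... ethertype" applied with its own access-group.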
