10-24-2011 04:17 AM - edited 03-11-2019 02:41 PM
Hi All,
I've set up my Cisco ASA 5505 in transparent mode. I have a Cisco 1841 connecting to the ISP (DHCP client) and F0/0 for inside. The 1841 is the DHCP server. I have my ASA 5505 behind the 1841 in transparent mode (Vlan 1 for Outside and Vlan 1 for inside).
The router config is good, as when you connect a computer straight to the inside interface I get DHCP and can go to the internet, no problems whatsoever. But when you're trying to go through the ASA it isn't working.
I'm pretty sure if I add an ip any any statement to the access list it will work, but having an "ip any any" in an access list is like having no firewall at all.
Following is my config. Any help much appreciated. Thank you.
ciscoasa(config)# sh run
: Saved
:
ASA Version 8.2(4)
!
firewall transparent
hostname ciscoasa
enable password zmQ6OnxvsOOEDNAy encrypted
passwd zmQ6OnxvsOOEDNAy encrypted
names
!
interface Ethernet0/0
!
interface Ethernet0/1
 switchport access vlan 2
!
interface Ethernet0/2
 switchport access vlan 2
!
interface Ethernet0/3
 switchport access vlan 2
!
interface Ethernet0/4
 switchport access vlan 2
!
interface Ethernet0/5
 switchport access vlan 2
!
interface Ethernet0/6
 switchport access vlan 2
!
interface Ethernet0/7
 switchport access vlan 2
!
interface Vlan1
 nameif OUTSIDE
 security-level 0
!
interface Vlan2
 nameif INSIDE
 security-level 100
!
ftp mode passive
object-group service DHCP_PORT tcp-udp
 port-object eq 67
 port-object eq 68
access-list DHCP extended permit udp any any object-group DHCP_PORT
pager lines 24
mtu OUTSIDE 1500
mtu INSIDE 1500
ip address 192.168.1.24 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group DHCP in interface OUTSIDE
access-group DHCP in interface INSIDE
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:0e7a1c6c06f302826620b9dc704c59c4
: end
10-26-2011 06:25 AM
Hello,
Just like on a router, the firewall's ACLs have an implied 'deny any any' statement at the end of them. Since you configured an ACL permitting DHCP traffic on both the inside and outside interfaces, this is the only traffic that will be allowed through the firewall. You need to add 'permit' lines for the other traffic that you want to pass through.
Keep in mind that traffic from a high security interface to a low security interface is allowed by default when there is no ACL applied. In addition, the ASA will dynamically allow the return traffic through the ACL so you only need to permit the traffic in the direction it is initiated.
Hope that helps.
-Mike
10-27-2011 10:38 AM
Hi Mike,
"Keep in mind that traffic from a high security interface to a low security interface is allowed by default when there is no ACL applied. In addition, the ASA will dynamically allow the return traffic through the ACL"
If this is the default behavior, why isn't it working for my "inside" originated traffic (sec level 100 to 0)? PCs which are behind the FW don't get the web traffic which they initiate. I had to put an ip any any on "in Inside" for this to work.
10-27-2011 10:41 AM
The key there is "when there is no ACL applied". Once you apply an ACL, all traffic must be explicitly permitted in order to be allowed. If you had no ACL configured at all, only then would traffic from sec 100 to sec 0 be automatically allowed.
Hope that helps.
-Mike
10-27-2011 10:44 AM
I didn't have any ACL applied before, just a plain transparent config. I had to put ip any any on the inside interface to get it working.
11-28-2013 11:50 PM
Mike is correct about the ACL taking precedence over the security levels. According to the config you posted in your original post you have the DHCP access-list assigned to the inside interface:
access-group DHCP in interface OUTSIDE
access-group DHCP in interface INSIDE
Either remove the ACL assigned to the INSIDE interface or create a different ACL that will permit the traffic you want.
--
Please remember to rate and select a correct answer
11-28-2013 07:43 PM
Hi,
I think that you need the following ACL and network object.
Network object:
object network dhcp-server
host (DHCP server ip)
description dhcp-server
ACL:
access-list inside_access_in extended permit ip any any
access-list outside_access_in extended permit udp object dhcp-server any eq bootpc (UDP 68)
The first ACL permits any traffic to any network (inside to outside).
The second ACL permits UDP port 68 traffic from the network object to the inside network.
I hope that helps.
Juan Palacios
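The two answers above agree on the cause (an interface ACL replaces the security-level default and ends in an implicit deny) but differ on the cure: remove the INSIDE ACL, or permit ip any any. The following is an added example, not configuration from any post in this thread, showing a third option that keeps an explicit INSIDE ACL with only the traffic clients are expected to originate, and tightens the OUTSIDE side to DHCP server replies. It reuses the OP's interface names and ASA 8.2 syntax; the ACL names INSIDE_IN and OUTSIDE_IN, the client address 192.168.1.50 and the destination 203.0.113.10 used in the packet-tracer check are assumed values.

```cisco
! Before (from the original post): the DHCP-only ACL is bound to both
! interfaces, so on INSIDE everything except UDP 67/68 falls through to
! the implicit deny at the end of the list.
!   access-group DHCP in interface OUTSIDE
!   access-group DHCP in interface INSIDE

! 1. Unbind the DHCP ACL from INSIDE. On its own this already restores
!    inside-to-outside traffic through the security-level default (100 -> 0).
no access-group DHCP in interface INSIDE

! 2. Instead of relying on that default (or on "permit ip any any"), bind an
!    explicit INSIDE ACL listing only what clients should originate. Return
!    traffic for these connections is admitted by the stateful connection
!    table, so nothing has to be opened on OUTSIDE for it. Extend the list
!    as requirements dictate; the final deny simply makes drops visible.
access-list INSIDE_IN extended permit udp any any eq bootps
access-list INSIDE_IN extended permit udp any any eq domain
access-list INSIDE_IN extended permit tcp any any eq www
access-list INSIDE_IN extended permit tcp any any eq https
access-list INSIDE_IN extended permit icmp any any echo
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface INSIDE

! 3. On OUTSIDE keep only what must enter unsolicited: the 1841's DHCP
!    offers/acks (source port 67 to destination port 68). These cannot ride
!    the connection table because the offer is addressed to the broadcast
!    address, not back to the client's DHCPDISCOVER source. The original
!    "udp any any to 67 or 68" is narrowed so only server-port replies match.
no access-group DHCP in interface OUTSIDE
access-list OUTSIDE_IN extended permit udp any eq bootps any eq bootpc
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface OUTSIDE

! 4. Verify: simulate a client HTTP flow through the new policy and then
!    confirm which ACE is accumulating hits (assumed sample addresses).
packet-tracer input INSIDE tcp 192.168.1.50 40000 203.0.113.10 80
show access-list INSIDE_IN
show access-list OUTSIDE_IN
```

After a client renews its lease and browses, the "hitcnt" values in the show access-list output should climb on the bootps, domain and www/https entries of INSIDE_IN and on the single bootps-to-bootpc entry of OUTSIDE_IN; anything landing on the logged deny lines is traffic the policy has not accounted for and can be reviewed in the syslog before being added.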