ASA in Transparent Mode

bprobst
Level 1

Hi,

I ran into a problem when trying to install an ASA Security Appliance with AIP-SSM in transparent firewall mode.

Please see both attachments, network-with-asa.pdf and network-without-asa.pdf, which will introduce you to the network.

The first picture you should have a look at is network-without-asa.pdf. In this case everything works fine. All devices are able to connect to the network 10.19.64.x (right router) and to the internet (left router).

Now I plugged in the ASA in transparent firewall mode to sniff all traffic to the internet (network-with-asa.pdf). I don't understand what happens now:

All devices can connect to the internet, all ping messages to 10.19.64.x are OK, but neither TCP nor UDP connections can be established. There is a permit ip any any access-list statement in the ASA, and the ASA has an IP address in the network 10.119.x.x.

I thought ASA in transparent firewall mode is just like a "stealth device".

BTW: ASA is connected to the correct VLAN on the Layer-3-Switch ;-)

Please see also this configuration of ASA:

ASA Version 7.2(1)
!
firewall transparent
hostname ciscoasa
domain-name xxx.de
enable password xxx
names
!
interface Ethernet0/0
 nameif inside
 security-level 100
!
interface Ethernet0/1
 nameif outside
 security-level 0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
!
interface Management0/0
 nameif management
 security-level 100
 ip address 10.19.10.1 255.255.248.0
 management-only
!
passwd xxx
ftp mode passive
dns server-group DefaultDNS
 domain-name xxx.de
access-list 100 extended permit ip any any
access-list 100 extended permit icmp any any
access-list 101 extended permit ip any any
pager lines 24
logging console debugging
logging asdm informational
logging host management 10.19.10.3
mtu inside 1500
mtu outside 1500
mtu management 1500
ip address 10.119.128.10 255.255.255.0
icmp permit any inside
icmp permit any outside
icmp permit any management
asdm image disk0:/asdm521.bin
no asdm history enable
arp timeout 14400
access-group 100 in interface inside
access-group 100 in interface outside
route management 10.19.8.0 255.255.248.0
route management 0.0.0.0 0.0.0.0 10.119.128.250 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
http server enable
http 10.19.0.0 255.255.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 10.19.0.0 255.255.0.0 management
ssh timeout 5
console timeout 0
!
class-map inspection_default
 match default-inspection-traffic
class-map ips
 match access-list 101
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
 class ips
  ips promiscuous fail-open
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:xxx
: end
ciscoasa#

Can someone tell me what is happening here???

Thanks in advance!!

Regards

Bernd
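As an added example (not part of Bernd's post and not Cisco code), here is a small parser for an ASA running-config in the shape posted above. It pulls out the transparent-mode flag, interface names, extended access-list entries and access-group bindings, and then answers the question the thread keeps circling: does the ACL bound to an interface match a given packet at all? SAMPLE_CONFIG is a constructed excerpt modelled on the posted config; the HSRPv1 hello values (UDP/1985 to 224.0.0.2) used in the demo are the standard ones, not something taken from the post.

```python
"""Added example: parse an ASA running-config and evaluate inbound ACL matches.

Not Cisco code and not from the post. SAMPLE_CONFIG is a constructed excerpt
modelled on the configuration posted in the thread.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import ipaddress

SAMPLE_CONFIG = """\
firewall transparent
hostname ciscoasa
interface Ethernet0/0
 nameif inside
 security-level 100
interface Ethernet0/1
 nameif outside
 security-level 0
interface Management0/0
 nameif management
 security-level 100
 ip address 10.19.10.1 255.255.248.0
 management-only
access-list 100 extended permit ip any any
access-list 100 extended permit icmp any any
access-list 101 extended permit ip any any
ip address 10.119.128.10 255.255.255.0
access-group 100 in interface inside
access-group 100 in interface outside
"""


@dataclass
class Ace:
    action: str                     # permit / deny
    proto: str                      # ip, tcp, udp, icmp, ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network


@dataclass
class AsaConfig:
    transparent: bool = False
    interfaces: Dict[str, str] = field(default_factory=dict)            # nameif -> physical
    interface_addresses: Dict[str, ipaddress.IPv4Interface] = field(default_factory=dict)
    firewall_address: Optional[ipaddress.IPv4Interface] = None          # global 'ip address'
    acls: Dict[str, List[Ace]] = field(default_factory=dict)
    access_groups: Dict[Tuple[str, str], str] = field(default_factory=dict)  # (nameif, dir) -> acl


def _parse_addr(tok: List[str], i: int) -> Tuple[ipaddress.IPv4Network, int]:
    """Consume one ACL address spec: 'any', 'host A.B.C.D' or 'A.B.C.D MASK'."""
    if tok[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if tok[i] == "host":
        return ipaddress.ip_network(tok[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{tok[i]}/{tok[i + 1]}", strict=False), i + 2


def parse_asa_config(text: str) -> AsaConfig:
    cfg = AsaConfig()
    current_if = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        tok = line.split()
        if not raw.startswith(" "):
            # an unindented line ends any interface block we were inside
            current_if = tok[1] if tok[0] == "interface" else None
        if tok[:2] == ["firewall", "transparent"]:
            cfg.transparent = True
        elif tok[0] == "nameif" and current_if:
            cfg.interfaces[tok[1]] = current_if
        elif tok[:2] == ["ip", "address"]:
            addr = ipaddress.ip_interface(f"{tok[2]}/{tok[3]}")
            if current_if:
                cfg.interface_addresses[current_if] = addr
            else:
                cfg.firewall_address = addr   # transparent-mode management IP
        elif tok[0] == "access-list" and tok[2] == "extended":
            src, i = _parse_addr(tok, 5)
            dst, _ = _parse_addr(tok, i)
            cfg.acls.setdefault(tok[1], []).append(Ace(tok[3], tok[4], src, dst))
        elif tok[0] == "access-group":
            # access-group <acl> <in|out> interface <nameif>
            cfg.access_groups[(tok[4], tok[2])] = tok[1]
    return cfg


def lookup(cfg: AsaConfig, ingress: str, proto: str, src: str, dst: str) -> Optional[Ace]:
    """First ACE of the inbound ACL on `ingress` matching the packet, or None when
    no ACL is bound or nothing matches. Port operators are ignored; an ACE with
    protocol 'ip' matches every protocol."""
    acl = cfg.access_groups.get((ingress, "in"))
    if acl is None:
        return None
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in cfg.acls.get(acl, []):
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace
    return None


def findings(cfg: AsaConfig) -> List[str]:
    """Config sanity checks worth reading before chasing traffic through the box."""
    out = []
    if cfg.transparent and cfg.firewall_address is None:
        out.append("transparent mode but no global 'ip address' configured")
    for nameif in cfg.interfaces:
        if (nameif, "in") not in cfg.access_groups:
            out.append(f"interface '{nameif}' has no inbound access-group")
    return out


if __name__ == "__main__":
    cfg = parse_asa_config(SAMPLE_CONFIG)
    print("transparent:", cfg.transparent, "management IP:", cfg.firewall_address)
    # TCP from the internal LAN to the branch network, entering on 'inside'
    print(lookup(cfg, "inside", "tcp", "10.19.0.5", "10.19.64.7"))
    # HSRPv1 hello (UDP/1985 to 224.0.0.2, standard values), entering on 'outside'
    print(lookup(cfg, "outside", "udp", "10.119.128.250", "224.0.0.2"))
    for f in findings(cfg):
        print("finding:", f)
```

A match returned by lookup says only what the ACL text permits; it says nothing about how the platform handles multicast across a transparent bridge, which is the open question in the last reply and is not something this script can decide. The interface-address bookkeeping is also a quick way to see that the management interface sits in a different subnet (10.19.8.0/21) from the firewall's own address (10.119.128.0/24), which matters when reading the route statements.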

4 Replies

jgervia_2
Level 1

Hello,

What is the source/destination of the traffic that you are having an issue with? Your diagram doesn't make it clear if the traffic would even go through the ASA if destined for the 'right side' network.

Hi,

thanks for your answer :-)

The source network is the internal LAN (10.19.0.x/24) and the destination is a branch office with IP network 10.19.64.x/24. The routing should be handled by the "left" Layer-3 switch, which has a route to 10.19.64.x/24 over the "right" Layer-3 switch. These two switches are connected with a trunk. IMHO the ASA should never see the traffic destined for this network, because the switch should route it over the trunk...

Regards

Bernd

Hi,

problem is solved :-)

There is an HSRP configuration I didn't know about ;-)

Regards

Bernd

Hi Bprobst,

Would you please let me know how to allow HSRP packets to cross through the ASA?

My 2 ASAs are in A/A transparent mode.

Thanks a lot
