ASA transparent mode allows all traffic

Hello, everyone!

I'd like to know how I can allow any traffic to pass through ASA in transparent mode. My idea was to use the same security level on inside and outside interfaces. What do you think about it? What problems can I face?

Thank you!

P.S.

 ASA5585-SSP-60, Cisco Adaptive Security Appliance Software Version 9.1(5)21.


Is this in a production scenario? Is your plan to apply policies on the traffic eventually?

You can achieve this by adding access rules to the traffic while still maintaining the security levels where you want them for INSIDE and OUTSIDE traffic.

You could do it with same security levels, but you might run into some issues with traffic being inspected or not inspected through the firewall, so certain traffic may not be allowed dynamically. You have to configure "allow same security traffic through the firewall". This adds complexity to your config which may be difficult to undo when you decide to control traffic through your firewall.


I don't actually need ASA services in general, but I need only the possibility for the ASA to filter HTTP headers and do URL filtration. But anyway,

Is it OK?

interface GigabitEthernet0/0
 nameif inside
 bridge-group 1
 security-level 100
!
interface GigabitEthernet0/1
 nameif outside
 bridge-group 1
 security-level 0
!
access-list ALLOW-ANY ethertype permit any
access-list ALLOW-ANY-IP extended permit ip any any
!
access-group ALLOW-ANY out interface inside
access-group ALLOW-ANY-IP out interface inside
!
access-group ALLOW-ANY in interface outside
access-group ALLOW-ANY-IP in interface outside
!

I need a piece of advice.

Thank you in advance.


That should work. You don't need the entries in the direction out on both interfaces. Is there any ethertype traffic you want to allow? Like cdp or other layer 2 protocols. If not then you don't need the ethertype acl.
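
As an added example (not posted by anyone in this thread), here is the trimmed transparent-mode configuration the last reply describes: the security levels are kept, the permit-all IP ACL is applied only in the "in" direction on each interface, and the EtherType ACL is left in only for the case where non-IP frames such as CDP must also cross the bridge. The second variant at the bottom is the same-security-level approach from the first reply. The `firewall transparent` line (single-context unit), the `interface BVI1` block and its RFC 5737 address 192.0.2.10/24 are assumptions added so the fragment is complete enough to paste; the interface names and ACL names are the ones already posted above.

```text
! Variant A: keep security levels 100/0, permit everything with interface ACLs.
! Assumed: single-context unit already in transparent mode.
firewall transparent
!
interface GigabitEthernet0/0
 nameif inside
 bridge-group 1
 security-level 100
!
interface GigabitEthernet0/1
 nameif outside
 bridge-group 1
 security-level 0
!
! Each bridge group needs a management IP. Address is an assumed documentation value.
interface BVI1
 ip address 192.0.2.10 255.255.255.0
!
! IP traffic: one inbound ACL per interface is enough; no "out" entries needed.
access-list ALLOW-ANY-IP extended permit ip any any
access-group ALLOW-ANY-IP in interface inside
access-group ALLOW-ANY-IP in interface outside
!
! Non-IP frames: only add this if Layer 2 protocols such as CDP must pass.
! Drop these four lines if only IP needs to cross the bridge.
access-list ALLOW-ANY ethertype permit any
access-group ALLOW-ANY in interface inside
access-group ALLOW-ANY in interface outside
!
! Variant B (the first reply's option): equal security levels plus the global
! permit. Shown commented out; it replaces the ACLs above rather than adding to them.
! interface GigabitEthernet0/1
!  security-level 100
! same-security-traffic permit inter-interface
```

Variant A is the easier one to tighten later: replacing `permit ip any any` with specific rules, and then hanging an HTTP inspection policy off the same interfaces, changes nothing else in the configuration, whereas Variant B has to be undone before per-interface control works the usual way.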
