10-01-2013 10:43 AM - edited 03-11-2019 07:45 PM
I am looking to replace a FortiGate firewall, which is currently working in transparent mode handling multiple subnets, with an ASA 5515. Currently, I am testing the transparent mode configuration on an ASA 5505, and it will not forward any traffic that is not in the same subnet as the IP address assigned to the BVI.
For example, the following configuration works.
10.0.0.3/24 (computer) ---> 10.0.0.2/24 (firewall) ---> 10.0.0.1/24 (computer)
However, the following does not work
10.0.0.3/24 (computer) ---> 10.10.0.2/24 (firewall) ---> 10.0.0.1/24 (computer)
I thought that transparent mode is just a bump in the wire, so why does the IP address/subnet assigned to the BVI affect the traffic? Is the ASA capable of handling other/multiple subnets in transparent mode, other than the subnet assigned to the BVI?
By the way, I used to run a PIX 515E 7.2(2) in transparent mode filtering multiple subnets. The current ASA 5505 is on 9.0(1). Is this a limitation of the ASA 5505 model but not of the more powerful ASA models?
Thank you
10-02-2013 12:52 AM
try multiple context
10-02-2013 10:12 AM
Thank you @ttemirgaliyev, I tried but multiple context is not supported by ASA 5505.
I have an example of a PIX configuration in transparent mode filtering multiple subnets. I was using this configuration in a production environment in the past. I am wondering if an ASA 5510 or higher can handle this setup.
: Saved
: Written by enable_15 at 10:57:25.766 UTC Wed Jul 16 xxxx
!
PIX Version 7.2(2)
!
firewall transparent
hostname pixfirewall
enable password xxxxxxxxxx encrypted
names
!
interface Ethernet0
nameif outside
security-level 0
!
interface Ethernet0.1
vlan 1
no nameif
no security-level
!
interface Ethernet1
nameif inside
security-level 100
!
interface Ethernet1.1
no vlan
no nameif
no security-level
!
passwd xxxxxxxxxx encrypted
ftp mode passive
access-list outside extended permit udp any host 10.0.0.210
access-list outside extended permit udp any host 10.0.0.3
access-list outside extended permit tcp any host 10.0.0.110 eq smtp
access-list outside extended permit tcp any host 10.0.0.110 eq www
access-list outside extended permit tcp any host 10.0.0.57 eq smtp
access-list outside extended permit tcp any host 10.0.0.57 eq www
access-list outside extended permit tcp any host 10.0.0.75 eq www
access-list outside extended permit tcp any host 10.0.0.75 eq ftp
access-list outside extended permit tcp any host 10.0.0.75 eq 5003
access-list outside extended permit tcp any host 10.0.0.75 eq 403
access-list outside extended permit tcp any host 10.0.0.75 eq 407
access-list outside extended permit tcp any host 10.0.0.76 eq ftp
access-list outside extended permit tcp any host 10.0.0.2 eq pcanywhere-data
access-list outside extended permit udp any host 10.0.0.2 eq pcanywhere-status
access-list outside extended permit tcp any host 10.0.10.61
access-list outside extended permit tcp any host 10.0.10.62
access-list outside extended permit tcp any host 10.0.10.63
access-list outside extended permit tcp any host 10.0.10.64
access-list outside extended permit tcp any host 10.0.13.225 eq ftp
access-list outside extended permit tcp host 192.168.4.30 host 10.0.17.254 eq telnet
access-list outside extended permit tcp any host 10.0.13.225 eq telnet
access-list outside extended permit tcp any host 10.0.10.61 eq 50
access-list outside extended permit udp any host 10.0.10.61 eq isakmp
access-list outside extended permit tcp any host 10.0.10.62 eq 50
access-list outside extended permit udp any host 10.0.10.62 eq isakmp
access-list outside extended permit tcp any host 10.0.10.63 eq 50
access-list outside extended permit udp any host 10.0.10.63 eq isakmp
access-list outside extended permit tcp any host 10.0.10.64 eq 50
access-list outside extended permit udp any host 10.0.10.64 eq isakmp
access-list outside extended permit tcp any host 10.0.0.219
access-list outside extended permit udp any host 10.0.0.219
access-list outside extended permit udp any host 10.0.10.61
access-list outside extended permit udp any host 10.0.10.62
access-list outside extended permit udp any host 10.0.10.63
access-list outside extended permit udp any host 10.0.10.64
access-list outside extended permit icmp any host 10.0.10.29
access-list outside extended permit tcp any host 10.0.10.29 eq ftp
access-list outside extended permit tcp any gt 1023 host 10.0.10.29 eq ftp-data
access-list outside extended permit tcp any host 10.0.0.110 eq pop3
access-list outside extended permit tcp any host 10.0.0.57 eq pop3
access-list outside extended permit tcp any host 10.0.10.27 eq pcanywhere-data
access-list outside extended permit udp any host 10.0.10.27 eq pcanywhere-status
access-list outside extended permit tcp any host 10.0.10.31 eq pcanywhere-data
access-list outside extended permit udp any host 10.0.10.31 eq pcanywhere-status
access-list outside extended permit tcp any host 10.0.0.222 eq pcanywhere-data
access-list outside extended permit udp any host 10.0.0.222 eq pcanywhere-status
access-list outside extended permit icmp any host 10.0.10.28
access-list outside extended permit tcp any host 10.0.10.28 eq pptp
access-list outside extended permit gre any host 10.0.10.28
access-list outside extended permit ip any host 10.0.10.28
access-list outside extended permit ip any host 10.0.10.29
access-list outside extended permit tcp any host 10.0.10.25 eq 8234
access-list outside extended permit tcp any host 10.0.17.217 eq 8234
access-list outside extended permit tcp any host 10.0.17.217 eq 8235
access-list outside extended permit tcp any host 10.0.17.217 eq www
access-list outside extended permit ip any host 10.0.10.36
access-list outside extended permit ip any host 10.0.10.37
access-list outside extended permit ip any host 10.0.10.38
access-list outside extended permit ip any host 10.0.10.39
access-list outside extended permit ip any host 10.0.10.40
access-list outside extended permit ip any host 10.0.10.41
access-list outside extended permit tcp any host 10.0.0.235 eq www
access-list outside extended permit tcp any host 10.0.10.2 eq www
access-list outside extended permit tcp any host 10.0.10.2 eq 3389
access-list outside extended permit tcp host 192.168.1.234 host 10.0.0.211 eq 4899
access-list outside extended permit tcp any host 10.0.0.211 eq www
access-list outside extended permit tcp any host 10.0.10.35 eq www
access-list outside extended permit tcp any host 10.0.10.36 eq www
access-list outside extended permit tcp any host 10.0.10.37 eq www
access-list outside extended permit tcp any host 10.0.10.38 eq www
access-list outside extended permit tcp any host 10.0.10.39 eq www
access-list outside extended permit tcp any host 10.0.10.40 eq www
access-list outside extended permit tcp any host 10.0.10.41 eq www
access-list outside extended permit tcp any host 10.0.0.110 eq https
access-list outside extended permit tcp any host 10.0.0.57 eq https
access-list outside extended permit tcp any host 10.0.0.75 eq https
access-list outside extended permit tcp any host 10.0.17.217 eq https
access-list outside extended permit tcp any host 10.0.0.234 eq 220
access-list outside extended permit tcp any host 10.0.0.235 eq https
access-list outside extended permit tcp any host 10.0.10.2 eq https
access-list outside extended permit tcp any host 10.0.0.211 eq https
access-list outside extended permit tcp any host 10.0.10.35 eq https
access-list outside extended permit tcp any host 10.0.10.36 eq https
access-list outside extended permit tcp any host 10.0.10.37 eq https
access-list outside extended permit tcp any host 10.0.10.38 eq https
access-list outside extended permit tcp any host 10.0.10.39 eq https
access-list outside extended permit tcp any host 10.0.10.40 eq https
access-list outside extended permit tcp any host 10.0.10.41 eq https
access-list outside extended permit tcp any host 10.0.10.35 eq 8234
access-list outside extended permit tcp any host 10.0.10.36 eq 8234
access-list outside extended permit tcp any host 10.0.10.37 eq 8234
access-list outside extended permit tcp any host 10.0.10.38 eq 8234
access-list outside extended permit tcp any host 10.0.10.39 eq 8234
access-list outside extended permit tcp any host 10.0.10.40 eq 8234
access-list outside extended permit tcp any host 10.0.10.41 eq 8234
access-list outside extended permit tcp any host 10.0.10.35 eq 8235
access-list outside extended permit tcp any host 10.0.10.36 eq 8235
access-list outside extended permit tcp any host 10.0.10.37 eq 8235
access-list outside extended permit tcp any host 10.0.10.38 eq 8235
access-list outside extended permit tcp any host 10.0.10.39 eq 8235
access-list outside extended permit tcp any host 10.0.10.40 eq 8235
access-list outside extended permit tcp any host 10.0.10.41 eq 8235
access-list outside extended permit udp any host 10.0.0.222
access-list outside extended permit gre any any
access-list outside extended permit ip host 10.0.10.28 any
access-list outside extended permit ip host 10.0.0.211 any
access-list outside extended permit ip host 10.0.10.35 any
access-list outside extended permit ip host 10.0.10.36 any
access-list outside extended permit ip host 10.0.10.37 any
access-list outside extended permit ip host 10.0.10.38 any
access-list outside extended permit ip host 10.0.10.39 any
access-list outside extended permit ip host 10.0.10.40 any
access-list outside extended permit ip host 10.0.10.41 any
access-list outside extended permit ip host 10.0.0.222 any
access-list outside extended permit ip host 10.0.0.234 any
access-list outside extended permit icmp host 10.0.0.234 any
access-list outside extended permit tcp any host 10.0.0.235 eq 3389
access-list outside extended permit ip host 10.0.0.254 any
access-list outside extended permit tcp any host 10.0.0.2 eq 3389
access-list outside extended permit tcp any host 10.0.13.240 eq 5900
access-list outside extended permit udp any host 10.0.13.240 eq 5900
access-list outside extended permit tcp any host 10.0.13.240 eq 3283
access-list outside extended permit udp any host 10.0.13.240 eq 3283
access-list outside extended permit tcp any host 10.0.13.240 eq ssh
access-list outside extended permit tcp any host 10.0.10.12 eq www
access-list outside extended permit tcp any host 10.0.0.212 eq www
pager lines 24
mtu outside 1500
mtu inside 1500
ip address 10.0.0.230 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group outside in interface outside
route outside 0.0.0.0 0.0.0.0 10.0.0.254 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
snmp-server host inside 10.0.0.234 community xxxx
no snmp-server location
no snmp-server contact
snmp-server community xxxx
snmp-server enable traps snmp authentication linkup linkdown coldstart
snmp-server enable traps syslog
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 60
console timeout 0
!
!
prompt hostname context
Cryptochecksum:c887f562a196123a335c5ebeba0ad482
: end
10-02-2013 10:34 AM
Hello Thomas,
"I thought that transparent mode is just a bump in the wire, so why does the IP address/subnet assigned to the BVI affect the traffic? Is the ASA capable of handling other/multiple subnets in transparent mode, other than the subnet assigned to the BVI?"
That's one of the transparent firewall limitations.
Also, there is no need to run multiple contexts for this. You can now use more than one BVI, and that will fix the problem.
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
10-02-2013 12:07 PM
Hi Julio,
Thank you for your reply. I continue to test this in many different ways but am getting the same result.
10.0.0.3 (computer) -(inside interface)-> 10.0.0.10 (firewall) -(outside interface)-> 10.0.0.2 (computer) = success
10.0.0.3 (computer) -(inside interface)-> 10.10.0.10 (firewall) -(outside interface)-> 10.0.0.2 (computer) = fail
Below are the log messages I receive when I change the BVI IP address to 10.10.0.10.
%ASA-2-106006: Deny inbound UDP from 10.0.0.2/50871 to 239.255.255.250/1900 on interface outside
%ASA-2-106006: Deny inbound UDP from 10.0.0.2/50871 to 239.255.255.250/1900 on interface outside
%ASA-2-106006: Deny inbound UDP from 10.0.0.2/50871 to 239.255.255.250/1900 on interface outside
%ASA-2-106006: Deny inbound UDP from 10.0.0.2/50871 to 239.255.255.250/1900 on interface outside
%ASA-2-106006: Deny inbound UDP from 10.0.0.2/138 to 10.0.0.255/138 on interface outside
%ASA-2-106006: Deny inbound UDP from 10.0.0.2/50871 to 239.255.255.250/1900 on interface outside
%ASA-2-106006: Deny inbound UDP from 10.0.0.2/50871 to 239.255.255.250/1900 on interface outside
%ASA-2-106006: Deny inbound UDP from 10.0.0.2/50871 to 239.255.255.250/1900 on interface outside
%ASA-2-106006: Deny inbound UDP from 10.0.0.2/50871 to 239.255.255.250/1900 on interface outside
I looked up 106006 and below is the definition.
"Error Message %PIX|ASA-2-106006: Deny inbound UDP from outside_address/outside_port to inside_address/inside_port on interface interface_name.
Explanation This is a connection-related message. This message is displayed if an inbound UDP packet is denied by the security policy that is defined for the specified traffic type.
Recommended Action None required."
I tried assigning more than one IP address to one BVI, but it didn't take it. Is there a command "ip address x.x.x.x x.x.x.x secondary" for the BVI, like on a router?
Thank you again; this has been the main obstacle for me in the FortiGate-to-ASA migration project.
10-02-2013 12:17 PM
Hello Thomas,
My pleasure to help,
Did you check my latest post?
I mean, the thing is that for the ASA in transparent mode the IP address must belong to the same subnet it is being set on.
So in this case you could use two BVIs:
One with an IP on the 10.10.10.x subnet to connect the 10.10.10.x subnet,
And another with an IP address on 10.0.0.x to connect the 10.0.0.x subnet.
Let me know if you still have any questions.
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
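Julio's two-BVI suggestion above (and his earlier reply that more than one BVI removes the need for multiple contexts), written out as an ASA 9.x transparent-mode configuration. This is an added example, not a configuration from the thread or from Cisco. It assumes an ASA with GigabitEthernet0/0 to 0/3 (the ASA 5515-X numbering Thomas is considering); the interface names, the hostname and the ACL entries are assumptions, while the BVI addresses 10.0.0.10 and 10.10.0.10 are the ones Thomas tested with. Each subnet gets its own bridge group, and each bridge group gets its own pair of physical interfaces and one BVI address on that subnet; there is no "secondary" keyword on a BVI.

```cisco
! Added example (not from the original thread): one ASA in transparent
! mode bridging two subnets with two bridge groups. Interface names, the
! GigabitEthernet numbering (ASA 5515-X style), hostname and ACL contents
! are assumptions; the BVI addresses are the ones tested in the thread.
firewall transparent
hostname asa-transparent
!
! Bridge group 1 carries the 10.0.0.0/24 segment.
interface GigabitEthernet0/0
 nameif outside-a
 bridge-group 1
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside-a
 bridge-group 1
 security-level 100
!
! Bridge group 2 carries the 10.10.0.0/24 segment.
interface GigabitEthernet0/2
 nameif outside-b
 bridge-group 2
 security-level 0
!
interface GigabitEthernet0/3
 nameif inside-b
 bridge-group 2
 security-level 100
!
! Each BVI gets exactly one address, on the subnet its bridge group
! carries. A second subnet needs a second bridge group; the ASA does
! not forward between bridge groups, so 10.0.0.0/24 and 10.10.0.0/24
! can only reach each other through an external router.
interface BVI1
 ip address 10.0.0.10 255.255.255.0
!
interface BVI2
 ip address 10.10.0.10 255.255.255.0
!
! Transparent mode still enforces interface ACLs; permit only what is
! needed per bridge group (hosts below are assumed).
access-list outside-a-in extended permit tcp any host 10.0.0.110 eq www
access-list outside-a-in extended permit tcp any host 10.0.0.110 eq https
access-group outside-a-in in interface outside-a
!
access-list outside-b-in extended permit tcp any host 10.10.0.2 eq https
access-group outside-b-in in interface outside-b
!
! Default route only matters for traffic the ASA itself originates
! (syslog, SNMP, AAA); it is sourced from the BVI of that bridge group.
route outside-a 0.0.0.0 0.0.0.0 10.0.0.254 1
```

On an ASA 5505 the physical ports are switch ports, so the "nameif", "bridge-group" and "security-level" lines go under "interface VlanN" and each physical Ethernet0/x port is assigned to a VLAN with "switchport access vlan". The check that matters before cutting over: every host behind a bridge group must be on the BVI's own subnet, because, as the documentation quoted later in this thread says, the ASA does not support traffic on secondary networks behind a single bridge group.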
10-02-2013 01:05 PM
Hi Julio,
Thanks again for your help, I will give it a try next week. I have to leave town soon. I will post my progress once I am back.
Thomas
10-02-2013 01:29 PM
Hello Thomas,
My pleasure to help,
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
10-03-2013 12:22 AM
try this
10.0.0.3/24 (computer) ---> 10.10.0.2/8 (firewall) ---> 10.0.0.1/24 (computer)
10-10-2013 10:38 AM
Thank you all. After spending a bit of time researching, I believe that the ASA cannot be a direct replacement for the current FortiGate firewall we have, due to its limitations.
"Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the ASA, and traffic must exit the ASA before it is routed by an external router back to another bridge group in the ASA."
"Note The ASA does not support traffic on secondary networks; only traffic on the same network as the management IP address is supported."
Thomas
10-10-2013 12:09 PM
Hello Thomas,
Glad to know that I could help with the answer to your questions,
Please mark it as answered so future users can learn from this.
For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com
Any question contact me at jcarvaja@laguiadelnetworking.com
Cheers,
Julio Carvajal Segura
10-10-2013 12:11 PM
Thank you Julio
10-24-2022 01:07 PM
Hello
Try placing the command in the system "arp permit-nonconnected"
Regards,
01-13-2014 06:19 AM
In ASA transparent mode, why is it necessary to keep the management IP in the same subnet as that of the connected network?
What if I keep the management IP in a different subnet than that of the connected network?
If I do so, does the traffic move through the ASA, and why?
Thanks.
01-13-2014 09:43 AM
Hello Vijay,
As you say, you can use another one. That's correct, but the thing is that the management IP is not only used for management purposes.
That's where you are missing the point.
That IP address, assigned to the ASA as a whole, will also be used for ARP requests when the ASA does not know where the destination host lies and it's not on the same subnet as the ASA.
It will also be used as a source for packets going to a syslog server, AAA server, NetFlow server, SNMP server and any packet that the ASA will need to create, so with that in mind the routing of the network will need to be changed to work with this.
If you can get the routing of the network to work with a different management IP address on the transparent firewall, then you can do it. I can assure you I have seen this scenario before working with no issues at all, bud.
Just remember to rate all of the helpful posts like this one.
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com