02-20-2013 05:34 PM - edited 03-11-2019 06:03 PM
I have a Cisco ASA5505 configured in transparent mode. This evening we attempted to plug a couple of new servers in but they simply didn't work, despite our test server working absolutely fine. The server IPs are all in a network object group (the same as the test server) and they're all using the same ACLs etc. I'm relatively new to configuring Cisco equipment and was wondering if anyone had any pointers as to what might be going wrong?
The only thing I can think of is a static route I had to add to get the management IP to work might be causing problems.
route outside 0.0.0.0 0.0.0.0 XX.XXX.132.1 1
(IP addresses obfuscated; servers are all in the same range, so assume XX.XXX is the same across all IPs.)
I've attached the config; any help would be greatly appreciated.
Thanks,
James
02-20-2013 06:15 PM
James, can you provide a network diagram? Was this an existing setup or a new ASA deployment? How are you wanting the servers to communicate?
In addition, here are some links that may help until I know a little more about what you're trying to do.
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/mode_fw.pdf
Basic config after 8.4
interface Ethernet0/0
switchport access vlan 10
!
interface Ethernet0/1
switchport access vlan 20
!
interface Vlan10
nameif outside
bridge-group 1
security-level 0
!
interface Vlan20
nameif inside
bridge-group 1
security-level 100
!
interface BVI1
ip address 10.10.10.10 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.10.10.1
route inside 192.168.1.0 255.255.255.0 10.10.10.254
!
http 0.0.0.0 0.0.0.0 inside
02-21-2013 01:22 AM
Hi,
Thanks for the reply. The ASA is a new deployment; I've just plugged it into a switch in the DC. The default gateway is the same IP I specified in the static route, xx.xxx.132.1. Without this static route the management IP will not work, although the firewall does. I would happily remove it if I could get management to work without it.
The uplink is plugged into the outside network, and the servers into the inside network. Our test server (on the same subnet as the management IP if that helps) works fine, but all the others in the protected servers object group do not.
The servers aren't doing anything fancy; they just need to be able to be accessed from the internet using their public IPs, no NAT or PAT. My understanding was that transparent mode would allow us to do this.
It must be something silly I'm missing, surely?
Thanks,
James
02-21-2013 01:55 AM
It's worth noting that the servers we're trying to plug into the ASA (apart from our test server) have a different default gateway set in their network interfaces file than the xx.xxx.132.1 address. Would I need to set these servers to use the 132.1 gateway? They all have gateways/subnet masks/IPs in a different range because they have been moved from other locations in the DC where they were not hardware-firewalled.
02-21-2013 06:42 AM
As far as the gateway question, you only need a gateway to access the Internet. So, if you need to access the Internet, then you will need one for each computer. The gateway, of course, needs to be on a gateway/router device. You can still communicate locally with each server by just putting in a local IP on the subnet and the same subnet mask. I hope I'm helping. If you have one, I could really use a network diagram to help map everything out. I don't need any IP addresses or other sensitive info, but it helps me to see it in front of me instead of guessing in my head. Let me know about your current ASA config and if you need something other than what I provided earlier.
02-21-2013 06:26 AM
James,
When in transparent mode the firewall isn't doing NAT and your interface is usually local with a local gateway in front of it. To work better you need NAT mode so you can have access to the outside world; however, I may not know the whole story. Do you have a NAT device in front of this ASA? If the config I gave you earlier doesn't work you may have to try NAT. Let me know if you need a basic config for that.
02-25-2013 05:00 AM
Thanks for your replies Ryan.
I don't have a network diagram right now but can get one made.
The firewall would need to stay in transparent mode as the servers it's protecting cannot use NAT (they have public IPs they have to be used with).
The three servers are as follows:
srv18: xxx.xxx.144.152
srv17: xxx.xxx.132.118
srv16: xxx.xxx.130.178
Connected to the ASA5505 on the inside interface with management IP:
xxx.xxx.133.32
The ASA is then connected on the outside interface to our switch, which in turn connects to the internet.
srv18's gateway is xx.xxx.144.1 and the other two have xxx.xxx.132.1. These work fine when the servers are plugged directly into the switch.
There is a static route in the ASA as described above. I could be wrong, but is there a way to alter this static route to only apply to management traffic? I'm not sure it's necessary if all the servers have a default gateway in their network configs.
As an update, in our deployment test:
The config I posted above still says "Queued for virus scan" so I've left it for now. The config can be found here:
Any help is very much appreciated.
Thanks,
James
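An added example, not code from the thread or from Cisco: a small Python checker that parses the interface blocks and static routes of an ASA config written in the style of the transparent-mode snippet posted earlier, flags the points the thread turns on (a named interface with no bridge-group, a BVI without a management address, a static route whose next hop is not on the BVI subnet, and the `switchport access vlan2` typo), and then reports for each server whether its gateway lies on its own subnet and whether that subnet is the one the ASA bridges. The config and the host table are constructed with private placeholder addresses, and the rules it applies are the checker's own assumptions, not ASA behaviour the thread confirms.

```python
import ipaddress
import re

# Constructed sample in the style of the 8.4 transparent-mode config posted
# earlier in the thread (private placeholder addresses, not the poster's).
SAMPLE_CONFIG = """\
interface Vlan10
 nameif outside
 bridge-group 1
 security-level 0
!
interface Vlan20
 nameif inside
 bridge-group 1
 security-level 100
!
interface BVI1
 ip address 10.10.10.10 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 10.10.10.1 1
"""

# Constructed host table mirroring the thread, as (name, ip, mask, gateway):
# srv16 sits on the bridged subnet; srv18 kept an address and gateway from another /24.
SAMPLE_HOSTS = [
    ("srv16", "10.10.10.178", "255.255.255.0", "10.10.10.1"),
    ("srv18", "10.10.44.152", "255.255.255.0", "10.10.44.1"),
]

# 'switchport access vlan2' (no space) is the typo seen in the thread's NAT-mode snippet.
BAD_VLAN_RE = re.compile(r"^switchport access vlan(\d+)$")


def parse_asa(text):
    """Return (interfaces, routes, problems) parsed from interface blocks and route lines."""
    interfaces, routes, problems = {}, [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {}
            continue
        if line.startswith("route "):
            nameif, net, mask, gw = line.split()[1:5]  # route <nameif> <net> <mask> <gw> [metric]
            routes.append((nameif, ipaddress.ip_network(f"{net}/{mask}", strict=False),
                           ipaddress.ip_address(gw)))
            current = None
            continue
        if current is None:
            continue  # global commands this checker does not model
        attrs = interfaces[current]
        if BAD_VLAN_RE.match(line):
            problems.append(f"{current}: '{line}' is missing the space before the VLAN id")
        elif line.startswith("nameif "):
            attrs["nameif"] = line.split()[1]
        elif line.startswith("bridge-group "):
            attrs["bridge_group"] = int(line.split()[1])
        elif line.startswith("ip address "):
            ip, mask = line.split()[2:4]
            attrs["address"] = ipaddress.ip_interface(f"{ip}/{mask}")
    return interfaces, routes, problems


def bvi_networks(interfaces):
    """Subnets configured on BVI interfaces, i.e. the bridge's management subnet."""
    return [a["address"].network for n, a in interfaces.items()
            if n.startswith("BVI") and "address" in a]


def check_transparent(interfaces, routes):
    """Checker's own rules: named interfaces need a bridge-group, the BVI needs an
    address for management, and a static route's next hop should sit on the BVI subnet."""
    problems, nets = [], bvi_networks(interfaces)
    for name, a in interfaces.items():
        if "nameif" in a and "bridge_group" not in a:
            problems.append(f"{name} ({a['nameif']}) has a nameif but no bridge-group")
        if name.startswith("BVI") and "address" not in a:
            problems.append(f"{name} has no ip address for management traffic")
    for nameif, net, gw in routes:
        if not any(gw in n for n in nets):
            problems.append(f"route {nameif} {net} via {gw}: next hop not on a BVI subnet")
    return problems


def check_hosts(hosts, interfaces):
    """Per host: is its gateway on its own subnet, and is that subnet the bridged one?"""
    nets = bvi_networks(interfaces)
    report = {}
    for name, ip, mask, gw in hosts:
        iface = ipaddress.ip_interface(f"{ip}/{mask}")
        report[name] = {"gateway_on_subnet": ipaddress.ip_address(gw) in iface.network,
                        "on_bvi_subnet": any(iface.ip in n for n in nets)}
    return report


def audit(config=SAMPLE_CONFIG, hosts=SAMPLE_HOSTS):
    """Run every check over a config and host table and return the findings."""
    ifaces, routes, problems = parse_asa(config)
    return {"problems": problems + check_transparent(ifaces, routes),
            "hosts": check_hosts(hosts, ifaces)}


if __name__ == "__main__":
    print(audit())
```

With the constructed inputs the config itself passes, and the host report shows srv18 with a gateway on its own /24 but not on the subnet the ASA bridges, which is exactly the situation the moved servers are in; a host in that state depends on its gateway being reachable through the bridge rather than on anything the ASA routes for it.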
02-25-2013 07:14 AM
James,
Again, I would bring it out of transparent mode. You can do one of these to give all those servers access to the Internet.
Set your gateway on your servers to the vlan2 gateway LAN block address, which I'm guessing will be a router unless you have your ISP doing the routing for you.
config t
int vlan1
ip address XX.XX.XX.XX XX.XX.XX.XX
nameif inside
security-level 100
exit
int vlan2
ip address XX.XX.XX.XX XX.XX.XX.XX
nameif outside
security-level 0
exit
int ethernet0/0
switchport access vlan 2
exit
int ethernet0/2
switchport access vlan 2
exit
int ethernet0/3
switchport access vlan 2
exit
int ethernet0/4
switchport access vlan 2
exit
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 XX.XX.XX.XX 1
wr mem
This is what those switch ports will look like; eth0/0, 0/2, 0/3 and 0/4 will have access to the internet.
eth0/1 is the inside interface of the firewall, but in your case I don't think you are using it.
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
!
interface Ethernet0/2
switchport access vlan 2
!
interface Ethernet0/3
switchport access vlan 2
!
interface Ethernet0/4
switchport access vlan 2