05-11-2017 07:33 AM - edited 03-12-2019 02:20 AM
Hello!
I am trying to configure a Cisco ASA5506X in transparent mode using bridge groups. I follow all the official guidelines, but the ASA does not bridge traffic...
The layout is:
Host (10.200.80.7) ---------- ASA Gi1/2.200 (vlan 200) --- bridge group 200 (10.200.80.2) --- ASA Gi1/1.59 (vlan 59) ----------- Gateway (10.200.80.1).
Test results:
The configuration is below.
ciscoasa# sh run
: Saved
:
: Serial Number: JAD201102AM
: Hardware: ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(2)
!
firewall transparent
hostname ciscoasa
enable password <output deleted> encrypted
names
!
interface GigabitEthernet1/1
no nameif
no security-level
!
interface GigabitEthernet1/1.59
vlan 59
nameif outside200
bridge-group 200
security-level 100
!
interface GigabitEthernet1/2
no nameif
no security-level
!
interface GigabitEthernet1/2.200
vlan 200
nameif inside200
bridge-group 200
security-level 100
!
interface GigabitEthernet1/3
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/4
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/5
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/6
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/7
shutdown
no nameif
no security-level
!
interface GigabitEthernet1/8
shutdown
no nameif
no security-level
!
interface Management1/1
management-only
no nameif
no security-level
!
interface BVI200
ip address 10.200.80.2 255.255.255.0
!
ftp mode passive
pager lines 24
logging enable
logging timestamp
logging buffer-size 512000
logging buffered debugging
mtu inside200 1500
mtu outside200 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map global-class
match any
!
!
policy-map global_policy
class global-class
sfr fail-open
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c2f0e252f042c3710335f876e69548d4
: end
ciscoasa#
05-11-2017 08:09 AM
Stanislav,
I see both interfaces have security level 100. Try adding the following command.
same-security-traffic permit inter-interface
Ashish
05-11-2017 08:17 AM
Produced no effect.
05-11-2017 08:40 AM
Interfaces gig 1/1 and 1/2, do they connect directly to a host or to a switch? As you have sub-interfaces with VLAN 200 and 59, make sure the interfaces on the switch are trunk ports and VLANs 200 and 59 are allowed.
Ashish
05-11-2017 01:30 PM
They are connected to a switch. The interfaces on the switch are configured correctly, otherwise the ASA could not ping its neighbors, but it can, as I wrote before.
05-11-2017 02:16 PM
Can you check the logs of the SFR? Or try
policy-map global_policy
class global-class
no sfr fail-open
The above step disables SFR features on the ASA; this is just for testing.
Ashish
05-15-2017 03:21 PM
Hi all!
I managed to locate the problem, and it looks the same as here:
https://supportforums.cisco.com/discussion/11426276/asa-5505-843-not-responding-arp-requests-different-subnet
The problem is that ASA blocks ARP replies. When I ping a host from inside to outside, the host sends out an ARP request. With a packet sniffer, I see that the request reaches the host (10.200.80.1 in my case), and the host replies, but this reply never reaches the ping initiator. Any idea how to solve it? I am currently thinking it is a bug of 9.5(2) and planning to upgrade to the latest version.
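The diagnosis above was reached by sniffing on both sides of the firewall and noticing that the ARP reply is seen on the gateway side but never on the host side. As an added example (not part of the original post), the script below correlates ARP frames from two such capture points and states, for each request, whether the request was bridged, whether the target answered, and whether the answer was bridged back. The frames are constructed to mirror the symptom described (addresses taken from the post); the `ArpFrame` record and the verdict strings are this example's own.

```python
"""Localize where an ARP exchange breaks across a transparent firewall.

Added example. Inputs are simplified ARP frames tagged with the capture
side ('inside' = host side, VLAN 200; 'outside' = gateway side, VLAN 59).
The CAPTURE list is constructed to reproduce the symptom in the post.
"""
from collections import namedtuple

# side: 'inside' | 'outside'; op: 'request' | 'reply'
ArpFrame = namedtuple("ArpFrame", "side op sender_ip target_ip")

# Constructed captures: request from the host is bridged to the gateway side,
# the gateway answers there, but no reply frame ever appears on the inside capture.
CAPTURE = [
    ArpFrame("inside", "request", "10.200.80.7", "10.200.80.1"),
    ArpFrame("outside", "request", "10.200.80.7", "10.200.80.1"),
    ArpFrame("outside", "reply", "10.200.80.1", "10.200.80.7"),
]

# Same exchange with the reply bridged back: what a working bridge group looks like.
CAPTURE_OK = CAPTURE + [ArpFrame("inside", "reply", "10.200.80.1", "10.200.80.7")]


def trace_arp(frames):
    """Map (requester_ip, target_ip) -> verdict describing where the exchange stopped."""
    results = {}
    for f in frames:
        if f.op != "request":
            continue
        key = (f.sender_ip, f.target_ip)
        if key in results:
            continue  # already judged from the first capture point that saw it
        near = f.side
        far = "outside" if near == "inside" else "inside"
        reply_key = (f.target_ip, f.sender_ip)

        forwarded = any(g.op == "request" and g.side == far
                        and (g.sender_ip, g.target_ip) == key for g in frames)
        answered = any(g.op == "reply" and g.side == far
                       and (g.sender_ip, g.target_ip) == reply_key for g in frames)
        returned = any(g.op == "reply" and g.side == near
                       and (g.sender_ip, g.target_ip) == reply_key for g in frames)

        if not forwarded:
            verdict = "request not bridged to far side"
        elif not answered:
            verdict = "target did not reply (not a firewall drop)"
        elif not returned:
            verdict = "reply not bridged back to requester"
        else:
            verdict = "ok"
        results[key] = verdict
    return results


if __name__ == "__main__":
    for key, verdict in trace_arp(CAPTURE).items():
        print(f"{key[0]} -> {key[1]}: {verdict}")
```

The three-way split (request not bridged, target silent, reply not bridged back) is what separates a firewall drop on the return path, as reported here, from a switch trunk or gateway problem that the earlier replies asked about.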
05-11-2017 10:54 AM
Could you please try adding icmp inspection and see if that helps.
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect icmp
service-policy global_policy global
-AJ
05-11-2017 01:34 PM
Hi Ajay,
Done. Problem not solved...
05-11-2017 01:51 PM
Could you please run the following debugs and also attach the syslogs from the ASA:
debug icmp trace
and take level 6 syslogs.
-AJ
05-15-2017 03:24 PM
Hello Ajay,
debug icmp trace showed no ICMP requests, so I decided to go down to the ARP level. See my posts below.
level 6 logging showed nothing interesting, no drops.