ASA5506X is not bridging traffic

Hello!

I am trying to configure a Cisco ASA5506X in transparent mode using bridge groups. I have followed all the official guidelines, but the ASA does not bridge traffic...

The layout is:

Host (10.200.80.7) ---------- ASA Gi1/2.200 (vlan 200) --- bridge group 200 (10.200.80.2) --- ASA Gi1/1.59 (vlan 59) ----------- Gateway (10.200.80.1).

Test results:

  • 10.200.80.7 can ping 10.200.80.2 and cannot ping 10.200.80.1
  • 10.200.80.2 can ping anything.
  • 10.200.80.1 can ping 10.200.80.2 and cannot ping 10.200.80.7

The configuration is below.

ciscoasa# sh run
: Saved
:
: Serial Number: JAD201102AM
: Hardware:   ASA5506, 4096 MB RAM, CPU Atom C2000 series 1250 MHz, 1 CPU (4 cores)
:
ASA Version 9.5(2)
!
firewall transparent
hostname ciscoasa
enable password <output deleted> encrypted
names
!
interface GigabitEthernet1/1
 no nameif
 no security-level
!
interface GigabitEthernet1/1.59
 vlan 59
 nameif outside200
 bridge-group 200
 security-level 100
!
interface GigabitEthernet1/2
 no nameif
 no security-level
!
interface GigabitEthernet1/2.200
 vlan 200
 nameif inside200
 bridge-group 200
 security-level 100
!
interface GigabitEthernet1/3
 shutdown
 no nameif
 no security-level
!
interface GigabitEthernet1/4
 shutdown
 no nameif
 no security-level
!
interface GigabitEthernet1/5
 shutdown
 no nameif
 no security-level
!
interface GigabitEthernet1/6
 shutdown
 no nameif
 no security-level
!
interface GigabitEthernet1/7
 shutdown
 no nameif
 no security-level
!
interface GigabitEthernet1/8
 shutdown
 no nameif
 no security-level
!
interface Management1/1
 management-only
 no nameif
 no security-level
!
interface BVI200
 ip address 10.200.80.2 255.255.255.0
!
ftp mode passive
pager lines 24
logging enable
logging timestamp
logging buffer-size 512000
logging buffered debugging
mtu inside200 1500
mtu outside200 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
user-identity default-domain LOCAL
no snmp-server location
no snmp-server contact
service sw-reset-button
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
no ssh stricthostkeycheck
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
dynamic-access-policy-record DfltAccessPolicy
!
class-map global-class
 match any
!
!
policy-map global_policy
 class global-class
  sfr fail-open
!
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:c2f0e252f042c3710335f876e69548d4
: end
ciscoasa#
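An added config check, not part of the original post and not a Cisco tool, that parses a running-config excerpt in the shape of the show run above and flags the transparent-mode bridging pitfalls a reviewer looks for first: bridge-group members that share a security level while same-security-traffic permit inter-interface is absent, members without a nameif, and a BVI with no address. The excerpt is a constructed subset of the config above.

```python
from collections import defaultdict

# Constructed excerpt in the shape of the 'show run' above (not the full config).
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1.59
 nameif outside200
 bridge-group 200
 security-level 100
!
interface GigabitEthernet1/2.200
 nameif inside200
 bridge-group 200
 security-level 100
!
interface BVI200
 ip address 10.200.80.2 255.255.255.0
!
"""

def parse_interfaces(config):
    """Map each 'interface' block to {sub-command keyword: rest of line}."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {}
        elif line == "!":
            current = None
        elif current is not None:
            key, _, value = line.partition(" ")
            interfaces[current][key] = value
    return interfaces

def lint_bridge_groups(config):
    """Return findings for the bridging pitfalls raised in this thread."""
    ifaces, findings = parse_interfaces(config), []
    groups = defaultdict(list)  # bridge-group id -> security levels of its members
    for name, attrs in ifaces.items():
        if "bridge-group" in attrs:
            if "nameif" not in attrs:
                findings.append(f"{name}: bridge-group member has no nameif")
            groups[attrs["bridge-group"]].append(attrs.get("security-level"))
    permit = "same-security-traffic permit inter-interface" in config.splitlines()
    for gid, levels in groups.items():
        if "ip" not in ifaces.get(f"BVI{gid}", {}):
            findings.append(f"bridge-group {gid}: BVI{gid} has no ip address")
        if len(levels) >= 2 and len(set(levels)) == 1 and not permit:
            findings.append(f"bridge-group {gid}: members share security-level {levels[0]}"
                            " but same-security-traffic permit inter-interface is missing")
    return findings
```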

10 Replies

Stanislav,

I see both interfaces have security level 100. Try adding the following command.

same-security-traffic permit inter-interface

Ashish

Produced no effect.

Do interfaces gig 1/1 and 1/2 connect directly to a host or to a switch? As you have sub-interfaces with VLAN 200 and 59, make sure the interfaces on the switch are trunk ports and VLANs 200 and 59 are allowed.

Ashish

They are connected to a switch. The interfaces on the switch are configured correctly, otherwise the ASA could not ping its neighbors, but it can, as I wrote before.

Can you check the logs of the SFR? Or try

policy-map global_policy
 class global-class
  no sfr fail-open

The above step disables the SFR feature on the ASA; this is just for testing.

Ashish

Hi all!

I managed to locate the problem, and it looks the same as here:

https://supportforums.cisco.com/discussion/11426276/asa-5505-843-not-responding-arp-requests-different-subnet

The problem is that the ASA blocks ARP replies. When I ping a host from inside to outside, the host sends out an ARP request. With a packet sniffer, I see that the request reaches the host (10.200.80.1 in my case), and the host replies, but this reply never reaches the ping initiator. Any idea how to solve it? I am currently thinking it is a bug in 9.5(2) and planning to upgrade to the latest version.
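As an added example (not from the original thread), this correlates ARP traffic captured on both sides of the bridge group the way the sniffer observation above was made: a request seen on the inside capture that is answered on the outside capture, but whose reply never appears on the inside capture, is reported as lost inside the ASA. The tcpdump-style lines are constructed, and the MAC address is a documentation value.

```python
import re

# Constructed tcpdump-style ARP lines for the two sides of bridge group 200.
# Outside (vlan 59): the host's request arrives and the gateway 10.200.80.1 answers.
OUTSIDE_CAPTURE = """\
12:00:01.000100 ARP, Request who-has 10.200.80.1 tell 10.200.80.7, length 46
12:00:01.000300 ARP, Reply 10.200.80.1 is-at 00:00:5e:00:53:01, length 28
"""
# Inside (vlan 200): the same request leaves, but no reply ever comes back.
INSIDE_CAPTURE = """\
12:00:01.000050 ARP, Request who-has 10.200.80.1 tell 10.200.80.7, length 46
"""

ARP_LINE = re.compile(
    r"^\S+ ARP, (?:Request who-has (?P<target>[0-9.]+) tell (?P<sender>[0-9.]+)"
    r"|Reply (?P<replier>[0-9.]+) is-at (?P<mac>[0-9a-f:]+))"
)

def parse_arp(capture):
    """Return ('request', target_ip, sender_ip) / ('reply', ip, mac) tuples."""
    records = []
    for line in capture.splitlines():
        m = ARP_LINE.match(line)
        if m is None:
            continue  # not an ARP line (e.g. the ICMP echo itself), ignore
        if m.group("target"):
            records.append(("request", m.group("target"), m.group("sender")))
        else:
            records.append(("reply", m.group("replier"), m.group("mac")))
    return records

def missing_replies(near_capture, far_capture):
    """Requests seen on the near side that were answered on the far side
    but whose reply never appeared on the near side, as (sender, target) pairs."""
    near, far = parse_arp(near_capture), parse_arp(far_capture)
    far_replies = {ip for kind, ip, _ in far if kind == "reply"}
    near_replies = {ip for kind, ip, _ in near if kind == "reply"}
    return [(sender, target) for kind, target, sender in near
            if kind == "request" and target in far_replies and target not in near_replies]
```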

Ajay Saini
Level 7

Could you please try adding ICMP inspection and see if that helps.

class-map inspection_default
 match default-inspection-traffic
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global

-AJ

Hi Ajay,

Done. Problem not solved... 

Could you please run the following debugs and also attach the syslogs from the ASA:

debug icmp trace

and take level 6 syslogs.

-AJ

Hello Ajay,

debug icmp trace showed no ICMP requests, and I decided to go down to the ARP level. See my posts below.

Level 6 logging showed nothing interesting, no drops.
