Also,

The configuration guide should have more information related to the Transparent mode interface configurations

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/interface_start.html

- Jouni

I have looked at that too.  I tried setting bridge groups and a BVI like so (no change):

# sr

: Saved

:

ASA Version 8.4(6)

!

command-alias exec sr show run

firewall transparent

hostname guestfw

enable password 2AUevpoV6wPBdTtM encrypted

passwd 2KFQnbNIdI.2KYOU encrypted

names

!

interface GigabitEthernet0/0

nameif inside

bridge-group 1

security-level 100

!

interface GigabitEthernet0/1

nameif outside

bridge-group 1

security-level 0

!

interface GigabitEthernet0/2

shutdown

no nameif

no security-level

!            

interface GigabitEthernet0/3

shutdown

no nameif

no security-level

!

interface Management0/0

nameif management

security-level 0

ip address 10.10.2.61 255.255.254.0

management-only

!

interface BVI1

ip address 10.12.2.61 255.255.254.0

!

interface BVI10

no ip address

!

boot system disk0:/asa846-k8.bin

ftp mode passive

access-list outside ethertype permit any

pager lines 24

logging enable

logging console informational

logging buffered debugging

mtu inside 1500

mtu outside 1500

mtu management 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

icmp permit any inside

icmp permit any outside

icmp permit any management

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

route management 10.10.0.0 255.255.0.0 128.180.3.254 1

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

telnet timeout 5

ssh 10.10.0.0 255.255.0.0 management

ssh timeout 30

ssh version 2

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

username mroes1234 password ***************** encrypted

!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512

policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny 

  inspect sunrpc

  inspect xdmcp

  inspect sip 

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:f66af66c0053c0beecfbd5e6ae604f11

: end

Hi,

What are you using for testing? ICMP?

If yes, then try to add the commands

fixup protocol icmp

fixup protocol icmp error

To enable ICMP inspection on the ASA

Also check the MAC address table of the ASA

show mac-address-table

And check if there there is any MAC addresses that the ASA had learned

- Jouni

the only entry in the mac address table is the host directly connected to the inside interface.

Hi,

Can you remove the IP address from the "management" interface. Its the same as the BVI interface.

Also add the above ICMP related configurations and try to ping some host on the same network as the test host and see if that works.

If that works then try to reach some remote network.

- Jouni

Turns out, for some reason, the BVI interface needs to be on the same subnet that the FW is firewalling.  The logic behind this eludes me.

Hi,

I dont have that much expirience with the Transparent firewalls as I have not had the need to configure them in any customer environment.

To my understanding you can configure several bridge-groups on the firewall for each segment.

And the management/BVI IP address has to be on the same subnet as the connected segment. Otherwise the device wouldnt really be able to be managed remotely or it wouldnt be able to forward any from the box/to the box traffic.

In the same way when you have several L2 switches. You have one Vlan ID and interface per Switch usually and all configured with a separate IP address from the subnet so you can manage the device and the device knows where to forward traffic from the actual box.

The ASA also requires the IP address from the same network to be able to determine where to forward the traffic.

- Jouni

To your first point, there is no reason to have the *management* of the device on the subnet being firewalled.  It makes more sense to have the management interface on the management network. 

As far as your second point, the point of a layer-2 firewall is that it doesn't need to *know* where to forward traffic as it is a dumb bridge. 

While I recognize the need to have this BVI on the same network as the traffic being bridged, these are not sufficient reasons to support this need.