04-05-2012 12:12 PM - edited 03-11-2019 03:51 PM
The ASA is configured in very simple transparent mode. As desired, traffic can flow in each direction between inside and outside. I can manage the ASA via console and direct connection to the management interface. The problem is that I cannot ping or ssh to the ASA via the inside interface. I need to be able to manage the ASA from any PC on the inside LAN. I suspect I am missing some easy aspect of the configuration but after a lot of hours I'm about at the end of my patience with it. Here is what I believe to be the relevant parts of the config. Any assistance will be greatly appreciated.
ASA Version 8.2(1)
!
firewall transparent
hostname issr1
enable password 2alej83t5cqT0FWd encrypted
passwd 4kleUY438I93.4ljdh encrypted
names
name xxx.125.144.0 myLAN
!
interface Ethernet0/0
nameif Outside
security-level 0
!
interface Ethernet0/1
nameif inside
security-level 100
!
interface Ethernet0/2
shutdown
no nameif
no security-level
!
interface Ethernet0/3
shutdown
no nameif
no security-level
!
interface Management0/0
nameif management
security-level 100
ip address xxx.125.145.173 255.255.255.0
management-only
!
dns server-group DefaultDNS
domain-name myLAN.circ6.dcn
object-group protocol TCPUDP
protocol-object tcp
access-list inside_access_in_2 extended permit ip any any
access-list Outside_access_in_1 extended permit ip myLAN 255.255.254.0 any
mtu Outside 1500
mtu inside 1500
mtu management 1500
ip address xxx.125.145.175 255.255.254.0
icmp unreachable rate-limit 1 burst-size 1
icmp permit host xxx.125.145.175 inside
asdm history enable
access-group Outside_access_in_1 in interface Outside
access-group inside_access_in_2 in interface inside control-plane
route inside myLAN 255.255.254.0 xxx.125.144.240 1
dynamic-access-policy-record DfltAccessPolicy
aaa authentication ssh console LOCAL
http server enable
http xxx.125.144.0 255.255.254.0 management
http myLAN 255.255.254.0 inside
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
ssh xxx.125.144.14 255.255.255.255 inside
ssh xxx.125.145.174 255.255.255.255 management
ssh timeout 60
console timeout 0
!
Cryptochecksum:f1c9377arda5b6aef83928h0b0058f9
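The management-access lines in a config like the one above (ssh, http, icmp permit) are matched per interface by comparing the source address against the entry under the entry's mask, so a mask that is one bit too narrow silently drops every host in the other half of the range while the config still looks plausible. The following is an added example, not code from the thread or from Cisco: a small Python checker that parses those lines (including the "name" alias used for myLAN), reports whether a given source host on a given interface would be permitted, and shows the effect of narrowing one mask from 255.255.254.0 to 255.255.255.0. The addresses are constructed; the post masks the first octet as "xxx." and 10 is substituted here as a placeholder, and the narrowed line is an assumption of the kind of netmask error the thread describes, not the one the poster actually found.

```python
import ipaddress

# Constructed sample in the shape of the posted config. The post masks the first
# octet as "xxx."; 10 is substituted here as a placeholder, so these are not real
# addresses. Only the management-access lines are reproduced.
POSTED_CONFIG = """
name 10.125.144.0 myLAN
icmp permit host 10.125.145.175 inside
http 10.125.144.0 255.255.254.0 management
http myLAN 255.255.254.0 inside
ssh 10.125.144.14 255.255.255.255 inside
ssh 10.125.145.174 255.255.255.255 management
"""

# Same lines with one mask narrowed from /23 to /24: a constructed netmask error
# of the kind the thread describes (the post does not say which mask was wrong).
NARROWED_CONFIG = POSTED_CONFIG.replace(
    "http myLAN 255.255.254.0 inside", "http myLAN 255.255.255.0 inside")


def parse_access_rules(config_text):
    """Return (service, network, interface) tuples from ssh/http/icmp permit lines.

    The ASA matches a source against an entry by (src & mask) == (addr & mask);
    building an IPv4Network with strict=False applies the same masking.
    """
    names = {}
    rules = []
    for raw in config_text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "name" and len(parts) >= 3:
            names[parts[2]] = parts[1]          # name <ip> <alias>
            continue
        if parts[0] in ("ssh", "http") and len(parts) == 4:
            service, addr, mask, iface = parts
        elif parts[0] == "icmp" and len(parts) == 5 and parts[1] == "permit":
            if parts[2] == "host":              # icmp permit host <ip> <iface>
                service, addr, mask, iface = "icmp", parts[3], "255.255.255.255", parts[4]
            else:                               # icmp permit <ip> <mask> <iface>
                service, addr, mask, iface = "icmp", parts[2], parts[3], parts[4]
        else:
            continue
        addr = names.get(addr, addr)            # expand "name" aliases such as myLAN
        network = ipaddress.IPv4Network((addr, mask), strict=False)
        rules.append((service, network, iface))
    return rules


def is_permitted(rules, service, src_ip, iface):
    """True if any entry for this service on this interface covers src_ip."""
    ip = ipaddress.IPv4Address(src_ip)
    return any(s == service and i == iface and ip in net for s, net, i in rules)


def explain_denial(rules, service, src_ip, iface):
    """Say why src_ip is not matched: no entry on that interface, or outside every mask."""
    candidates = [str(net) for s, net, i in rules if s == service and i == iface]
    if not candidates:
        return f"no '{service}' entry exists for interface {iface}"
    return f"{src_ip} is outside every '{service}' entry on {iface}: " + ", ".join(candidates)


if __name__ == "__main__":
    good = parse_access_rules(POSTED_CONFIG)
    bad = parse_access_rules(NARROWED_CONFIG)
    for src in ("10.125.144.14", "10.125.145.50"):
        print(f"{src} http/inside with /23 mask: {is_permitted(good, 'http', src, 'inside')}")
        print(f"{src} http/inside with /24 mask: {is_permitted(bad, 'http', src, 'inside')}")
    print(explain_denial(good, "ssh", "10.125.145.174", "inside"))
```

The checker only covers the address, mask and interface matching of those lines; it does not model the other prerequisites the thread touches on, such as the RSA key for SSH or the aaa authentication setting, so a "permitted" result here means the host is in scope, not that the login will succeed.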
04-05-2012 01:00 PM
Hi,
I have never actually configured a transparent ASA firewall so I am just guessing.
What I am wondering is: if you have a transparent firewall acting as an L2 device in the network, shouldn't you just have a default route pointing to the IP address of the network's only L3 interface?
Have you tried giving the management interface a totally different IP address? Something like 10.10.10.1/24 so it doesn't have anything to do with the actual network you have your ASA connected to?
Can you ping the IP address mentioned in the global configuration line "ip address" from your computer connected to the L2 network?
04-06-2012 07:02 AM
Thanks for the reply.
I had an error in a netmask. After fixing that I can ping and connect with ASDM from the inside to the global IP address. I still cannot SSH from the inside but I should be able to figure that out.
Thanks for the help. Although your suggestion wasn't exactly the solution, it did prompt me to review all of my network settings and find the immediate problem.
Thanks again.
04-06-2012 07:44 AM
Hey,
When you say that you have been able to manage the ASA directly from Management interface, does that mean also with SSH?
I was just wondering if you've issued the "crypto key generate rsa modulus 1024" from the console CLI? Or the same from the ASDM Tools -> Command Line Interface (or something similar)
At least that's the most common mistake I sometimes make when starting configurations with ASA on console (forget to create the keys)
- Jouni
04-06-2012 10:29 AM
From the management interface I can use SSH and ASDM.
I had already done the "crypto..." command.
After tweaking another netmask I can now do SSH and ASDM from the inside interface. So my immediate problems are all resolved.
Thanks again,