cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

730
Views
0
Helpful
1
Replies
tom.fransen
Beginner

Cisco ASA: transparent mode / bridge group / DHCP traffic blocked

Hi,

 

I am stuck trying to get the following setup to work on an ASA5506 running in transparent mode.

We use this setup to filter some traffic between our device and the corporate network.

 

We use the ASA5506 (running firmware 9.14) in the following setup:

- Port 1: outside zone (Corporate network)

- Port 2: inside zone

- Port 3: inside2 zone

 

Goal:

- We want to apply some simple filtering rules to the traffic that comes into and goes out of the outside zone.

- Devices connected to port 2 and 3 can communicate without any restriction (no rules)

- The DHCP server is located on the outside zone so DHCP should be allowed.

 

Problem: The firewall however not allow the DHCP traffic to pass from port 1 to port 2 and 3

 

The logging shows:

Oct 22 2021 13:13:35: %ASA-7-710005: UDP request discarded from 0.0.0.0/68 to inside:255.255.255.255/67

 

Questions:

1. Why is the DHCP traffic blocked?

2. Can I have 3 ports that are part of the same BVI or is there another way to get the required functionality?

 

Regard,

T

 

Here is part of the configuration:

 

firewall transparent

interface BVI1 ip address 192.168.0.1 255.255.255.0 ipv6 enable interface GigabitEthernet1/1
nameif outside
bridge-group 1
security-level 0
no shutdown
!
interface GigabitEthernet1/2
nameif inside
bridge-group 1
security-level 100
no shutdown
!
interface GigabitEthernet1/3
nameif inside2
bridge-group 1
security-level 100
no shutdown

....
....
clear configure access-list
!
access-list outside_access_in extended permit ip any any log disable
access-list outside_access_in extended permit object-group SERVICES_ICMPV4 any any log disable
access-list outside_access_in extended permit object-group SERVICES_ICMPV6 any any log disable
!
!==============================================================================
! Access List Configuration: inside to outside
!==============================================================================
access-list inside_access_out extended permit ip any any log disable
access-list inside_access_out extended permit object-group SERVICES_ICMPV4 any any log disable
access-list inside_access_out extended permit object-group SERVICES_ICMPV6 any any log disable
!
access-group outside_access_in in interface outside
access-group inside_access_out out interface outside
same-security-traffic permit inter-interface

arp permit-nonconnected
1 ACCEPTED SOLUTION

Accepted Solutions
balaji.bandi
VIP Guru

where is the DHCP Server - add below rule and test it

 

access-list XXXXXXXXXXXX extended permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps  (XXXXX  direction in or out)

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

View solution in original post

1 REPLY 1
balaji.bandi
VIP Guru

where is the DHCP Server - add below rule and test it

 

access-list XXXXXXXXXXXX extended permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps  (XXXXX  direction in or out)

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Create
Recognize Your Peers
Content for Community-Ad