Cisco ASA: transparent mode / bridge group / DHCP traffic blocked

tom.fransen (Level 1)

Hi,

I am stuck trying to get the following setup to work on an ASA5506 running in transparent mode.

We use this setup to filter some traffic between our device and the corporate network.

We use the ASA5506 (running firmware 9.14) in the following setup:

- Port 1: outside zone (Corporate network)
- Port 2: inside zone
- Port 3: inside2 zone

Goal:

- We want to apply some simple filtering rules to the traffic that comes into and goes out of the outside zone.
- Devices connected to port 2 and 3 can communicate without any restriction (no rules).
- The DHCP server is located on the outside zone, so DHCP should be allowed.

Problem: The firewall, however, does not allow the DHCP traffic to pass from port 1 to port 2 and 3.

The logging shows:

Oct 22 2021 13:13:35: %ASA-7-710005: UDP request discarded from 0.0.0.0/68 to inside:255.255.255.255/67

Questions:

1. Why is the DHCP traffic blocked?
2. Can I have 3 ports that are part of the same BVI, or is there another way to get the required functionality?

Regards,

T

Here is part of the configuration:

firewall transparent
!
interface BVI1
 ip address 192.168.0.1 255.255.255.0
 ipv6 enable
!
interface GigabitEthernet1/1
 nameif outside
 bridge-group 1
 security-level 0
 no shutdown
!
interface GigabitEthernet1/2
 nameif inside
 bridge-group 1
 security-level 100
 no shutdown
!
interface GigabitEthernet1/3
 nameif inside2
 bridge-group 1
 security-level 100
 no shutdown
!
....
....
clear configure access-list
!
access-list outside_access_in extended permit ip any any log disable
access-list outside_access_in extended permit object-group SERVICES_ICMPV4 any any log disable
access-list outside_access_in extended permit object-group SERVICES_ICMPV6 any any log disable
!
!==============================================================================
! Access List Configuration: inside to outside
!==============================================================================
access-list inside_access_out extended permit ip any any log disable
access-list inside_access_out extended permit object-group SERVICES_ICMPV4 any any log disable
access-list inside_access_out extended permit object-group SERVICES_ICMPV6 any any log disable
!
access-group outside_access_in in interface outside
access-group inside_access_out out interface outside
same-security-traffic permit inter-interface
!
arp permit-nonconnected
Accepted Solution

balaji.bandi (Hall of Fame)

Where is the DHCP server? Add the rule below and test it:

access-list XXXXXXXXXXXX extended permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps  (XXXXX direction in or out)

 

BB

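The answer leaves the ACL name and direction as placeholders, and the question's config binds ACLs only on the outside interface. The check below, an added example that is not from either poster, reads an ASA-style config and reports, for every bridge-group member and both directions, whether the bound ACL contains the explicit DHCP client-to-server permit in the form the answer gives; it looks only for that explicit line (a generic "permit ip any any" is not counted) and does not model full ASA ACL evaluation. The sample config is constructed from the thread's interface and access-group lines with the answer's rule added to outside_access_in only, so the check has something to flag.

```python
import re

# Constructed sample (not the full config from the thread): the bridge-group
# members and access-groups from the question, plus the accepted answer's DHCP
# rule added to the inbound outside ACL only.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/1
 nameif outside
 bridge-group 1
interface GigabitEthernet1/2
 nameif inside
 bridge-group 1
interface GigabitEthernet1/3
 nameif inside2
 bridge-group 1
access-list outside_access_in extended permit ip any any log disable
access-list outside_access_in extended permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps
access-list inside_access_out extended permit ip any any log disable
access-group outside_access_in in interface outside
access-group inside_access_out out interface outside
"""

# Explicit DHCP client->server permit as in the answer (port names or numbers;
# 'any' accepted in place of the host keywords).
DHCP_PERMIT = re.compile(
    r"^access-list (\S+) extended permit udp "
    r"(?:any|host 0\.0\.0\.0) eq (?:bootpc|68) "
    r"(?:any|host 255\.255\.255\.255) eq (?:bootps|67)\b")
BINDING = re.compile(r"^access-group (\S+) (in|out) interface (\S+)$")

def dhcp_coverage(config):
    """Map (nameif, direction) of each bridge-group member to True (bound ACL has
    the explicit DHCP permit), False (ACL bound, line missing) or None (no ACL)."""
    members, acls_with_dhcp, bound, nameif = [], set(), {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            nameif = None                      # new interface stanza
        elif line.startswith("nameif "):
            nameif = line.split()[1]
        elif line.startswith("bridge-group ") and nameif:
            members.append(nameif)             # interface is a bridge member
        elif (m := DHCP_PERMIT.match(line)):
            acls_with_dhcp.add(m.group(1))     # ACL carrying the explicit rule
        elif (m := BINDING.match(line)):
            acl, direction, iface = m.groups()
            bound[(iface, direction)] = acl
    return {(i, d): (bound[(i, d)] in acls_with_dhcp if (i, d) in bound else None)
            for i in members for d in ("in", "out")}
```

On the sample, only ("outside", "in") reports True; ("outside", "out") reports False and the four inside/inside2 entries report None, which is where the answer's "direction in or out" choice has to be made.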
