10-22-2021 05:30 AM
Hi,
I am stuck trying to get the following setup to work on an ASA5506 running in transparent mode.
We use this setup to filter some traffic between our device and the corporate network.
We use the ASA5506 (running firmware 9.14) in the following setup:
- Port 1: outside zone (Corporate network)
- Port 2: inside zone
- Port 3: inside2 zone
Goal:
- We want to apply some simple filtering rules to the traffic that comes into and goes out of the outside zone.
- Devices connected to port 2 and 3 can communicate without any restriction (no rules)
- The DHCP server is located on the outside zone so DHCP should be allowed.
Problem: The firewall, however, does not allow the DHCP traffic to pass from port 1 to ports 2 and 3.
The logging shows:
Oct 22 2021 13:13:35: %ASA-7-710005: UDP request discarded from 0.0.0.0/68 to inside:255.255.255.255/67
Questions:
1. Why is the DHCP traffic blocked?
2. Can I have 3 ports that are part of the same BVI or is there another way to get the required functionality?
Regards,
T
Here is part of the configuration:
firewall transparent
interface BVI1
ip address 192.168.0.1 255.255.255.0
ipv6 enable
interface GigabitEthernet1/1
nameif outside
bridge-group 1
security-level 0
no shutdown
!
interface GigabitEthernet1/2
nameif inside
bridge-group 1
security-level 100
no shutdown
!
interface GigabitEthernet1/3
nameif inside2
bridge-group 1
security-level 100
no shutdown
....
....
clear configure access-list
!
access-list outside_access_in extended permit ip any any log disable
access-list outside_access_in extended permit object-group SERVICES_ICMPV4 any any log disable
access-list outside_access_in extended permit object-group SERVICES_ICMPV6 any any log disable
!
!==============================================================================
! Access List Configuration: inside to outside
!==============================================================================
access-list inside_access_out extended permit ip any any log disable
access-list inside_access_out extended permit object-group SERVICES_ICMPV4 any any log disable
access-list inside_access_out extended permit object-group SERVICES_ICMPV6 any any log disable
!
access-group outside_access_in in interface outside
access-group inside_access_out out interface outside
same-security-traffic permit inter-interface
arp permit-nonconnected
10-22-2021 09:27 AM
Where is the DHCP server? Add the rule below and test it:
access-list XXXXXXXXXXXX extended permit udp host 0.0.0.0 eq bootpc host 255.255.255.255 eq bootps (XXXXX direction in or out)
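As an added example (not code from the thread), here is a small Python checker that parses the %ASA-7-710005 "request discarded" syslog line quoted in the question and counts, per ingress interface, the DHCP client broadcasts (0.0.0.0:68 to 255.255.255.255:67) that the ASA dropped, which is the traffic the answer's ACE is meant to permit. The regex layout and the sample log lines are assumptions modelled on the single line in the question.

```python
# Added example (not from the thread): parse ASA 710005 "request discarded"
# syslog lines and flag the DHCP client broadcasts that need an explicit ACE.
import re
from typing import Optional

# Assumed layout, modelled on the single 710005 line quoted in the question.
DISCARD_RE = re.compile(
    r"%ASA-\d-710005: (?P<proto>\w+) request discarded from "
    r"(?P<src_ip>[\d.]+)/(?P<src_port>\d+) to "
    r"(?P<ifname>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+)"
)
BOOTPS, BOOTPC = 67, 68  # DHCP server and client UDP ports


def parse_discard(line: str) -> Optional[dict]:
    """Return the fields of a 710005 discard line, or None for any other line."""
    m = DISCARD_RE.search(line)
    if not m:
        return None
    d = m.groupdict()
    d["src_port"], d["dst_port"] = int(d["src_port"]), int(d["dst_port"])
    return d


def is_dhcp_client_broadcast(d: dict) -> bool:
    """DISCOVER/REQUEST from an unconfigured client: 0.0.0.0:68 -> 255.255.255.255:67."""
    return (d["proto"] == "UDP" and d["src_port"] == BOOTPC
            and d["dst_port"] == BOOTPS and d["dst_ip"] == "255.255.255.255")


def dhcp_discards_by_interface(lines) -> dict:
    """Count discarded DHCP client broadcasts per ingress interface name."""
    counts: dict = {}
    for line in lines:
        d = parse_discard(line)
        if d and is_dhcp_client_broadcast(d):
            counts[d["ifname"]] = counts.get(d["ifname"], 0) + 1
    return counts


# Constructed sample: line 1 is the one from the question, the others are made up
# (a to-the-box SNMP probe and an unrelated connection message).
SAMPLE_LOG = [
    "Oct 22 2021 13:13:35: %ASA-7-710005: UDP request discarded from 0.0.0.0/68 to inside:255.255.255.255/67",
    "Oct 22 2021 13:13:36: %ASA-7-710005: UDP request discarded from 0.0.0.0/68 to inside2:255.255.255.255/67",
    "Oct 22 2021 13:13:37: %ASA-7-710005: UDP request discarded from 192.168.0.50/50000 to inside:192.168.0.1/161",
    "Oct 22 2021 13:13:38: %ASA-6-302013: Built inbound TCP connection 12 for outside:10.0.0.5/4123",
]

if __name__ == "__main__":
    print(dhcp_discards_by_interface(SAMPLE_LOG))  # {'inside': 1, 'inside2': 1}
```

An interface that shows up in the result is one where client DHCP broadcasts are being dropped, so that is the interface and direction to bind the answer's ACE to (after confirming it is what the logs actually show).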