1379 Views · 3 Helpful · 17 Replies

Configuration Required for Transparent Firewall ASA8.2

Ali Haider
Level 1

Dear All,

I have one firewall that needs to be configured in transparent mode. I have an inside and an outside router. Can anyone just give me the configuration of a transparent firewall on ASA 8.2 please? I didn't find the configuration on the Cisco site.

Regards,

Ali.....

Accepted Solution

Hello Ali,

Check your email,

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC


17 Replies

Julio Carvajal
VIP Alumni

Hello Ali,

First of all you will need to set the firewall in transparent mode (be careful, as that will delete the actual configuration).

Then you will need to define a global IP address and 2 interfaces (the maximum in single mode; the interfaces themselves do not have an IP address).

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
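A quick way to check a pasted `show run` against those prerequisites (transparent mode set, one global management IP, no per-interface IP addresses, at most two named interfaces in single mode). This is an added example for this thread, not a Cisco tool; the two configs and the 192.0.2.0/24 addresses inside it are constructed.

```python
"""Check an ASA 8.0/8.2 running-config for the transparent-mode prerequisites
described in the reply above. Added example, not Cisco tooling: it only reads
a pasted `show run` and reports what is missing; it changes nothing."""
import re

# Constructed sample in the shape of the configs posted in this thread.
GOOD_CONFIG = """\
ASA Version 8.2(1)
!
firewall transparent
hostname ciscoasa
!
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
!
interface Ethernet0/2
 nameif inside
 security-level 100
!
access-list ACL extended permit ip any any
ip address 192.0.2.10 255.255.255.0
access-group ACL in interface outside
access-group ACL in interface inside
"""

# Constructed counter-example: routed-style interface IP, three named
# interfaces, the inside interface shut down, and no global IP address.
BAD_CONFIG = """\
firewall transparent
!
interface Ethernet0/0
 nameif outside
 security-level 0
 ip address 192.0.2.1 255.255.255.0
!
interface Ethernet0/1
 nameif dmz
 security-level 50
!
interface Ethernet0/2
 shutdown
 nameif inside
 security-level 100
!
"""

GLOBAL_IP_RE = re.compile(r"^ip address (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)$")


def parse_config(config):
    """Split a `show run` dump into top-level lines and interface stanzas.

    Assumes the ASA layout in which every interface stanza is closed by a '!'
    line; indentation is ignored so pasted configs that lost it still parse.
    """
    top_level, interfaces, current = [], {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {"nameif": None, "shutdown": False, "ip": None}
        elif line == "!":
            current = None
        elif current is not None:
            if line.startswith("nameif "):
                interfaces[current]["nameif"] = line.split()[1]
            elif line == "shutdown":
                interfaces[current]["shutdown"] = True
            elif line.startswith("ip address "):
                interfaces[current]["ip"] = line
        else:
            top_level.append(line)
    return top_level, interfaces


def check_transparent(config, max_named=2):
    """Return a list of findings; an empty list means the prerequisites are met."""
    top_level, interfaces = parse_config(config)
    findings = []
    if "firewall transparent" not in top_level:
        findings.append("'firewall transparent' is not set (unit is in routed mode)")
    if not any(GLOBAL_IP_RE.match(l) for l in top_level):
        findings.append("no global management 'ip address' configured")
    named = {n: v for n, v in interfaces.items() if v["nameif"]}
    if len(named) < 2:
        findings.append("fewer than two named interfaces; nothing can be bridged")
    elif len(named) > max_named:
        findings.append(f"{len(named)} named interfaces; single-context transparent "
                        f"mode allows at most {max_named}")
    for ifname, v in sorted(named.items()):
        if v["shutdown"]:
            findings.append(f"{ifname} ({v['nameif']}) is shut down")
        if v["ip"]:
            findings.append(f"{ifname} ({v['nameif']}) carries a routed-mode IP address; "
                            "transparent interfaces must not have one")
    return findings


if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        problems = check_transparent(cfg)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

Both configs the original poster pasted later in this thread pass these checks, which is consistent with the reply that the configuration itself is fine on 8.0(2) and 8.2; the checker is there to rule the basics out before moving on to captures.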

Dear jcarvaja,

Thank you very much for your support, but I already did this on version 7.x and it works fine. When I try to configure 8.0(2) or 8.2, the same configuration does not work.

Is there any change in the transparent firewall configuration on versions 8.2 and 8.0(2)?

Regards,

Ali....

Hello Ali,

No, not on 8.2

The changes are in the newer version 8.4, with the use of bridge groups.

The configuration is the same on your version.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I did the following configuration on my ASA. I can ping the management IP from the outside and inside routers, but traffic is not transiting through the ASA. Any idea?

ciscoasa# sh run
: Saved
:
ASA Version 8.0(2)
!
firewall transparent
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 no nameif
 no security-level
!
interface Ethernet0/2
 nameif inside
 security-level 100
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
!
access-list ACL extended permit ip any any
access-list ACL extended permit icmp any any
!
ip address 1.1.1.10 255.255.255.0
!
access-group ACL in interface outside
access-group ACL in interface inside

If I put the same configuration above on 7.x it works as expected, but not on 8.0(2).

From where to where are you trying to ping?

A host on the inside to an internet host like 4.2.2.2

May I see the entire running config? I do not see any routes there.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

I have an L3 switch with an SVI for VLAN 7 on the inside, connected to the transparent ASA, and a router on the outside connected to the ASA's outside interface.

SVI VLAN 7 IP = 7.7.7.2

Router IP = 7.7.7.3

ASA Management IP = 7.7.7.10

I can ping from inside (L3 SW) and outside (router) to the ASA at 7.7.7.10 because it is directly connected.

I have a route on the L3 SW, 0.0.0.0 0.0.0.0 7.7.7.3; in fact it would not be required, as the L3 SW and router share the same subnet.

Also NAT-control is disabled.

I am not able to ping the router (outside) from the L3 SW.

SW# ping 7.7.7.3 is not successful.

This is the whole case.

To make it easier to understand: the outside router is directly connected to the switch in VLAN 77, and the ASA outside port is also connected to the same switch in VLAN 77.

The inside L3 SW port is in VLAN 7, connected to the ASA INSIDE, and SVI 7 on the switch has the IP.

Hello Ali,

Exactly, take that route off the SW; you do not need it.

Add the following to the ASA:

fixup protocol icmp

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

OK, I will try this and get back to you, as I don't have access right now.

Also, when I try to ping from the SW to the router I saw that the ARP table is incomplete for the IP. I don't know why; maybe the ASA is blocking the ARP, which it is not supposed to?

Only the transit traffic is not passing; I can even ping the management IP from both inside to the ASA and outside to the ASA.

Hello Ali,

If that command does not work then we will add some captures:

cap capin interface inside match icmp host SW_IPaddress host Router_IPaddress
cap capout interface outside match icmp host SW_IPaddress host Router_IPaddress
cap asp type asp-drop all circular-buffer

Then try to ping from the SW to the router and provide:

show cap capin
show cap capout
show cap asp | include Router_ip_address

Regards

Remember to rate all of the helpful posts; that is as important as a thanks.

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

OK, I will do this as well; thank you very much for now.

I hope it will solve, or at least find, the issue. I will get back to you by the next day. Again, thank you very much jcarvaja.

Dear jcarvaja

Reference is made to our previous communication regarding the transparent firewall. Following is my full config with the captures you asked for. I can still ping the management IP of the ASA from inside and outside, but traffic is not transiting.

Inside Capture
------------------------------
sh capture INSIDE
24 packets captured
   1: 00:11:45.244326 802.3 encap packet
   2: 00:11:47.289245 802.3 encap packet
   3: 00:11:49.233325 802.3 encap packet
   4: 00:11:51.264039 802.3 encap packet
   5: 00:11:53.258607 802.3 encap packet
   6: 00:11:55.293060 802.3 encap packet
   7: 00:11:57.339719 802.3 encap packet
   8: 00:11:59.331113 802.3 encap packet
   9: 00:12:01.343549 802.3 encap packet
  10: 00:12:03.335218 802.3 encap packet
  11: 00:12:05.349347 802.3 encap packet
  12: 00:12:07.393152 802.3 encap packet
  13: 00:12:09.117242 arp who-has 7.7.7.3 tell 7.7.7.2
  14: 00:12:09.341931 802.3 encap packet
  15: 00:12:11.103693 arp who-has 7.7.7.3 tell 7.7.7.2
  16: 00:12:11.409341 802.3 encap packet
  17: 00:12:13.102198 arp who-has 7.7.7.3 tell 7.7.7.2
  18: 00:12:13.412393 802.3 encap packet
  19: 00:12:15.088832 arp who-has 7.7.7.3 tell 7.7.7.2
  20: 00:12:15.393244 802.3 encap packet
  21: 00:12:16.206959 802.3 encap packet
  22: 00:12:17.106043 arp who-has 7.7.7.3 tell 7.7.7.2
  23: 00:12:17.448661 802.3 encap packet
  24: 00:12:19.410760 802.3 encap packet

Outside Capture
------------------------------
   1: 00:11:56.916105 802.3 encap packet
   2: 00:11:58.879074 802.3 encap packet
   3: 00:12:00.938367 802.3 encap packet
   4: 00:12:02.893935 802.3 encap packet
   5: 00:12:04.935437 802.3 encap packet
   6: 00:12:06.927488 802.3 encap packet
   7: 00:12:08.875702 802.3 encap packet
   8: 00:12:09.117242 arp who-has 7.7.7.3 tell 7.7.7.2
   9: 00:12:10.931104 802.3 encap packet
  10: 00:12:11.113244 arp who-has 7.7.7.3 tell 7.7.7.2
  11: 00:12:12.944088 802.3 encap packet
  12: 00:12:13.102198 arp who-has 7.7.7.3 tell 7.7.7.2
  13: 00:12:14.933331 802.3 encap packet
  14: 00:12:15.088832 arp who-has 7.7.7.3 tell 7.7.7.2
  15: 00:12:15.642453 802.3 encap packet
  16: 00:12:16.948101 802.3 encap packet
  17: 00:12:17.106043 arp who-has 7.7.7.3 tell 7.7.7.2
  18: 00:12:18.968348 802.3 encap packet
  19: 00:12:20.969066 802.3 encap packet
  20: 00:12:22.976695 802.3 encap packet
  21: 00:12:25.012572 802.3 encap packet

ASA
-------------------------
: Saved
:
ASA Version 8.0(2)
!
firewall transparent
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 shutdown
 no nameif
 no security-level
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
!
interface Ethernet0/3
 nameif inside
 security-level 100
!
interface Ethernet0/4
 shutdown
 no nameif
 no security-level
!
interface Ethernet0/5
 shutdown
 no nameif
 no security-level
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
access-list OUT extended permit icmp any any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address 7.7.7.10 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group OUT in interface outside
access-group OUT in interface inside
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 0:05:00 absolute
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
no crypto isakmp nat-traversal
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map global_policy
 class inspection_default
  inspect icmp
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:00000000000000000000000000000000
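The captures posted above show the same `arp who-has 7.7.7.3 tell 7.7.7.2` request on both the inside and the outside capture, at nearly the same timestamps, and no `arp reply` on either side. A small parser that makes that comparison explicit, as an added example for this thread (not Cisco tooling): it reads `show capture` output, counts frame kinds, lists ARP targets that were asked for but never answered, and pairs each inside ARP request with its copy on the outside capture. The capture excerpts and the "healthy" reply exchange embedded in it are constructed.

```python
"""Summarise ASA `show capture` output to tell one-way ARP from a dropped request.

Added example for this thread, not Cisco tooling. It parses the decode lines
the ASA prints (`N: HH:MM:SS.ffffff <decode>`), counts frame kinds, lists ARP
targets that were requested but never answered, and pairs ARP requests seen on
the inside capture with the same request on the outside capture, which shows
whether the transparent ASA bridged the request through.
"""
import re
from collections import Counter

LINE_RE = re.compile(r"^\s*(\d+):\s+(\d{2}:\d{2}:\d{2}\.\d+)\s+(.*)$")
ARP_REQUEST_RE = re.compile(r"arp who-has (\S+) tell (\S+)")
ARP_REPLY_RE = re.compile(r"arp reply (\S+) is-at (\S+)")

# Constructed excerpts in the same shape as the captures posted in this thread.
INSIDE_CAPTURE = """
  12: 00:12:07.393152 802.3 encap packet
  13: 00:12:09.117242 arp who-has 7.7.7.3 tell 7.7.7.2
  14: 00:12:09.341931 802.3 encap packet
  15: 00:12:11.103693 arp who-has 7.7.7.3 tell 7.7.7.2
"""
OUTSIDE_CAPTURE = """
   7: 00:12:08.875702 802.3 encap packet
   8: 00:12:09.117242 arp who-has 7.7.7.3 tell 7.7.7.2
   9: 00:12:10.931104 802.3 encap packet
  10: 00:12:11.113244 arp who-has 7.7.7.3 tell 7.7.7.2
"""
# Constructed healthy exchange for contrast: the request gets an answer.
HEALTHY_CAPTURE = """
   1: 00:00:01.000000 arp who-has 7.7.7.3 tell 7.7.7.2
   2: 00:00:01.000400 arp reply 7.7.7.3 is-at 00:11:22:33:44:55
   3: 00:00:01.001000 7.7.7.2 > 7.7.7.3: icmp: echo request
"""


def _seconds(ts):
    """Convert HH:MM:SS.ffffff to seconds since midnight as a float."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_capture(text):
    """Return one dict per packet line: seq, ts (float seconds), kind, target, sender."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:  # e.g. '24 packets captured' or blank lines
            continue
        seq, ts, decode = int(m.group(1)), m.group(2), m.group(3)
        pkt = {"seq": seq, "ts": _seconds(ts), "kind": "other", "target": None, "sender": None}
        req = ARP_REQUEST_RE.search(decode)
        rep = ARP_REPLY_RE.search(decode)
        if req:
            pkt.update(kind="arp-request", target=req.group(1), sender=req.group(2))
        elif rep:
            pkt.update(kind="arp-reply", sender=rep.group(1))
        elif decode.startswith("802.3 encap"):
            pkt["kind"] = "802.3"  # non-IP frames the ASA does not decode further
        packets.append(pkt)
    return packets


def summarise(text):
    """Count frame kinds and list ARP targets that were requested but never replied to."""
    packets = parse_capture(text)
    asked = {p["target"] for p in packets if p["kind"] == "arp-request"}
    answered = {p["sender"] for p in packets if p["kind"] == "arp-reply"}
    return {"counts": dict(Counter(p["kind"] for p in packets)),
            "unanswered": asked - answered}


def bridged_requests(inside_text, outside_text, tolerance=0.05):
    """Pair ARP requests on the inside capture with the same request on the outside.

    A match is the same target and sender within `tolerance` seconds; the two
    capture points stamp the frame independently, so exact equality is too strict.
    Returns (target, inside_seq, outside_seq) tuples.
    """
    inside = [p for p in parse_capture(inside_text) if p["kind"] == "arp-request"]
    outside = [p for p in parse_capture(outside_text) if p["kind"] == "arp-request"]
    pairs = []
    for i in inside:
        for o in outside:
            if (o["target"], o["sender"]) == (i["target"], i["sender"]) \
                    and abs(o["ts"] - i["ts"]) <= tolerance:
                pairs.append((i["target"], i["seq"], o["seq"]))
                break
    return pairs


if __name__ == "__main__":
    for name, cap in (("inside", INSIDE_CAPTURE), ("outside", OUTSIDE_CAPTURE)):
        print(name, summarise(cap))
    pairs = bridged_requests(INSIDE_CAPTURE, OUTSIDE_CAPTURE)
    print("ARP requests seen on both sides:", pairs)
    if pairs and summarise(OUTSIDE_CAPTURE)["unanswered"]:
        print("Requests are bridged but nothing answers on the outside: "
              "check the device that owns the target IP before blaming the ASA.")
```

On the thread's own captures the outcome is the same as on the constructed excerpt: every inside ARP request has a twin on the outside capture within a few milliseconds and there is no reply anywhere, so the ASA is forwarding the request and the next thing to look at is whether the device holding 7.7.7.3 sees and answers it (and what `show cap asp` reports for that address).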
