03-10-2010 05:10 AM - edited 03-11-2019 10:19 AM
I am trying to add a Cisco ASA 5550 running in Transparent mode between the outside router and the Blue Coat. The Blue Coat is also running in pass thru mode. Whenever I add the ASA, traffic stops flowing. I have the inside interface set going to the WAN interface on the Blue Coat and the outside interface set going to the router. I captured some log information from the ASA while connected for a few minutes. We are using NAT on the router, so the 10.0.0.3 address you see is to the Blue Coat, if that helps. Any help is appreciated.
03-10-2010 09:38 AM
Hi,
If you have the ASA configured in transparent mode, you need to configure ACLs to specify the traffic that you wish to permit through the ASA.
Do you have those ACLs in place and properly configured?
Federico.
03-10-2010 07:45 PM
Looking at the logs, it appears that the Blue Coat is going out to the internet via a diff. path besides the ASA and the response traffic from the internet is coming to the outside interface of the router and the ASA is dropping these packets.
Is this the topology?
B.Coat(10.0.0.3)-----(inside)TFW(ASA)(outside)---Router ---Internet
http://www.cisco.com/en/US/docs/security/asa/asa82/system/message/logmsgs.html#wp4768860
-KS
03-11-2010 02:36 AM
The topology is from bottom (inside network) to Internet (outside):
Cisco 3750 switch Fa 1/0/24 (out) --> (in) Blue Coat LAN ---> (out) Blue Coat WAN --> (in) ASA 5550 Gig 0/0 (nameif inside) --> (out) ASA 5550 Gig 1/0 (nameif outside) --> (in) Cisco 3845 Fa 0/0 --> (out) Cisco 3845 Fa 0/1 --> RF Modem --> ISP
03-11-2010 02:32 AM
I do not currently have any additional ACLs in place other than the defaults when you create the inside/outside interfaces. I wouldn't know where to start as security is new to me. I am primarily a L2 implementor.
03-11-2010 06:40 AM
Best thing to do is captures on the ASA to make sure the requests and the response go through the ASA.
What code is the ASA running? If it is running 7.2.4 or above, you can use the match command in the capture lines.
cap capin int inside match ip any ho 10.0.0.3
cap capout int outside match ip any ho 10.0.0.3
This will collect bi-directional captures and you can do
sh cap capin
sh cap capout
If you do not run a code that supports the match keyword, then use this link to collect captures: https://supportforums.cisco.com/docs/DOC-1222;jsessionid=A11197443F5D79D04565C4331EFA5806.node0
and make sure the syn is seen on the inside and it leaves the outside interface towards the internet and the syn ack arrives on the outside interface destined to this 10.0.0.3 host.
-KS
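As an added example (not from the thread or from Cisco), a small Python checker for the two captures described above: it reads the text of `show cap capin` and `show cap capout`, pairs each SYN with its SYN-ACK per flow, and reports which handshake leg is missing on which interface, so an asymmetric return path (SYN-ACK on outside without the SYN having left via the ASA) stands out. It assumes the ASA prints captures in its tcpdump-like line format; the sample capture lines are constructed.

```python
import re

# One "show capture" line in the ASA's tcpdump-like format (assumption: real output
# may carry extra fields, e.g. an 802.1Q tag, before the addresses).
LINE_RE = re.compile(
    r"^\s*\d+:\s+\S+\s+(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+)\s+>\s+"
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):\s+(?P<flags>[SFRP.]+)\s+(?P<rest>.*)$"
)

def parse_line(line):
    """Return ((client, cport, server, sport), 'syn'|'synack') or None; a SYN-ACK
    runs server -> client, so it is swapped to share the SYN's flow key."""
    m = LINE_RE.match(line)
    if not m or "S" not in m["flags"]:
        return None
    if " ack " in m["rest"]:
        return (m["dst"], m["dport"], m["src"], m["sport"]), "synack"
    return (m["src"], m["sport"], m["dst"], m["dport"]), "syn"

def handshake_legs(capin, capout, host):
    """Map each flow involving `host` to the set of (interface, leg) pairs seen."""
    seen = {}
    for iface, text in (("inside", capin), ("outside", capout)):
        for line in text.splitlines():
            parsed = parse_line(line)
            if parsed and host in (parsed[0][0], parsed[0][2]):
                seen.setdefault(parsed[0], set()).add((iface, parsed[1]))
    return seen

def diagnose(legs):
    if len(legs) == 4:
        return "ok: request and reply both traverse the ASA"
    if ("outside", "synack") in legs and ("outside", "syn") not in legs:
        return "asymmetric: reply reaches outside but the SYN never left via the ASA"
    if ("outside", "synack") in legs and ("inside", "synack") not in legs:
        return "reply reaches outside but not inside: dropped by the ASA"
    return "incomplete: SYN seen but no reply from the server"

# Constructed sample output, not from the thread; 203.0.113.5 and 198.51.100.20
# are documentation addresses standing in for Internet servers.
CAPIN = """\
1: 10:31:22.357395 10.0.0.3.49182 > 203.0.113.5.443: S 1000:1000(0) win 65535 <mss 1460>
2: 10:31:22.361002 203.0.113.5.443 > 10.0.0.3.49182: S 5000:5000(0) ack 1001 win 5840 <mss 1460>
"""
CAPOUT = """\
1: 10:31:22.357410 10.0.0.3.49182 > 203.0.113.5.443: S 1000:1000(0) win 65535 <mss 1460>
2: 10:31:22.360990 203.0.113.5.443 > 10.0.0.3.49182: S 5000:5000(0) ack 1001 win 5840 <mss 1460>
3: 10:31:23.004211 198.51.100.20.80 > 10.0.0.3.49190: S 7000:7000(0) ack 2001 win 5840 <mss 1460>
"""

if __name__ == "__main__":
    for flow, legs in handshake_legs(CAPIN, CAPOUT, "10.0.0.3").items():
        print(f"{flow[0]}:{flow[1]} -> {flow[2]}:{flow[3]}  {diagnose(legs)}")
```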