Passing Traffic Through ASA 5515-X Issue

dcaseysjra (Level 1)

I have a test environment that contains two Cisco 3560-X switches in router mode.  The ASA 5515-X firewall is currently configured in transparent mode between the two switches as follows:

3560X(inside LAN)--->Gi0/24-->Gi0/0-----ASA5515X--------Gi0/1<----Gi0/24<----3560X(DMZ LAN "outside")

I want the firewall to be physically connected between the two switches but do not currently need to filter any traffic (filtering will be applied much later during development).

Both switches have several VLANs (e.g. 115, 600, 900) with Gi0/24 configured as a trunk port.  The IP address of VLAN 600 on the inside switch is 10.211.127.254, and the default gateway of that switch is set to this address.  The IP address of VLAN 600 on the DMZ switch is 10.211.127.9, which is also the default gateway for that switch.  Both switches have EIGRP running with the respective networks for each VLAN configured.  In transparent mode all directly connected interfaces must be in the same subnet, and the ASA5515X is set with an IP address of 10.211.127.8.

A static route is also configured for inside 10.211.10.0 255.255.255.0 10.211.127.254, with ACL entries that permit telnet and http to the ASA from this range.

I cannot get traffic (such as ping) to work from switch to switch through the ASA.  The first question I have is about bridge groups.  Interfaces on the ASA are currently set as follows:

Gi0/0: inside, security level 100, bridge group BVI1

Gi0/1: outside (this goes to the DMZ), security level 0, bridge group not assigned

I do not know if they have to be in the same bridge group.  I have tried to assign Gi0/1 to BVI1 but this drops my connection and I cannot access anything.

There is an option to "Enable traffic between two or more interfaces which are configured with the same security levels", but when I set the security level on Gi0/1 to 100 it has no effect, and it drops communication if I assign it to BVI1.

I can upload the running configurations for each device if that would be more helpful than my explanation.  I'm not sure if transparent mode is the best choice for my configuration.


4 Replies

What version of ASA are you running?

It would help to see the configuration of the ASA, and the switches for that matter.  The interfaces connected to inside and DMZ need to be in the same bridge-group.  So your configuration on the ASA should be something like this (taking into consideration that there is to be no filtering between the two zones):

firewall transparent
!
! Both physical interfaces carry a name, a security level and the same bridge-group
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 bridge-group 1
 no shutdown
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 bridge-group 1
 no shutdown
!
! Management address of the bridge group, in the shared subnet
interface BVI1
 ip address 10.211.127.8 255.255.255.0
!
! No filtering yet: permit everything in both directions
access-list ACL1 extended permit ip any any
access-group ACL1 in interface inside
access-group ACL1 in interface outside

--
Please remember to select a correct answer and rate helpful posts

Sorry for the slow response; I was at training for the rest of the week.

The ASA version is 8.6(1)2.

I also opened a case with Cisco TAC to assist with the configuration.  One of the issues I am having with the configuration in transparent mode is that the inbound/outbound interfaces do not support passing multiple VLAN traffic from a switch configured using a trunk port.  This results in the ASA requiring sub-interfaces to permit traffic from each VLAN on the switch.

I'm starting to think that re-configuring the ASA in routed mode may be a better approach?

I have attached the current configurations of one of the switches and the ASA.  The switch on the other side is similar to the one attached.

Accepted Solution:

In routed mode you could set up a layer 3 interface on the 3560 and route everything, but if you are to pass VLANs then the only way the ASA is able to do this is through subinterfaces which are placed in those VLANs.

I see you have not named the subinterfaces and assigned security levels to the subinterfaces under Gig0/1 interface.  All interfaces are required to have a name and security level for them to be active.


I decided to change from transparent mode to routed mode on the ASA.  There is a 4-interface limit on bridge groups required to run in transparent mode, and this did not accommodate the multiple VLANs because of the sub-interface requirement.  You are correct about the names and security levels.  I stopped configuration after running into the bridge-group limitation.  Thank you for your assistance.
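As an added example (not posted by anyone in this thread, and not Cisco tooling), a small Python lint over an ASA-style transparent-mode configuration that checks the three points the replies settled on: every interface, subinterfaces included, needs a nameif and security-level; the inside and outside sides must sit in a bridge-group, which holds at most four members; and interfaces at equal security levels only pass traffic once same-security-traffic permit inter-interface is set. The sample config is constructed and the four-member limit is passed in as a parameter.

```python
import re

# Constructed sample (not a real running-config): the layout suggested in the
# thread plus a VLAN 600 subinterface lacking nameif/security-level.
SAMPLE_CONFIG = """\
firewall transparent
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 bridge-group 1
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 bridge-group 1
interface GigabitEthernet0/1.600
 vlan 600
 bridge-group 1
"""

def parse_interfaces(config):
    """Map each 'interface X' stanza to a dict of its indented sub-commands."""
    ifaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            current = ifaces.setdefault(m.group(1), {})
        elif current is not None and line.startswith(" "):
            key, _, val = line.strip().partition(" ")
            current[key] = val
    return ifaces

def lint_transparent(config, max_members=4):
    """Return findings for the bridge-group rules the thread ran into."""
    findings, groups = [], {}
    ifaces = parse_interfaces(config)
    for name, attrs in ifaces.items():
        if "nameif" not in attrs or "security-level" not in attrs:
            findings.append(f"{name}: missing nameif or security-level, stays inactive")
        if "bridge-group" in attrs:
            groups.setdefault(attrs["bridge-group"], []).append(name)
        else:
            findings.append(f"{name}: not in any bridge-group, cannot pass traffic")
    for bg, members in groups.items():
        if len(members) > max_members:
            findings.append(f"bridge-group {bg}: {len(members)} members exceeds {max_members}")
    # Equal security levels only exchange traffic once this global command is set.
    levels = [a["security-level"] for a in ifaces.values() if "security-level" in a]
    if len(levels) != len(set(levels)) and "same-security-traffic permit inter-interface" not in config:
        findings.append("equal security levels without same-security-traffic permit inter-interface")
    return findings
```

Running lint_transparent(SAMPLE_CONFIG) reports only the unnamed VLAN 600 subinterface; feeding it a config with five members in one bridge-group, or two interfaces at level 100 without the global permit, adds the corresponding finding.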
