10-14-2015 08:08 AM - edited 03-11-2019 11:45 PM
Hello,
I am testing a 5520 ASA running 7.2(2) in transparent mode. I have connected one PC to the inside (security 100) of the ASA, and connected the layer 3 device (non-Cisco), which is the default gateway of this PC, to the outside (security 0) of the ASA. A server is directly connected to the layer 3 device. All of the above are in the same VLAN.
PC ---> (inside) ASA (outside) ---> L3 Gateway ---> Server
I have created two ACLs for the inside and outside interfaces permitting icmp and all IP for test sake.
The problem is that I cannot ping the server or the L3 gateway from the PC. If I remove the ASA and connect the PC directly, everything works fine. Once I reconnect the ASA there are several ping replies, then I receive "destination unreachable", although everything is in a single VLAN.
Is the ASA interfering with broadcast traffic between the PC and its Gateway, although Transparent mode should allow this? I have tried to add icmp inspect and also removed all inspection policies but still no result.
All help is appreciated.
10-14-2015 09:04 AM
Hi Mo,
In transparent mode of the firewall, you need to create 2 VLANs (1 for inside and 1 for outside). Then create a bridge group of the VLANs (in/out).
Example: Configuration on Inside/outside interfaces:
interface GigabitEthernet0/0
vlan 10
nameif inside
bridge-group 1
security-level 100
interface GigabitEthernet0/1
vlan 20
nameif outside
bridge-group 1
security-level 0
Now please configure a "BVI" interface in the firewall with one IP from the same IP subnet for which you want to pass traffic through the firewall:
interface BVI1
ip address 192.168.10.9 255.255.255.0 standby 192.168.10.10 (any free IP can be assigned from subnet)
Your layer 3 device should have the same "interface Vlan" number as the firewall outside interface VLAN number (vlan 20 in this example).
Now, please allow the interested traffic on the outside interface via access-list. This will allow traffic through the transparent firewall.
Hope this helps !!
Regards
Rajneesh
10-14-2015 09:12 AM
Thanks Rajneesh for the explanation.
Is the bridge-group required for an ASA running 7.2(2) code? I thought this was introduced in 8.4 and later.
Regards,
Moe
10-14-2015 09:40 AM
Hi Moe,
Sorry. You are right. The bridge group feature is supported on higher versions. Please go through the link below, this may help.
Regards
Rajneesh
10-14-2015 07:17 PM
I haven't found a solution yet. I thought it should be pretty straightforward. Is any static route required, or is there perhaps some bug in the 7.2(2) code?
10-14-2015 09:08 PM
Can you show the ACL you have on both interfaces? Have you tried to connect to the server with any other protocol besides ICMP? Did you check your log to see why the traffic is not allowed?
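For reference, here is a constructed example of what a 7.2-era transparent-mode configuration and the checks asked for in the last reply would look like. It is added here and is not the original poster's configuration, Rajneesh's example or Cisco documentation; the interface names, the 192.168.10.0/24 subnet, the ACL names and the choice of permitted ICMP types are assumptions. Unlike the 8.4+ bridge-group layout above, 7.x transparent mode uses a single global management address on the bridged subnet and no BVI. The outside ACL permits only the ICMP reply types the inside hosts need, with an explicit logged deny, so the log shows exactly which packet is being dropped rather than relying on "permit ip any any" for the test.

```cisco
! Added example (constructed): minimal ASA 7.2(2)-style transparent-mode config.
! Interface names, addresses and ACL names are assumptions, not from the thread.
firewall transparent
!
interface GigabitEthernet0/0
 nameif inside
 security-level 100
 no shutdown
!
interface GigabitEthernet0/1
 nameif outside
 security-level 0
 no shutdown
!
! 7.x transparent mode: one global management IP on the bridged subnet (no BVI).
ip address 192.168.10.9 255.255.255.0
!
! Inside: the PC may initiate traffic toward the gateway and server.
access-list INSIDE_IN extended permit ip 192.168.10.0 255.255.255.0 any
!
! Outside: allow only the ICMP types a client needs to see, then log every other drop.
access-list OUTSIDE_IN extended permit icmp any 192.168.10.0 255.255.255.0 echo-reply
access-list OUTSIDE_IN extended permit icmp any 192.168.10.0 255.255.255.0 unreachable
access-list OUTSIDE_IN extended permit icmp any 192.168.10.0 255.255.255.0 time-exceeded
access-list OUTSIDE_IN extended deny ip any any log
!
access-group INSIDE_IN in interface inside
access-group OUTSIDE_IN in interface outside
!
! Alternative to permitting echo-reply explicitly: stateful ICMP inspection,
! which opens the return path for replies to echoes sent from inside.
policy-map global_policy
 class inspection_default
  inspect icmp
!
! Buffered syslog so denied packets and connection build/teardown can be read back.
logging enable
logging buffered informational
!
! Verification (exec mode), answering the questions in the last reply:
!   show access-list OUTSIDE_IN          - hit counts per ACE; a rising deny line is the clue
!   show logging | include 106023        - "Deny ... by access-group" messages name the blocked flow
!   show mac-address-table               - confirms the ASA learned the PC, gateway and server MACs
!   show arp                             - confirms the management IP can resolve the gateway
```

Two things to check with this layout: the `deny ip any any log` ACE must be last, and `inspect icmp` and the explicit echo-reply permit are alternatives, so if ICMP inspection is removed while troubleshooting (as the original poster did), the outside ACL has to carry the echo-reply permit itself or every reply is dropped and logged as 106023.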