Transparent ASA between Client and its default Gateway

mo shea
Level 1

Hello,

I am testing a 5520 ASA running 7.2(2) in Transparent mode. I have connected one PC to the inside (security 100) of the ASA, and connected the layer 3 device (non Cisco), which is the default Gateway of this PC, to the outside (security 0) of the ASA. A server is directly connected to the Layer 3 device. All the above are in the same vlan.

PC ---> (inside) ASA (outside) ---> L3 Gateway  ---> Server

I have created two ACLs for the inside and outside interfaces permitting icmp and all IP for test sake.

The problem is that I cannot ping the Server or the L3 gateway from the PC. If I remove the ASA and connect PC directly then everything works fine. Once I reconnect the ASA there will be several Ping replies then I receive destination unreachable, although everything is in a single VLAN. 

Is the ASA interfering with broadcast traffic between the PC and its Gateway, although Transparent mode should allow this?  I have tried to add icmp inspect and also removed all inspection policies but still no result.  

All help is appreciated.

5 Replies

Rajneesh Dhiman
Level 1

Hi Mo,

In transparent mode of the firewall, you need to create 2 VLANs (1 for inside and 1 for outside). Then create a bridge group of the VLANs (in/out).

Example: Configuration on inside/outside interfaces:

interface GigabitEthernet0/0
    vlan 10
    nameif inside
    bridge-group 1
    security-level 100

interface GigabitEthernet0/1
    vlan 20
    nameif outside
    bridge-group 1
    security-level 0

Now please configure a "BVI" interface on the firewall with one IP from the same IP subnet for which you want to pass traffic through the firewall:

interface BVI1
    ip address 192.168.10.9 255.255.255.0 standby 192.168.10.10

(Any free IP can be assigned from the subnet.)

Your layer 3 device should have the same "interface Vlan" number as the firewall outside interface VLAN number (vlan 20 in this example).

Now, please allow the interested traffic on the outside interface via access-list. This will allow traffic through the transparent firewall.

Hope this helps!!

Regards

Rajneesh

Thanks Rajneesh for the explanation.

Is the bridge-group required for an ASA running 7.2(2) code? I thought this was introduced for 8.4 and later.

Regards,

Moe

Hi Moe,

Sorry. You are right. The bridge group feature is supported on higher versions. Please go through the link below; this may help.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa72/configuration/guide/conf_gd/fwmode.html#wp1201980

Regards

Rajneesh

I haven't found a solution yet. I thought it should be pretty straightforward. Is any static route required, or is there perhaps some bug in the 7.2(2) code?

Can you show the ACL you have on both interfaces? Have you tried to connect to the server with any other protocol besides ICMP? Did you check your log to see why the traffic is not allowed?
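As an added example (not part of this thread), a small Python parser for the ASA access-group deny messages (%ASA-4-106023) the last reply asks about. It runs over constructed sample syslog lines modelled on the poster's setup (PC on inside, gateway on outside, same subnet) and shows which access-group drops the pings and whether the drops are the ICMP echo replies on the return path, the pattern seen when the outside ACL has no icmp permit and ICMP inspection is off.

```python
import re
from collections import Counter

# Constructed sample ASA syslog lines (not from the thread): three
# access-group deny messages and one unrelated connection-built message
# that the parser must ignore.
SAMPLE_LOG = """\
%ASA-4-106023: Deny icmp src inside:192.168.10.5 dst outside:192.168.10.1 (type 8, code 0) by access-group "inside_access_in" [0x0, 0x0]
%ASA-6-302020: Built outbound ICMP connection for faddr 192.168.10.1/0 gaddr 192.168.10.5/1 laddr 192.168.10.5/1
%ASA-4-106023: Deny icmp src outside:192.168.10.1 dst inside:192.168.10.5 (type 0, code 0) by access-group "outside_access_in" [0x0, 0x0]
%ASA-4-106023: Deny icmp src outside:192.168.10.1 dst inside:192.168.10.5 (type 0, code 0) by access-group "outside_access_in" [0x0, 0x0]
"""

# 106023 carries protocol, ingress interface:address, egress interface:address,
# an optional "(type N, code M)" for ICMP and the access-group that matched.
DENY_RE = re.compile(
    r'%ASA-\d-106023: Deny (?P<proto>\w+) '
    r'src (?P<src_if>[\w-]+):(?P<src>[\d.]+)(?:/\d+)? '
    r'dst (?P<dst_if>[\w-]+):(?P<dst>[\d.]+)(?:/\d+)?'
    r'(?: \(type (?P<type>\d+), code (?P<code>\d+)\))?'
    r' by access-group "(?P<acl>[^"]+)"'
)


def parse_denies(log_text):
    """Return one dict per 106023 deny line; other message IDs are skipped."""
    denies = []
    for line in log_text.splitlines():
        m = DENY_RE.search(line)
        if m:
            denies.append(m.groupdict())
    return denies


def summarize(denies):
    """Count denies per (access-group, protocol) so the dropping rule stands out."""
    return Counter((d["acl"], d["proto"]) for d in denies)


def echo_reply_denies(denies):
    """ICMP echo replies (type 0) dropped on the way back to the client."""
    return [d for d in denies if d["proto"] == "icmp" and d["type"] == "0"]


if __name__ == "__main__":
    found = parse_denies(SAMPLE_LOG)
    for (acl, proto), n in summarize(found).items():
        print(f"{n} {proto} denies by access-group {acl}")
    for d in echo_reply_denies(found):
        print(f"echo reply {d['src']} -> {d['dst']} dropped on {d['src_if']} by {d['acl']}")
```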
