04-25-2013 01:50 PM - edited 03-11-2019 06:35 PM
Hi everyone,
I was reading about transparent FW and it says:
Unlike a transparent switch, however, the device will not flood frames out interfaces for an unknown MAC address destination. Instead the ASA will respond with an ARP request for a directly connected device. If the destination is remote, the ASA will attempt to ping the remote device.
Question
How will the ASA ping the remote device? Will it ping based on the static route config on the ASA?
Say we have a transparent FW between 2 switches, and on one side, say switch1, a server is connected to it.
How will the ASA ping this server?
Now, can we say this server is a remote device if it is on a different subnet than the ASA interface?
It seems the ASA will have the MAC addresses of directly connected interfaces.
Thanks
Mahesh
04-25-2013 09:22 PM
Hello Mahesh,
How will the ASA ping the remote device? Will it ping based on the static route config on the ASA?
Exactly, that is why you need a route on your ASA. The ASA needs to know where its default gateway is.
Say we have a transparent FW between 2 switches, and on one side, say switch1, a server is connected to it.
How will the ASA ping this server?
Based on its ARP table.
Regards,
04-25-2013 09:23 PM
If the server is on a different broadcast domain, then the firewall knows the traffic must go to the default gateway.
Regards
04-26-2013 07:42 AM
Hi Julio,
Thanks again for answering the post.
Regards
Mahesh
04-26-2013 07:48 AM
Hi,
I actually configured one of my ASA5505s as Transparent last night and tested it a bit.
I had NO default route on the ASA5505 and the connections from the host behind the Transparent firewall worked just fine. Though I didn't use any management connection to the ASA other than a console cable.
I guess for remote management connections and certain traffic originated by the ASA itself, the default route is needed BUT not for the actual host traffic through the ASA. The host already has a default gateway configured and it will ARP for its MAC address through the Transparent ASA and already knows where to forward the traffic to reach the remote host. The ASA just has to determine where to forward the traffic.
I enabled several debugs on the ASA and it would indeed seem that when the ASA still has absolutely no knowledge of the MAC address behind its "inside" or "outside" it will at the start use Traceroute.
I will post the debugs shortly.
EDIT: Debugs
L2-FIREWALL(config)# sh debug
debug l2-indication enabled at level 255
debug mac-address-table enabled at level 255
debug arp-inspection enabled at level 255
debug icmp trace enabled at level 255
debug arp enabled at level 1
I first issued a "clear mac-address-table" and after that I initiated ICMP Echo to a remote network.
My IP addresses were
f1_tf_process_l2_learn:learn indication , cur_ifc inside, new_ifc inside
mac_address: 1cc1.debe.80c5
add_l2fwd_entry: Going to add MAC 1cc1.debe.80c5.
add_l2fwd_entry: Added MAC 1cc1.debe.80c5 into bridge table thru inside.
add_l2fwd_entry: Sending LU to add MAC 1cc1.debe.80c5.
f1_tf_process_l2_miss:MISS indication ip address 165a8c0, Vlan: 1,mac_address aca0.1679.6d1b
MISS IND: Skipping learning for same interface
f1_tf_process_l2_miss:IP address belongs to differentsubnet. Sending ICMP traceroute
icmp_mktracert: Block allocated
ICMP echo request from 192.168.103.2 to 192.168.101.1 ID=4388 seq=0 len=32
f1_tf_process_l2_learn:learn indication , cur_ifc outside, new_ifc outside
mac_address: aca0.1679.6d1b
add_l2fwd_entry: Going to add MAC aca0.1679.6d1b.
add_l2fwd_entry: Added MAC aca0.1679.6d1b into bridge table thru outside.
add_l2fwd_entry: Sending LU to add MAC aca0.1679.6d1b.
ICMP echo reply from 192.168.101.1 to 192.168.103.2 ID=4388 seq=0 len=32
ICMP echo request from inside:192.168.103.3 to outside:192.168.101.1 ID=1 seq=244 len=32
ICMP echo reply from outside:192.168.101.1 to inside:192.168.103.3 ID=1 seq=244 len=32
ICMP echo request from inside:192.168.103.3 to outside:192.168.101.1 ID=1 seq=245 len=32
ICMP echo reply from outside:192.168.101.1 to inside:192.168.103.3 ID=1 seq=245 len=32
ICMP echo request from inside:192.168.103.3 to outside:192.168.101.1 ID=1 seq=246 len=32
ICMP echo reply from outside:192.168.101.1 to inside:192.168.103.3 ID=1 seq=246 len=32
- Jouni
04-26-2013 08:38 AM
Hi,
Here is also an output from when the Transparent ASA has an empty MAC address table and the LAN host initiates an ICMP Echo to the gateway IP address:
f1_tf_process_l2_miss:MISS indication ip address 167a8c0, Vlan: 1,mac_address aca0.1679.6d1b
MISS IND: IP address belongs to samesubnet. Sending ARP request
arp-send: arp request built from 192.168.103.2 30e4.dbd8.f544 for 192.168.103.1 at 2200460
MISS IND: IP address belongs to samesubnet. Sending ARP request
arp-send: arp request built from 192.168.103.2 30e4.dbd8.f545 for 192.168.103.1 at 2200460
f1_tf_process_l2_learn:learn indication , cur_ifc outside, new_ifc outside
mac_address: aca0.1679.6d1b
add_l2fwd_entry: Going to add MAC aca0.1679.6d1b.
add_l2fwd_entry: Added MAC aca0.1679.6d1b into bridge table thru outside.
add_l2fwd_entry: Sending LU to add MAC aca0.1679.6d1b.
arp-in: response at outside from 192.168.103.1 aca0.1679.6d1b for 192.168.103.2 30e4.dbd8.f545
arp-set: added arp outside 192.168.103.1 aca0.1679.6d1b and updating NPs at 2200460
set_l2: Found MAC entry aca0.1679.6d1b on outside.
arp-in: resp from 192.168.103.1 for 192.168.103.2 on outside at 2200460
arp_in_forward: Forwarding arp request from 192.168.103.3 to 192.168.103.1 smac 1cc1.debe.80c5
set_l2: Found MAC entry 1cc1.debe.80c5 on inside.
learn_and_forward_arp_request: Forwarding arp request to outside
arp-set: added arp outside 192.168.103.1 aca0.1679.6d1b and updating NPs at 2205200
arp_in_forward: Forwarding arp resp from 192.168.103.1 to 192.168.103.3 smac aca0.1679.6d1b dmac 1cc1.debe.80c5
set_l2: Found MAC entry aca0.1679.6d1b on outside.
learn_and_forward_arp_response: Forwarding arp response to inside.
ICMP echo request from inside:192.168.103.3 to outside:192.168.103.1 ID=1 seq=250 len=32
ICMP echo reply from outside:192.168.103.1 to inside:192.168.103.3 ID=1 seq=250 len=32
ICMP echo request from inside:192.168.103.3 to outside:192.168.103.1 ID=1 seq=251 len=32
ICMP echo reply from outside:192.168.103.1 to inside:192.168.103.3 ID=1 seq=251 len=32
ICMP echo request from inside:192.168.103.3 to outside:192.168.103.1 ID=1 seq=252 len=32
ICMP echo reply from outside:192.168.103.1 to inside:192.168.103.3 ID=1 seq=252 len=32
- Jouni
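The two debug captures above (remote destination vs. same-subnet gateway) can be replayed to confirm the MAC-miss rule the ASA applies. The following is an added example, not code from Jouni or from Cisco: it parses a constructed excerpt of those debug lines, decodes the hex address in the "MISS indication" line (assumed here to be a host-order, little-endian word, which is consistent with 165a8c0 being the 192.168.101.1 that the echo request then targets), and checks that the action the ASA reports matches what the configured 192.168.103.2/24 interface address predicts.

```python
import ipaddress
import re

# Constructed excerpt of the thread's "debug l2-indication" output:
# one miss for a remote host (192.168.101.1) and one for the local gateway.
DEBUG_LINES = """\
add_l2fwd_entry: Added MAC 1cc1.debe.80c5 into bridge table thru inside.
f1_tf_process_l2_miss:MISS indication ip address 165a8c0, Vlan: 1,mac_address aca0.1679.6d1b
f1_tf_process_l2_miss:IP address belongs to differentsubnet. Sending ICMP traceroute
add_l2fwd_entry: Added MAC aca0.1679.6d1b into bridge table thru outside.
f1_tf_process_l2_miss:MISS indication ip address 167a8c0, Vlan: 1,mac_address aca0.1679.6d1b
MISS IND: IP address belongs to samesubnet. Sending ARP request
""".splitlines()

# Management address of the transparent ASA, taken from the posted config.
ASA_IFACE = ipaddress.ip_interface("192.168.103.2/24")

ADD_RE = re.compile(r"Added MAC (\S+) into bridge table thru (\w+)")
MISS_RE = re.compile(r"MISS indication ip address ([0-9a-f]+),.*mac_address (\S+)")
VERDICT_RE = re.compile(r"Sending (ARP request|ICMP traceroute)")


def decode_debug_ip(hex_word: str) -> ipaddress.IPv4Address:
    """Assumption: the debug prints the IP as a little-endian 32-bit word."""
    return ipaddress.IPv4Address(bytes.fromhex(hex_word.zfill(8))[::-1])


def expected_action(dst: ipaddress.IPv4Address, asa_iface=ASA_IFACE) -> str:
    """The rule observed in the thread: local subnet -> ARP, else ICMP probe."""
    return "ARP request" if dst in asa_iface.network else "ICMP traceroute"


def replay(lines, asa_iface=ASA_IFACE):
    """Rebuild the bridge table and list each MAC miss with predicted/observed action."""
    bridge_table, misses = {}, []
    for line in lines:
        m = ADD_RE.search(line)
        if m:
            bridge_table[m.group(1)] = m.group(2)
            continue
        m = MISS_RE.search(line)
        if m:
            dst = decode_debug_ip(m.group(1))
            misses.append({"dst": str(dst), "src_mac": m.group(2),
                           "action": expected_action(dst, asa_iface),
                           "observed": None})
            continue
        m = VERDICT_RE.search(line)
        if m and misses:
            misses[-1]["observed"] = m.group(1)  # ASA's own verdict for the last miss
    return bridge_table, misses


def mismatches(lines, asa_iface=ASA_IFACE):
    """Misses where the ASA's reported action differs from the subnet rule."""
    return [x for x in replay(lines, asa_iface)[1] if x["observed"] != x["action"]]
```

A non-empty result from mismatches() would mean the ASA's address or mask no longer matches the bridged subnet, which is the first thing to check when a transparent ASA stops discovering hosts.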
04-26-2013 09:17 AM
Hi Jouni,
I was thinking to test this in my home lab on the weekend, but you already tested it.
Currently I have 1 ASA; I am thinking to get another 5505 with Security Plus to learn more.
When you did this test, did you assign IP 192.168.103.2 on the ASA5505 to the BVI interface?
Thanks
Mahesh
04-26-2013 10:26 AM
Hi,
From what I quickly read, it seems to me that with the ASA5505 the "bridge-group" and "interface BVI" configurations only came in the newer 8.4 software. This test ASA is running 8.2.
This is the complete configuration of the Transparent ASA at the moment
ASA Version 8.2(1)
!
firewall transparent
hostname L2-FIREWALL
names
!
interface Vlan1
nameif inside
security-level 100
!
interface Vlan2
nameif outside
security-level 0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
ip address 192.168.103.2 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect icmp
!
service-policy global_policy global
prompt hostname context
- Jouni
04-26-2013 05:29 PM
Hi Jouni,
Thanks for putting your config here.
It has given me something to start with.
Mahesh