Transparent FW and pinging to remote device

mahesh18
Level 6

Hi everyone,

I was reading about transparent FW and it says:

Unlike a transparent switch, however, the device will not flood frames out interfaces for an unknown MAC address destination. Instead the ASA will respond with an ARP request for a directly connected device. If the destination is remote, the ASA will attempt to ping the remote device.

Question

How will the ASA ping the remote device? Will it ping via the static route config on the ASA?

Say we have a transparent FW between 2 switches, and on one side, say switch1, a server is connected to it.

How will the ASA ping this server?

Now, can we call this server a remote device if it is on a different subnet than the ASA interface?

It seems the ASA will have the MAC addresses of directly connected interfaces.

Thanks

Mahesh

8 Replies

Julio Carvajal
VIP Alumni

Hello Mahesh,

How will the ASA ping the remote device? Will it ping via the static route config on the ASA?

Exactly, that is why you need a route on your ASA. The ASA needs to know where its default gateway is.

Say we have a transparent FW between 2 switches, and on one side, say switch1, a server is connected to it.

How will the ASA ping this server?

Based on its ARP table.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Julio Carvajal
VIP Alumni

If the server is on a different broadcast domain, then the firewall knows the traffic must go to the default gateway.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Hi Julio,

Thanks again for answering the post.

Regards

Mahesh

Hi,

I actually configured one of my ASA5505s as Transparent last night and tested it a bit.

I had NO default route on the ASA5505 and the connections from the host behind the Transparent firewall worked just fine. Though I didn't use any management connection to the ASA other than a console cable.

I guess for remote management connections and certain traffic originated by the ASA itself, the default route is needed, BUT not for the actual host traffic through the ASA. The host already has a default gateway configured; it will ARP for its MAC address through the Transparent ASA and already knows where to forward the traffic to reach the remote host. The ASA just has to determine where to forward the traffic.

I enabled several debugs on the ASA and it would indeed seem that when the ASA still has absolutely no knowledge of the MAC address behind its "inside" or "outside" it will at the start use Traceroute.

I will post the debugs shortly.

EDIT: Debugs

L2-FIREWALL(config)# sh debug
debug l2-indication  enabled at level 255
debug mac-address-table  enabled at level 255
debug arp-inspection  enabled at level 255
debug icmp trace enabled at level 255
debug arp  enabled at level 1

I first issued a "clear mac-address-table" and after that I initiated ICMP Echo to a remote network.

My IP addresses were:

  • 192.168.103.1 Host default gateway - MAC aca0.1679.6d1b
  • 192.168.103.2 ASA5505 IP address
  • 192.168.103.3 Host IP address - MAC 1cc1.debe.80c5
  • 192.168.101.1 Remote Host

f1_tf_process_l2_learn:learn indication , cur_ifc inside, new_ifc inside
mac_address: 1cc1.debe.80c5
add_l2fwd_entry: Going to add MAC 1cc1.debe.80c5.
add_l2fwd_entry: Added MAC 1cc1.debe.80c5 into bridge table thru inside.
add_l2fwd_entry: Sending LU to add MAC 1cc1.debe.80c5.
f1_tf_process_l2_miss:MISS indication ip address 165a8c0, Vlan: 1,mac_address aca0.1679.6d1b
MISS IND: Skipping learning for same interface
f1_tf_process_l2_miss:IP address belongs to differentsubnet. Sending ICMP traceroute
icmp_mktracert: Block allocated
ICMP echo request from 192.168.103.2 to 192.168.101.1 ID=4388 seq=0 len=32
f1_tf_process_l2_learn:learn indication , cur_ifc outside, new_ifc outside
mac_address: aca0.1679.6d1b
add_l2fwd_entry: Going to add MAC aca0.1679.6d1b.
add_l2fwd_entry: Added MAC aca0.1679.6d1b into bridge table thru outside.
add_l2fwd_entry: Sending LU to add MAC aca0.1679.6d1b.
ICMP echo reply from 192.168.101.1 to 192.168.103.2 ID=4388 seq=0 len=32
ICMP echo request from inside:192.168.103.3 to outside:192.168.101.1 ID=1 seq=244 len=32
ICMP echo reply from outside:192.168.101.1 to inside:192.168.103.3 ID=1 seq=244 len=32
ICMP echo request from inside:192.168.103.3 to outside:192.168.101.1 ID=1 seq=245 len=32
ICMP echo reply from outside:192.168.101.1 to inside:192.168.103.3 ID=1 seq=245 len=32
ICMP echo request from inside:192.168.103.3 to outside:192.168.101.1 ID=1 seq=246 len=32
ICMP echo reply from outside:192.168.101.1 to inside:192.168.103.3 ID=1 seq=246 len=32

- Jouni

Hi,

Here is also output from when the Transparent ASA has an empty MAC address table and the LAN host initiates an ICMP Echo to the gateway IP address:

f1_tf_process_l2_miss:MISS indication ip address 167a8c0, Vlan: 1,mac_address aca0.1679.6d1b
MISS IND: IP address belongs to samesubnet. Sending ARP request
arp-send: arp request built from 192.168.103.2 30e4.dbd8.f544 for 192.168.103.1 at 2200460
MISS IND: IP address belongs to samesubnet. Sending ARP request
arp-send: arp request built from 192.168.103.2 30e4.dbd8.f545 for 192.168.103.1 at 2200460
f1_tf_process_l2_learn:learn indication , cur_ifc outside, new_ifc outside
mac_address: aca0.1679.6d1b
add_l2fwd_entry: Going to add MAC aca0.1679.6d1b.
add_l2fwd_entry: Added MAC aca0.1679.6d1b into bridge table thru outside.
add_l2fwd_entry: Sending LU to add MAC aca0.1679.6d1b.
arp-in: response at outside from 192.168.103.1 aca0.1679.6d1b for 192.168.103.2 30e4.dbd8.f545
arp-set: added arp outside 192.168.103.1 aca0.1679.6d1b and updating NPs at 2200460
set_l2: Found MAC entry aca0.1679.6d1b on outside.
arp-in: resp from 192.168.103.1 for 192.168.103.2 on outside at 2200460
arp_in_forward: Forwarding arp request from 192.168.103.3 to 192.168.103.1 smac 1cc1.debe.80c5
set_l2: Found MAC entry 1cc1.debe.80c5 on inside.
learn_and_forward_arp_request: Forwarding arp request to outside
arp-set: added arp outside 192.168.103.1 aca0.1679.6d1b and updating NPs at 2205200
arp_in_forward: Forwarding arp resp from 192.168.103.1 to 192.168.103.3 smac aca0.1679.6d1b  dmac 1cc1.debe.80c5
set_l2: Found MAC entry aca0.1679.6d1b on outside.
learn_and_forward_arp_response: Forwarding arp response to inside.
ICMP echo request from inside:192.168.103.3 to outside:192.168.103.1 ID=1 seq=250 len=32
ICMP echo reply from outside:192.168.103.1 to inside:192.168.103.3 ID=1 seq=250 len=32
ICMP echo request from inside:192.168.103.3 to outside:192.168.103.1 ID=1 seq=251 len=32
ICMP echo reply from outside:192.168.103.1 to inside:192.168.103.3 ID=1 seq=251 len=32
ICMP echo request from inside:192.168.103.3 to outside:192.168.103.1 ID=1 seq=252 len=32
ICMP echo reply from outside:192.168.103.1 to inside:192.168.103.3 ID=1 seq=252 len=32

- Jouni
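The two debug captures above (the off-subnet case that triggers an ICMP "traceroute" and the same-subnet case that triggers an ARP request) are easier to read with a small helper. The following Python is an added example, not code from the thread or from Cisco: it decodes the little-endian hex IP in the MISS indication, rebuilds the learned bridge table, and checks each probe the ASA logged against the same-subnet rule for the ASA's 192.168.103.2/24 address from the posted config. The sample lines are a constructed subset of Jouni's output.

```python
import ipaddress
import re

# Constructed sample: a subset of the debug lines Jouni posted (l2-indication,
# mac-address-table, arp and icmp trace debugs on a transparent ASA 8.2).
SAMPLE_DEBUG = """\
f1_tf_process_l2_learn:learn indication , cur_ifc inside, new_ifc inside
add_l2fwd_entry: Added MAC 1cc1.debe.80c5 into bridge table thru inside.
f1_tf_process_l2_miss:MISS indication ip address 165a8c0, Vlan: 1,mac_address aca0.1679.6d1b
MISS IND: Skipping learning for same interface
f1_tf_process_l2_miss:IP address belongs to differentsubnet. Sending ICMP traceroute
ICMP echo request from 192.168.103.2 to 192.168.101.1 ID=4388 seq=0 len=32
add_l2fwd_entry: Added MAC aca0.1679.6d1b into bridge table thru outside.
f1_tf_process_l2_miss:MISS indication ip address 167a8c0, Vlan: 1,mac_address aca0.1679.6d1b
MISS IND: IP address belongs to samesubnet. Sending ARP request
arp-send: arp request built from 192.168.103.2 30e4.dbd8.f545 for 192.168.103.1 at 2200460
"""

# The transparent ASA's management address and mask, taken from the posted config.
ASA_IFACE = ipaddress.ip_interface("192.168.103.2/24")

MISS_RE = re.compile(r"MISS indication ip address ([0-9a-f]+),.*mac_address ([0-9a-f.]+)")
DECISION_RE = re.compile(r"Sending (ARP request|ICMP traceroute)")
LEARN_RE = re.compile(r"Added MAC ([0-9a-f.]+) into bridge table thru (\w+)")


def decode_hex_ip(word: str) -> ipaddress.IPv4Address:
    """The MISS indication prints the IPv4 address as a little-endian hex word:
    165a8c0 is 0x0165a8c0, whose bytes c0.a8.65.01 are 192.168.101.1."""
    return ipaddress.IPv4Address(int(word, 16).to_bytes(4, "little"))


def expected_probe(dst: ipaddress.IPv4Address, asa=ASA_IFACE) -> str:
    """Decision the debug shows: ARP for an address on the ASA's own subnet,
    an ICMP echo (the 'traceroute') for an address on another subnet."""
    return "arp" if dst in asa.network else "icmp"


def walk_debug(text: str):
    """Return (bridge_table, events). bridge_table maps MAC -> interface as
    learned; events records each MISS with its decoded IP, the probe the ASA
    logged and the probe the subnet rule predicts (a mismatch means ASA_IFACE
    is not the address/mask of the box that produced the log)."""
    table, events, pending = {}, [], None
    for line in text.splitlines():
        if m := MISS_RE.search(line):
            ip = decode_hex_ip(m.group(1))
            pending = {"ip": str(ip), "mac": m.group(2), "predicted": expected_probe(ip)}
        elif (m := DECISION_RE.search(line)) and pending:
            pending["logged"] = "arp" if m.group(1).startswith("ARP") else "icmp"
            events.append(pending)
            pending = None
        elif m := LEARN_RE.search(line):
            table[m.group(1)] = m.group(2)
    return table, events
```

Feed it the full capture from `debug l2-indication` and `debug mac-address-table` on a box of your own and the events list shows, per unknown destination, whether the ASA ARPed or pinged and which interface the answering MAC was learned on.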

Hi Jouni,

I was thinking of testing this in my home lab on the weekend, but you already tested it.

Currently I have 1 ASA; I am thinking of getting another 5505 with Security Plus to learn more.

When you did this test, did you assign the ASA5505 IP 192.168.103.2 to a BVI interface?

Thanks

Mahesh

Hi,

From what I quickly read, it seems to me that on the ASA5505 the "bridge-group" and "interface BVI" configurations only came in the newer 8.4 software. This test ASA is running 8.2.

This is the complete configuration of the Transparent ASA at the moment:

ASA Version 8.2(1)
!
firewall transparent
hostname L2-FIREWALL
names
!
interface Vlan1
nameif inside
security-level 100
!
interface Vlan2
nameif outside
security-level 0
!
interface Ethernet0/0
switchport access vlan 2
!
interface Ethernet0/1
shutdown
!
interface Ethernet0/2
shutdown
!
interface Ethernet0/3
shutdown
!
interface Ethernet0/4
shutdown
!
interface Ethernet0/5
shutdown
!
interface Ethernet0/6
shutdown
!
interface Ethernet0/7
!
boot system disk0:/asa821-k8.bin
ftp mode passive
pager lines 24
logging enable
logging buffered informational
logging asdm informational
mtu inside 1500
mtu outside 1500
ip address 192.168.103.2 255.255.255.0
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
  message-length maximum 512
policy-map global_policy
class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect icmp
!
service-policy global_policy global
prompt hostname context

- Jouni

Hi Jouni,

Thanks for putting your config here.

It has given me something to start with.

Mahesh
