Upgrading from 8.4 to 9.1 issues (Transparent firewall)

xaeniac
Level 1

The firewall is in transparent mode. At this time it is permit any any on trust to untrust and untrust to trust. It works great in 8.4; when I update the version to 9.1 it blocks all traffic, yet nothing shows up in the monitoring mode. Downgrade to 8.4 and all is fine again. This is the simplest setup at this time and I have it running in a lab. ICMP is blocked. All traffic is blocked, and this only occurs in 9.1.


7 Replies

Julio Carvajal
VIP Alumni

Hello.

Can you share the configuration while on 9.1?

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

: Saved
:
ASA Version 9.1(1)
!
firewall transparent
hostname ciscoasa
enable password
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd
names
!
interface Ethernet0/0
 nameif TRUSTED
 bridge-group 1
 security-level 100
!
interface Ethernet0/1
 nameif UNTRUSTED
 bridge-group 1
 security-level 0
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
!
interface Management0/0
 management-only
 shutdown
 nameif MGT
 security-level 100
 ip address 10.10.10.212 255.255.255.0
!
interface BVI1
 ip address 10.10.2.250 255.255.255.0
!
boot system disk0:/asa911-k8.bin
ftp mode passive
object-group network Trusated1
object-group network Untrusted1
object-group network Trusted
object-group network Untrusted
object-group network Call_MGR
object-group network Trusted2
object-group network Untrusted2
object-group service DM_INLINE_SERVICE_1
 service-object ip
object-group service DM_INLINE_SERVICE_2
 service-object ip
access-list UNTRUSTED_access_in extended permit ip any any
access-list UNTRUSTED_access_in extended permit ip any4 any4
access-list TRUSTED_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu TRUSTED 1500
mtu UNTRUSTED 1500
mtu MGT 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group TRUSTED_access_in in interface TRUSTED
access-group UNTRUSTED_access_in in interface UNTRUSTED
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.10.10.156 255.255.255.255 MGT
http 10.10.10.211 255.255.255.255 MGT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 10.10.10.156 255.255.255.255 MGT
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server MGT 10.10.10.162 C:\asa841-k8.bin
username cisco password privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly
  subscribe-to-alert-group configuration periodic monthly
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end

Hello,

Can you add

fixup protocol icmp

then try to ping 4.2.2.2 from a trusted host and post the logs.

regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Sorry; you do not have the correct answer. This firewall is in a closed lab and not on the internet.

I did a write erase and rebooted on 9.1. I ensured the firewall was still in transparent, yet I did not see the BVI interface nor the option to create one.

configure terminal

int bvi1 (is an unrecognized command in 9.0(2) and 9.1(1))

Upgrading from 8.4 to 9.0(2) seems to keep the BVI interface.

I think we may have found a bug.

Any insights or can someone recreate this?

Hello,

That should not happen. It is not that I do not trust you, it's just that I have configured it and seen it working.

Log a terminal session in your favorite terminal app (PuTTY, SecureCRT) and then show us the configuration, the mode it is running in, etc.

Regards

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

OK, we had to retype firewall transparent and then it took. It is pinging now on 9.0(2) but not 9.1; we had to wipe the device to get it to work, as the upgrade was not good.

Great to hear that the PING works now.

Regards,

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
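As an added example (editor's code, not from the thread and not a Cisco tool), the checks this thread ends up doing by hand can be run over a `show running-config` dump before and after an upgrade or a write erase: is the `firewall transparent` line there (it is what had to be retyped above, and `interface BVI1` and `bridge-group` are only accepted once it is), does every named data interface sit in a bridge group, does each bridge group have a BVI with an address, is an inbound ACL applied on each interface, how is ICMP handled, and would a drop be retained anywhere. The ICMP check reflects that on 9.x the legacy `fixup protocol icmp` suggested above is rewritten by the ASA into `inspect icmp` under `class inspection_default` in `policy-map global_policy`; with `permit ip any any` applied in both directions, echo replies are already permitted by ACL, so the lint reports that as informational rather than as a cause. The embedded config is an abridged copy of the 9.1(1) config posted above with the pager prompts stripped; the ACL check is deliberately simplified (only broad `permit ip|icmp any` entries are evaluated) and the message IDs and command names are the standard ASA ones.

```python
import re

# Added example (editor's code, not from the thread or from Cisco): lint an ASA
# 'show running-config' dump for transparent-mode prerequisites. SAMPLE_CONFIG is
# an abridged copy of the 9.1(1) config posted in the thread, pager prompts
# removed and unrelated lines omitted.
SAMPLE_CONFIG = """\
firewall transparent
!
interface Ethernet0/0
 nameif TRUSTED
 bridge-group 1
 security-level 100
!
interface Ethernet0/1
 nameif UNTRUSTED
 bridge-group 1
 security-level 0
!
interface BVI1
 ip address 10.10.2.250 255.255.255.0
!
access-list UNTRUSTED_access_in extended permit ip any any
access-list TRUSTED_access_in extended permit ip any any
logging enable
logging asdm informational
access-group TRUSTED_access_in in interface TRUSTED
access-group UNTRUSTED_access_in in interface UNTRUSTED
service-policy global_policy global
"""


def parse_interfaces(config):
    """Map interface name -> {nameif, bridge-group, ip, shutdown, management-only}.
    Sub-commands need not be indented (pasted configs lose the leading space); a
    block ends at the next '!' line."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = {}
        elif line == "!":
            current = None
        elif current is not None and line:
            words = line.split()
            if words[0] in ("nameif", "bridge-group"):
                interfaces[current][words[0]] = words[1]
            elif words[:2] == ["ip", "address"]:
                interfaces[current]["ip"] = words[2]
            elif line in ("shutdown", "management-only"):
                interfaces[current][line] = True
    return interfaces


def acl_permits_icmp(config, acl_name):
    """True if the ACL has a broad 'permit ip|icmp any ...' entry. Simplified: host
    or subnet permits are not evaluated, so False means 'check by hand'."""
    pattern = re.compile(r"^access-list %s extended permit (ip|icmp) (any|any4|any6)\b"
                         % re.escape(acl_name))
    return any(pattern.match(line.strip()) for line in config.splitlines())


def check_transparent_config(config):
    """Return (severity, message) findings; severity is FAIL, WARN or INFO."""
    findings, lines = [], [line.strip() for line in config.splitlines()]
    # 'interface BVIn' and 'bridge-group' are rejected in routed mode, and a write
    # erase drops this line together with the rest of the config.
    if "firewall transparent" not in lines:
        findings.append(("FAIL", "no 'firewall transparent' line: the unit is in routed mode, "
                                 "so 'interface BVI1' and 'bridge-group' are not accepted"))
    interfaces = parse_interfaces(config)
    bvis = {n[3:]: a for n, a in interfaces.items() if n.upper().startswith("BVI")}
    data = {a["nameif"]: a for a in interfaces.values()
            if "nameif" in a and not a.get("shutdown") and not a.get("management-only")}
    applied = {ifc: acl for acl, ifc in
               re.findall(r"^\s*access-group (\S+) in interface (\S+)", config, re.M)}
    for ifc, attrs in data.items():
        if "bridge-group" not in attrs:
            findings.append(("FAIL", f"{ifc} has a nameif but no bridge-group; it cannot bridge traffic"))
        if ifc not in applied:
            findings.append(("WARN", f"no inbound access-group on {ifc}; security-level defaults apply"))
    # Every bridge group needs a BVI carrying the management address.
    for group in sorted({a["bridge-group"] for a in data.values() if "bridge-group" in a}):
        if "ip" not in bvis.get(group, {}):
            findings.append(("FAIL", f"bridge-group {group} has no 'interface BVI{group}' with an ip address"))
    # Without 'inspect icmp' (what the legacy 'fixup protocol icmp' becomes on 9.x) an
    # echo reply is a plain packet checked by the ACL on the interface it arrives on.
    if "inspect icmp" in lines:
        findings.append(("INFO", "inspect icmp is on: echo replies are matched to their request"))
    else:
        gaps = [ifc for ifc in data if ifc in applied and not acl_permits_icmp(config, applied[ifc])]
        if gaps:
            findings.append(("WARN", "inspect icmp is off and the ACL on " + ", ".join(gaps)
                                     + " has no broad icmp permit: replies arriving there may be dropped"))
        else:
            findings.append(("INFO", "inspect icmp is off, but the applied ACLs permit ip/icmp from any, "
                                     "so ping should pass both ways without it"))
    # ASDM-only logging vanishes with the session; keep denies (e.g. 106023) in the buffer.
    if "logging enable" not in lines:
        findings.append(("WARN", "logging is disabled; denies are not recorded anywhere"))
    elif not any(ln.startswith(("logging buffered", "logging host")) for ln in lines):
        findings.append(("WARN", "no buffered or syslog-host destination; add "
                                 "'logging buffered informational' so denies survive for 'show logging'"))
    return findings
```

Run against the posted config it reports only the two soft findings (ICMP passes by ACL without `inspect icmp`; nothing but ASDM receives the logs, which is consistent with "nothing shows up" after the session is gone). Remove the `firewall transparent` line, as a write erase does, and it fails on the mode before anything else. On the box itself the same points are confirmed with `show firewall` (which prints `Firewall mode: Transparent`), `show bridge-group 1`, `packet-tracer input TRUSTED icmp <src> 8 0 <dst>`, and `show asp drop` for drops that generate no syslog.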