03-20-2013 07:20 AM - edited 03-11-2019 06:16 PM
Firewall is in transparent mode. At this time permit any any on trust to untrust and untrust to trust. It works great in 8.4; when I update the version to 9.1 it blocks all traffic yet nothing shows up in the monitoring mode. Downgrade to 8.4 and all is fine again. This is the simplest setup at this time and have it running in a lab. ICMP is blocked. All traffic is blocked and only occurs in 9.1
Solved! Go to Solution.
04-01-2013 10:31 AM
Hello,
Can you add
fixup protocol icmp
then try to ping to 4.2.2.2 from a trusted host and post the logs,
regards,
03-20-2013 12:31 PM
Hello.
Can you share the configuration while being on 9.1
04-01-2013 07:29 AM
Saved
:
ASA Version 9.1(1)
!
firewall transparent
<--- More --->
hostname ciscoasa
enable password
xlate per-session deny tcp any4 any4
xlate per-session deny tcp any4 any6
xlate per-session deny tcp any6 any4
xlate per-session deny tcp any6 any6
xlate per-session deny udp any4 any4 eq domain
xlate per-session deny udp any4 any6 eq domain
xlate per-session deny udp any6 any4 eq domain
xlate per-session deny udp any6 any6 eq domain
passwd
names
!
interface Ethernet0/0
nameif TRUSTED
bridge-group 1
security-level 100
!
interface Ethernet0/1
nameif UNTRUSTED
bridge-group 1
security-level 0
!
interface Ethernet0/2
<--- More --->
shutdown
no nameif
no security-level
!
interface Ethernet0/3
shutdown
no nameif
no security-level
!
interface Management0/0
management-only
shutdown
nameif MGT
security-level 100
ip address 10.10.10.212 255.255.255.0
!
interface BVI1
ip address 10.10.2.250 255.255.255.0
!
boot system disk0:/asa911-k8.bin
ftp mode passive
object-group network Trusated1
object-group network Untrusted1
object-group network Trusted
<--- More --->
object-group network Untrusted
object-group network Call_MGR
object-group network Trusted2
object-group network Untrusted2
object-group service DM_INLINE_SERVICE_1
service-object ip
object-group service DM_INLINE_SERVICE_2
service-object ip
access-list UNTRUSTED_access_in extended permit ip any any
access-list UNTRUSTED_access_in extended permit ip any4 any4
access-list TRUSTED_access_in extended permit ip any any
pager lines 24
logging enable
logging asdm informational
mtu TRUSTED 1500
mtu UNTRUSTED 1500
mtu MGT 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group TRUSTED_access_in in interface TRUSTED
access-group UNTRUSTED_access_in in interface UNTRUSTED
<--- More --->
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 10.10.10.156 255.255.255.255 MGT
http 10.10.10.211 255.255.255.255 MGT
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 10.10.10.156 255.255.255.255 MGT
ssh timeout 5
console timeout 0
<--- More --->
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
tftp-server MGT 10.10.10.162 C:\asa841-k8.bin
username cisco password
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
<--- More --->
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
call-home reporting anonymous prompt 1
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
04-01-2013 10:31 AM
Hello,
Can you add
fixup protocol icmp
then try to ping to 4.2.2.2 from a trusted host and post the logs,
regards,
04-03-2013 12:49 PM
Sorry; You do not have the correct answer. This firewall is in a closed lab and not on the internet.
I did I write erase and rebooted on 9.1. I ensured the firewall was still in transparent, yet I did not see the bvi interface nor the option to create one.
configure terminal
int bvi1 ( is an unrecognized command in 9.02 and 9.11)
upgrading from 8.4 to 9.02 seems to hold the bvi interface.
I think we may have found a bug.
Any insights or can someone recreate this?
04-03-2013 01:18 PM
Hello,
That should not happen, is not that I do not trust you it's just that I have configure it and see it working
Log a session terminal on your favorite terminal app ( Putty, Secure CRT) and then show us the configuration , the mode is running,etc,etc
Regards
04-03-2013 01:54 PM
Ok we had to retype firewall transparent and then it took. It is pinging now on 9.0 2 but not 9.1; we had to wipe the device to get it to work as the upgrade was not good.
04-03-2013 02:03 PM
Great to hear that ithe PING works now
Regards,
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide