Cisco Community
English
Register
ANNOUNCEMENT - Upcoming Changes in the email address of Community email notifications - LEARN MORE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel

Configuring new ASA 5510 in transparent mode.

Labels:
2117
Views
10
Helpful
0
Comments
Anim Saxena
Beginner
‎10-30-2013 12:49 PM
edited on: ‎03-08-2019 ‎06:52 PM

 

Introduction

This document describes the configuring steps required to configure ASA in transparent mode instead of routing mode in an existing network.

Problem

User is new to ASA's, he got a new asa 5510 (actually a refurb) and need to get it setup into existing network, He read it would be easier to put it in transparent mode than routing mode if you have an existing network and dont wanna redo the whole thing.

Current setup right now is,

internet > cisco leased router(with a set of external ip's from ATT) > juniper ns25( internal set of ip's mipped with the external) > internal network. So far user have put the asa in transparent mode and got the basics configured reading from some of the docs here and even some youtube vids, user read the docs on transparent mode for the ASA's

Question is on the BVI 1, it doesn't allow user to put the same ip range as his internal, it needed a different one like right now user have 192.168.1.1 on it.

 

Here's running config:

 

crxasa# sh run

ASA Version 9.1(2)8

!

firewall transparent

hostname crxasa

domain-name domain.com

enable password jtiwndTuzIDdTcxA encrypted


names

!

interface Ethernet0/0

nameif outside

security-level 0


!


interface Ethernet0/1

nameif inside

security-level 100


!


interface Ethernet0/2

shutdown

no nameif

no security-level


!

interface Ethernet0/3

shutdown

no nameif

no security-level


!


interface Management0/0

management-only

nameif management

security-level 100


ip address 192.168.1.1


!


interface BVI1

ip address 208.36.7.11

!

boot system disk0:/asa912-8-k8.bin

ftp mode passive

clock timezone PST -8

clock summer-time PDT recurring

dns server-group DefaultDNS

domain-name domain.com

pager lines 24

logging enable

logging asdm informational

mtu management 1500

mtu outside 1500

mtu inside 1500

no failover

icmp unreachable rate-limit 1 burst-size 1

asdm image disk0:/asdm-714.bin

no asdm history enable

arp timeout 14400

no arp permit-nonconnected

timeout xlate 3:00:00

timeout pat-xlate 0:00:30

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00


dynamic-access-policy-record DfltAccessPolicy

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

http server enable

http 0.0.0.0 0.0.0.0 management

no snmp-server location

no snmp-server contact

snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart

crypto ipsec security-association pmtu-aging infinite

crypto ca trustpool policy

telnet timeout 5

ssh 0.0.0.0 0.0.0.0 management

ssh timeout 5

ssh key-exchange group dh-group1-sha1

console timeout 0

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept


username admin password 571.UcWz1aqKyGh3 encrypted


!

class-map inspection_default

match default-inspection-traffic

!

!

policy-map type inspect dns preset_dns_map

parameters

  message-length maximum client auto

  message-length maximum 512


policy-map global_policy

class inspection_default

  inspect dns preset_dns_map

  inspect ftp

  inspect h323 h225

  inspect h323 ras

  inspect rsh

  inspect rtsp

  inspect esmtp

  inspect sqlnet

  inspect skinny

  inspect sunrpc

  inspect xdmcp

  inspect sip

  inspect netbios

  inspect tftp

  inspect ip-options

!

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:37fe70a1f301b2adb5136c6fce4ca9de

: end

Solution

User need to do this over console, what you can do to  avoid getting disconnected is the next, when you have a laptop connected to the ASA and not through your network

Reload the ASA, it will come back up with the previous  configuration if you saved it; log into the unit and instead of  removing the IP address from the interface Management0/0 overwrite it  and also remove the IP address from the BVI, folllow this example:

enable

config t

interface BVI1

no ip address 192.168.1.1 255.255.255.0

 

enable

config t

interface Management0/0

ip address  192.168.1.1 255.255.255.0

You will lose connection for a moment but as soon as  you reconfigure your LAN adapter to the 192.168.1.0/24 network you  should be able to connect.

To reconfigure the BVI to the network that you need:

enable

config t

interface BVI1

ip address <IP_address> <netmask>

Source Discussion

Config of new ASA 5510 transparent mode

Latest Contents
getPeersByRole: unable to connect to db at /usr/local/sf/lib...
Created by kostasthedelegate on 07-05-2020 01:22 AM
1
0
1
0
Hello,  I stumbled upon this error when trying to add FMC as manager to the SFRgetPeersByRole: unable to connect to db at /usr/local/sf/lib/perl/5.10.1/SF/PeerManager/Peers.pm line 18 The situation is as follows:I upgraded the ASA. The... view more
Healh Check on WSA
Created by geeyc5113 on 07-04-2020 05:07 PM
0
0
0
0
Hi Guys, I am new in WSA.  I would like to ask for your advise on WSA healcheck.  Usually what info do we capture for the healthcheck?  Are all capture from GUI or some from Cli?  If from Cli, is there any command? And also c... view more
Use of Custom Fields in ISE Guest Types
Created by pacavell on 07-04-2020 10:06 AM
0
0
0
0
In ISE Portals and Components you have the ability to modify the various Guest Type settings. One option is to add custom fields to collect additional data from the guest when they access a guest portal. What can be done with these additional fields? Can ... view more
Cisco cisco ISR4431/K9 Cisco IOS XE Software, Version 16.08....
Created by john-serink on 07-04-2020 07:11 AM
1
0
1
0
Hello: I have the above mentioned router and am attempting to configure it to bring up an L2TP/IPSec connection with a windows client.It completes phase 1 fine but fails the phase 2 negotiation stating the transforms don't match but it seems that the... view more
COVID-19 Anyconnect For ASA-SM
Created by Manwë Sulimo on 07-04-2020 02:41 AM
5
0
5
0
Hi everyoneFirst of all i hope you all are safe from this pandemic.I saw following link about "Emergency COVID-19 AnyConnect License". would you please anyone confirm this procedure is working for multiple context ASA-SM also? and what part numbers s... view more
CreatePlease to create content
Discussion
Blog
Document
Video
Content for Community-Ad
Cisco Community April 2020 Spotlight Award Winners

Follow our Social Media Channels