This document describes the steps required to configure an ASA in transparent mode, instead of routed mode, in an existing network.
The user is new to ASAs. He got a new ASA 5510 (actually a refurbished unit) and needs to set it up in an existing network. He read that it is easier to deploy it in transparent mode than in routed mode when you have an existing network and do not want to redo the whole addressing scheme.
The current setup is:
internet > Cisco leased router (with a set of external IPs from AT&T) > Juniper NS25 (internal set of IPs mapped to the external ones with MIPs) > internal network.
So far the user has put the ASA in transparent mode and configured the basics, working from some of the documents here and some YouTube videos; he has also read the transparent mode documentation for the ASAs.
The question concerns BVI 1: the ASA does not allow the user to give it an address in the same IP range as his internal network; it requires a different one, which is why it currently has 192.168.1.1 on it.
Here is the running config:
crxasa# sh run
ASA Version 9.1(2)8
!
firewall transparent
hostname crxasa
domain-name domain.com
enable password jtiwndTuzIDdTcxA encrypted
names
!
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1
!
interface BVI1
 ip address 208.36.7.11
!
boot system disk0:/asa912-8-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name domain.com
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password 571.UcWz1aqKyGh3 encrypted
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:37fe70a1f301b2adb5136c6fce4ca9de
: end
The user needs to do this over the console. To avoid being disconnected, do the following with a laptop connected directly to the ASA rather than through the network:
Reload the ASA; it comes back up with the previous configuration if you saved it. Log into the unit and, instead of removing the IP address from interface Management0/0, overwrite it, and also remove the IP address from the BVI. Follow this example:
enable
config t
interface BVI1
no ip address 192.168.1.1 255.255.255.0

enable
config t
interface Management0/0
ip address 192.168.1.1 255.255.255.0
You will lose the connection for a moment, but as soon as you reconfigure your laptop's LAN adapter for the 192.168.1.0/24 network you should be able to connect again.
To reconfigure the BVI to the network that you need:
enable
config t
interface BVI1
ip address <IP_address> <netmask>
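The addressing check behind the question above, as a Python example added here (it is not from the original thread or from Cisco): it parses the interface stanzas out of an ASA running config and reports any BVI whose subnet overlaps a management-only interface's subnet, which is assumed to be the overlap the ASA rejected. The netmasks in the constructed sample are assumed, since the `show run` output above prints none.

```python
import ipaddress

# Constructed sample, abridged from the running config shown above. `show run` on this
# unit prints no netmasks, so the /24 masks below are an assumption for the example.
SAMPLE_RUN = """\
firewall transparent
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface BVI1
 ip address 192.168.1.11 255.255.255.0
!
"""

def parse_interfaces(config):
    """Return {interface name: attributes} for every 'interface' stanza in an ASA config."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = ifaces.setdefault(line.split()[1], {"ip": None})
        elif line == "!":
            cur = None                      # '!' closes the current stanza
        elif cur is None:
            continue                        # global commands outside any stanza
        elif line.startswith("ip address "):
            _, _, addr, mask = line.split()[:4]
            cur["ip"] = ipaddress.ip_interface(f"{addr}/{mask}")
        elif line.startswith("nameif "):
            cur["nameif"] = line.split()[1]
        elif line == "management-only":
            cur["management_only"] = True
    return ifaces

def bvi_management_conflicts(ifaces):
    """Names of BVIs whose subnet overlaps a management-only interface's subnet.
    Assumption: that overlap is what the ASA rejected in the question above."""
    mgmt_nets = [i["ip"].network for i in ifaces.values()
                 if i.get("management_only") and i["ip"]]
    return [name for name, i in ifaces.items()
            if name.startswith("BVI") and i["ip"]
            and any(i["ip"].network.overlaps(n) for n in mgmt_nets)]

def check_bvi_plan(config, bvi_name, addr, mask):
    """Conflicts that would remain after 'interface <bvi_name>' / 'ip address <addr> <mask>'."""
    ifaces = parse_interfaces(config)
    ifaces.setdefault(bvi_name, {})["ip"] = ipaddress.ip_interface(f"{addr}/{mask}")
    return bvi_management_conflicts(ifaces)
```

Run `check_bvi_plan` with the address you intend to type in the last step before you lose console access to confirm the BVI lands outside the management subnet.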