Introduction
This document describes the configuring steps required to configure ASA in transparent mode instead of routing mode in an existing network.
Problem
User is new to ASA's, he got a new asa 5510 (actually a refurb) and need to get it setup into existing network, He read it would be easier to put it in transparent mode than routing mode if you have an existing network and dont wanna redo the whole thing.
Current setup right now is,
internet > cisco leased router(with a set of external ip's from ATT) > juniper ns25( internal set of ip's mipped with the external) > internal network. So far user have put the asa in transparent mode and got the basics configured reading from some of the docs here and even some youtube vids, user read the docs on transparent mode for the ASA's
Question is on the BVI 1, it doesn't allow user to put the same ip range as his internal, it needed a different one like right now user have 192.168.1.1 on it.
Here's running config:
crxasa# sh run
ASA Version 9.1(2)8
!
firewall transparent
hostname crxasa
domain-name domain.com
enable password jtiwndTuzIDdTcxA encrypted
names
!
interface Ethernet0/0
nameif outside
security-level 0
!
interface Ethernet0/1
nameif inside
security-level 100
!
interface Ethernet0/2
shutdown
no nameif
no security-level
!
interface Ethernet0/3
shutdown
no nameif
no security-level
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 192.168.1.1
!
interface BVI1
ip address 208.36.7.11
!
boot system disk0:/asa912-8-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
domain-name domain.com
pager lines 24
logging enable
logging asdm informational
mtu management 1500
mtu outside 1500
mtu inside 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-714.bin
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
username admin password 571.UcWz1aqKyGh3 encrypted
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:37fe70a1f301b2adb5136c6fce4ca9de
: end
Solution
User need to do this over console, what you can do to avoid getting disconnected is the next, when you have a laptop connected to the ASA and not through your network
Reload the ASA, it will come back up with the previous configuration if you saved it; log into the unit and instead of removing the IP address from the interface Management0/0 overwrite it and also remove the IP address from the BVI, folllow this example:
enable
config t
interface BVI1
no ip address 192.168.1.1 255.255.255.0
enable
config t
interface Management0/0
ip address 192.168.1.1 255.255.255.0
You will lose connection for a moment but as soon as you reconfigure your LAN adapter to the 192.168.1.0/24 network you should be able to connect.
To reconfigure the BVI to the network that you need:
enable
config t
interface BVI1
ip address <IP_address> <netmask>
Source Discussion
Config of new ASA 5510 transparent mode