ASA in transparent mode

Posted on 2011-10-23
Medium Priority
Last Modified: 2012-05-12
Hi All,

I've set up my Cisco ASA 5505 in transparent mode. I have a Cisco 1841 connecting to the ISP (DHCP client) and F0/0 for inside. The 1841 is the DHCP server. I have my ASA 5505 behind the 1841 in transparent mode (Vlan 1 for Outside and Vlan 1 for inside).

The router config is good: when you connect a computer straight to the inside interface I get DHCP and can go to the internet, no problems whatsoever. But when you try to go through the ASA it isn't working.

I'm pretty sure if I add an ip any any statement to the access list it will work, but having an "ip any any" in an access list is like having no firewall at all.

Any help much appreciated. Thank you.

ciscoasa(config)# sh run
: Saved
ASA Version 8.2(4) 
firewall transparent
hostname ciscoasa
enable password zmQ6OnxvsOOEDNAy encrypted
passwd zmQ6OnxvsOOEDNAy encrypted
interface Ethernet0/0
interface Ethernet0/1
 switchport access vlan 2
interface Ethernet0/2
 switchport access vlan 2
interface Ethernet0/3
 switchport access vlan 2
interface Ethernet0/4
 switchport access vlan 2
interface Ethernet0/5
 switchport access vlan 2
interface Ethernet0/6
 switchport access vlan 2
interface Ethernet0/7
 switchport access vlan 2
interface Vlan1
 nameif OUTSIDE
 security-level 0
interface Vlan2
 nameif INSIDE
 security-level 100
ftp mode passive
object-group service DHCP_PORT tcp-udp
 port-object eq 67
 port-object eq 68
access-list DHCP extended permit udp any any object-group DHCP_PORT 
pager lines 24
mtu OUTSIDE 1500
mtu INSIDE 1500
ip address
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group DHCP in interface OUTSIDE
access-group DHCP in interface INSIDE
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
service-policy global_policy global
prompt hostname context 
: end


Question by: M_Perera

Accepted Solution

mlchelp earned 2000 total points
ID: 37015903
You need an access list; in transparent mode it only passes ARP without one.

See this article.

LVL 17

Expert Comment

ID: 37016443

You should delete the access-group on interface inside; just run the following command:

no access-group DHCP in interface INSIDE

Then you need a NAT on the inside interface:

nat (inside) 1
global (outside) 1 interface

It should work.

Author Comment

ID: 37017186
@ max the king

The NAT is done at the 1841 router, therefore I don't think I need to NAT from the firewall.


Author Comment

ID: 37017209

"You need an access list, in transparent mode it only passes ARP without one": even for traffic originated from an inside host? Suppose I open a browser and type www.google.com. Isn't this inside to outside, the default firewall behavior? Or do I still need an access list in transparent mode?

LVL 17

Expert Comment

ID: 37017216
OK, so you just need to run the command

no access-group DHCP in interface INSIDE

and it should work.

Expert Comment

ID: 37017316
According to everything I have read about transparent mode, yes.

Expert Comment

ID: 37017351
From Cisco's guide on setting up transparent mode:

"Even though the transparent mode acts as a bridge, Layer 3 traffic, such as IP traffic, cannot pass through the security appliance unless you explicitly permit it with an extended access list. The only traffic allowed through the transparent firewall without an access list is ARP traffic. ARP traffic can be controlled by ARP inspection."
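
The rule quoted above, modelled in an added Python example (not code from the thread, from Cisco, or from the poster's ASA): an ASA evaluates the extended access list bound to an interface with "access-group ... in" top to bottom, takes the first matching entry, and drops anything that reaches the end of the list. The DHCP_ONLY list below is the one from the posted "sh run"; the INSIDE_HARDENED list, the 192.168.1.0/24 LAN prefix and all sample flows are constructed for illustration and are assumptions, not something the thread prescribes. The model covers only the first packet of each flow; reply packets of connections the ASA already tracks are allowed by its state table and are not modelled here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")   # the 'any' keyword of an ASA ACE


@dataclass(frozen=True)
class Flow:
    """First packet of a flow as seen on the interface the ACL is bound to."""
    proto: str              # 'tcp', 'udp' or 'icmp'
    src: str                # source IP as text
    dst: str                # destination IP as text
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-list entry: action, protocol, source, destination, dest ports."""
    action: str                      # 'permit' or 'deny'
    proto: str                       # 'ip' matches every protocol
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    dports: frozenset = frozenset()  # empty set means any destination port

    def matches(self, f: Flow) -> bool:
        if self.proto != "ip" and self.proto != f.proto:
            return False
        if ipaddress.ip_address(f.src) not in self.src:
            return False
        if ipaddress.ip_address(f.dst) not in self.dst:
            return False
        if self.dports and f.dport not in self.dports:
            return False
        return True


def evaluate(acl: List[Ace], f: Flow) -> str:
    """Return the action of the first matching ACE; the implicit deny ends every list."""
    for ace in acl:
        if ace.matches(f):
            return ace.action
    return "deny"


# The ACL from the poster's 'sh run': UDP to ports 67/68 from any to any, nothing else.
DHCP_ONLY = [Ace("permit", "udp", dports=frozenset({67, 68}))]

# Constructed tighter list for the INSIDE interface (assumption for this example):
# DHCP from anywhere, then DNS, web and ICMP only from the LAN prefix; every other
# inside-originated flow falls through to the implicit deny instead of 'ip any any'.
LAN = ipaddress.ip_network("192.168.1.0/24")   # constructed LAN, not from the thread
INSIDE_HARDENED = [
    Ace("permit", "udp", dports=frozenset({67, 68})),
    Ace("permit", "udp", LAN, dports=frozenset({53})),
    Ace("permit", "tcp", LAN, dports=frozenset({80, 443})),
    Ace("permit", "icmp", LAN),
]

# Constructed sample flows arriving on the INSIDE interface (direction 'in').
FLOWS: Dict[str, Flow] = {
    "dhcp_discover": Flow("udp", "0.0.0.0", "255.255.255.255", 67),
    "dns_query":     Flow("udp", "192.168.1.10", "192.168.1.1", 53),
    "http_browse":   Flow("tcp", "192.168.1.10", "203.0.113.20", 80),
    "https_browse":  Flow("tcp", "192.168.1.10", "203.0.113.21", 443),
    "smb_outbound":  Flow("tcp", "192.168.1.10", "203.0.113.22", 445),
    "ping_gateway":  Flow("icmp", "192.168.1.10", "192.168.1.1"),
}


def classify(acl: List[Ace]) -> Dict[str, str]:
    """Verdict for every sample flow under the given access list."""
    return {name: evaluate(acl, f) for name, f in FLOWS.items()}


if __name__ == "__main__":
    for label, acl in (("DHCP only (as posted)", DHCP_ONLY), ("hardened", INSIDE_HARDENED)):
        print(label)
        for name, verdict in classify(acl).items():
            print(f"  {name:15} {verdict}")
```

Run stand-alone, the script shows that under the posted list only the DHCP discover is permitted and the web, DNS and ICMP flows all end at the implicit deny, which matches the symptom in the question; the hardened list permits those while still dropping the unexpected SMB flow, so the firewall keeps doing work without an "ip any any" entry.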


Author Comment

ID: 37018255
Thank you very much everyone.
