ASA in transparent mode

Posted on 2011-10-23
Last Modified: 2012-05-12
Hi All,

I've set up my Cisco ASA 5505 in transparent mode. I have a Cisco 1841 connecting to the ISP (DHCP client) and F0/0 for inside. The 1841 is the DHCP server. I have my ASA 5505 behind the 1841 in transparent mode (Vlan 1 for Outside and Vlan 1 for inside).

The router config is good: when you connect a computer straight to the inside interface, I get DHCP and can go to the internet, no problems whatsoever. But when you're trying to go through the ASA, it isn't working.

I'm pretty sure if I add an ip any any statement to the access list it will work, but having an "ip any any" in an access list is like having no firewall at all.

Any help much appreciated. Thank you.

ciscoasa(config)# sh run
: Saved
ASA Version 8.2(4) 
firewall transparent
hostname ciscoasa
enable password zmQ6OnxvsOOEDNAy encrypted
passwd zmQ6OnxvsOOEDNAy encrypted
interface Ethernet0/0
interface Ethernet0/1
 switchport access vlan 2
interface Ethernet0/2
 switchport access vlan 2
interface Ethernet0/3
 switchport access vlan 2
interface Ethernet0/4
 switchport access vlan 2
interface Ethernet0/5
 switchport access vlan 2
interface Ethernet0/6
 switchport access vlan 2
interface Ethernet0/7
 switchport access vlan 2
interface Vlan1
 nameif OUTSIDE
 security-level 0
interface Vlan2
 nameif INSIDE
 security-level 100
ftp mode passive
object-group service DHCP_PORT tcp-udp
 port-object eq 67
 port-object eq 68
access-list DHCP extended permit udp any any object-group DHCP_PORT 
pager lines 24
mtu OUTSIDE 1500
mtu INSIDE 1500
ip address
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group DHCP in interface OUTSIDE
access-group DHCP in interface INSIDE
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
service-policy global_policy global
prompt hostname context 
: end


    Question by: M_Perera
    LVL 5

    Accepted Solution

    You need an access list; in transparent mode it only passes ARP without one.

    See this article.

    LVL 14

    Expert Comment


    You should delete the access-group on interface inside; just run the following command:

    no access-group DHCP in interface INSIDE

    then you need a nat on the inside interface:

    nat (inside) 1
    global (outside) 1 interface

    It should work.

    Author Comment

    @ max the king

    The NAT is done at the 1841 router. Therefore I don't think I need to NAT from the firewall.


    Author Comment


    "You need an access list; in transparent mode it only passes ARP without one" – even for traffic originating from an inside host? Suppose I opened a browser and typed Isn't this inside to outside? Default firewall behavior? Or do I still need an access list in transparent mode?

    LVL 14

    Expert Comment

    OK, so you just need to run the command

    no access-group DHCP in interface INSIDE

    and it should work.
    LVL 5

    Expert Comment

    According to everything I have read about transparent mode, yes.
    LVL 5

    Expert Comment

    From Cisco's guide on setting up transparent mode:

    "Even though the transparent mode acts as a bridge, Layer 3 traffic, such as IP traffic, cannot pass through the security appliance unless you explicitly permit it with an extended access list. The only traffic allowed through the transparent firewall without an access list is ARP traffic. ARP traffic can be controlled by ARP inspection."
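
    An added example, not part of the thread, showing the access-list pair that follows from the Cisco text above: an ACL applied "in" on INSIDE only filters traffic arriving from the LAN, so widening it does not expose the LAN to the outside, while the OUTSIDE ACL is what limits unsolicited inbound traffic to the DHCP replies the hosts need. It reuses the DHCP_PORT object-group from the posted config; the 192.168.1.0/24 LAN range and the list of permitted outbound services are assumptions.

```cisco
! Added example for this transparent-mode ASA 8.2 layout (not the poster's config).
! Assumption: the 1841 hands out addresses from 192.168.1.0/24 (hypothetical range).
!
! Applied "in" on INSIDE: governs only traffic leaving the LAN towards the router.
! DHCP DISCOVER/REQUEST (client port 68 -> server port 67) plus the services the
! hosts actually use; anything else from the LAN is dropped and logged.
access-list INSIDE_IN extended permit udp any any object-group DHCP_PORT
access-list INSIDE_IN extended permit udp 192.168.1.0 255.255.255.0 any eq domain
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq www
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 any eq https
access-list INSIDE_IN extended permit icmp 192.168.1.0 255.255.255.0 any echo
access-list INSIDE_IN extended deny ip any any log
!
! Applied "in" on OUTSIDE: governs traffic arriving from the router side.
! Only DHCP OFFER/ACK from the server (port 67 -> client port 68) is permitted here;
! replies to the sessions permitted above are allowed by stateful inspection,
! so they need no entry in this list. Everything else unsolicited is dropped and logged.
access-list OUTSIDE_IN extended permit udp any eq bootps any eq bootpc
access-list OUTSIDE_IN extended deny ip any any log
!
! Replace the single DHCP-only list on both interfaces with the pair above.
no access-group DHCP in interface INSIDE
no access-group DHCP in interface OUTSIDE
access-group INSIDE_IN in interface INSIDE
access-group OUTSIDE_IN in interface OUTSIDE
```

    The two explicit deny lines with "log" make blocked flows visible in the syslog, which is how you would confirm whether the missing web traffic was being dropped by the INSIDE or the OUTSIDE list.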


    Author Comment

    Thank you very much everyone.
