ASA in transparent mode

Hi All,

I've set up my Cisco ASA 5505 in transparent mode. I have a Cisco 1841 connecting to the ISP (DHCP client) and F0/0 for inside. The 1841 is the DHCP server. I have my ASA 5505 behind the 1841 in transparent mode (Vlan 1 for Outside and Vlan 1 for inside).

The router config is good, as when you connect a computer straight to the inside interface I get DHCP and can go to the internet, no problems whatsoever. But when you're trying to go through the ASA it's not working.

I'm pretty sure if I add an ip any any statement to the access list it will work, but having an "ip any any" in an access list is like having no firewall at all.

Any help much appreciated. Thank you.

ciscoasa(config)# sh run
: Saved
ASA Version 8.2(4) 
firewall transparent
hostname ciscoasa
enable password zmQ6OnxvsOOEDNAy encrypted
passwd zmQ6OnxvsOOEDNAy encrypted
interface Ethernet0/0
interface Ethernet0/1
 switchport access vlan 2
interface Ethernet0/2
 switchport access vlan 2
interface Ethernet0/3
 switchport access vlan 2
interface Ethernet0/4
 switchport access vlan 2
interface Ethernet0/5
 switchport access vlan 2
interface Ethernet0/6
 switchport access vlan 2
interface Ethernet0/7
 switchport access vlan 2
interface Vlan1
 nameif OUTSIDE
 security-level 0
interface Vlan2
 nameif INSIDE
 security-level 100
ftp mode passive
object-group service DHCP_PORT tcp-udp
 port-object eq 67
 port-object eq 68
access-list DHCP extended permit udp any any object-group DHCP_PORT 
pager lines 24
mtu OUTSIDE 1500
mtu INSIDE 1500
ip address
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group DHCP in interface OUTSIDE
access-group DHCP in interface INSIDE
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
dynamic-access-policy-record DfltAccessPolicy
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet timeout 5
ssh timeout 5
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
class-map inspection_default
 match default-inspection-traffic
policy-map type inspect dns preset_dns_map
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map 
  inspect ftp 
  inspect h323 h225 
  inspect h323 ras 
  inspect rsh 
  inspect rtsp 
  inspect esmtp 
  inspect sqlnet 
  inspect skinny  
  inspect sunrpc 
  inspect xdmcp 
  inspect sip  
  inspect netbios 
  inspect tftp 
  inspect ip-options 
service-policy global_policy global
prompt hostname context 
: end


You need an access list; in transparent mode it only passes ARP without one.

See this article.


you should delete the access-group on interface inside, just run the following command:

no access-group DHCP in interface INSIDE

then you need a nat on the inside interface:

nat (inside) 1
global (outside) 1 interface

it should work

M_Perera (Author) Commented:
@ max the king

The NAT is done at the 1841 router. Therefore I don't think I need to NAT from the firewall.

M_Perera (Author) Commented:

"you need an access list, in transparent mode it only passes arp without one", even for traffic originating from an inside host? Suppose I opened a browser and typed Isn't this inside to outside? Default firewall behavior? Or do I still need an access list in transparent mode?

ok, so you just need to run the command

no access-group DHCP in interface INSIDE

and it should work

According to everything I have read about transparent mode, yes.
From Cisco's guide on setting up transparent mode:

"Even though the transparent mode acts as a bridge, Layer 3 traffic, such as IP traffic, cannot pass through the security appliance unless you explicitly permit it with an extended access list. The only traffic allowed through the transparent firewall without an access list is ARP traffic. ARP traffic can be controlled by ARP inspection."

M_Perera (Author) Commented:
Thank you very much everyone.
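
A narrower alternative to the "ip any any" rule discussed in this thread, as an added example that is not part of the original posts. The ACL names INSIDE_IN and OUTSIDE_IN and the choice of DNS, HTTP and HTTPS as the traffic inside hosts need are assumptions; the interface names come from the posted config.

```cisco
! Added example, not from the thread. ACL names and the list of permitted
! services are assumptions; adjust them to what the inside hosts really use.
!
! Weak form the original poster wants to avoid:
!   access-list INSIDE_IN extended permit ip any any
!
! Inside hosts -> router/Internet: DHCP requests, DNS and web only.
! Replace the source "any" with the inside subnet once it is known.
access-list INSIDE_IN extended permit udp any eq bootpc any eq bootps
access-list INSIDE_IN extended permit udp any any eq domain
access-list INSIDE_IN extended permit tcp any any eq domain
access-list INSIDE_IN extended permit tcp any any eq www
access-list INSIDE_IN extended permit tcp any any eq https
!
! Router -> inside hosts: DHCP server replies only.
! Return traffic for connections opened from INSIDE is matched against
! the connection table, so it needs no entry here.
access-list OUTSIDE_IN extended permit udp any eq bootps any eq bootpc
!
! One ACL per interface and direction; everything not listed above falls
! through to the implicit deny at the end of each ACL.
access-group INSIDE_IN in interface INSIDE
access-group OUTSIDE_IN in interface OUTSIDE
```

`show access-list INSIDE_IN` lists a hit count per entry, which shows whether a flow is matching a permit line or falling through to the implicit deny.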