ASA 5505 transparent

  websponge (Senior Member, joined Aug 2008, 119 posts; certifications: A+, Network+, MCP, CCENT, CCNA, CCNA Security, CCNP), #1

    Hi all,
    Hope you can help with a simple query.
    Just wiped an ASA for a client and set it to factory default, upgraded the image and ASDM. Now the client wants this ASA purely to see traffic coming in and out and at a later time start looking at access rules etc.

    So, I want this ASA purely as a bump in the wire between the existing router and their corporate WAN. I can't see any documentation that makes sense to me. I just want to plug in their WAN on the outside and LAN on the inside. No DHCP, and one port for access to ASDM. I can't figure out the best way to do it.

    Is this easy enough?

    Thanks.

  Mow (Membrane, joined Apr 2015, 431 posts; certifications: CCNP Collaboration, CCNA, CCDA, CCNA Sec), #2
    You need:
    configure vlan 2 ip address and subnet mask as the public IP
    configure vlan 1 ip address and subnet mask as the inside IP of the ASA
    route outside 0.0.0.0 0.0.0.0 X.X.X.X where Xs are the default gateway provided by the ISP
    enable password
    http enable
    http X.X.X.X X.X.X.X outside/inside where the Xs are an IP and subnet mask, as well as which interface you want to access it on.
    aaa authentication http console LOCAL if you want to use the local user database to get into asdm

    I think this is bare minimum for your scenario.
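
    Mow's list above, written out as a complete ASA 5505 configuration. This is an added example, not Mow's or Cisco's text: it assumes 8.4 or later syntax and the Base license (three VLAN interfaces, the third limited with "no forward"), and every address, VLAN number and user name is a placeholder to be replaced. The third VLAN supplies the separate management port on a private range that a plain two-interface setup lacks; the customer router takes the other address of the inside /30 and points its default route at the ASA.

```cisco
! Added example, not from the thread: ASA 5505 in routed mode as the "bump in the wire"
! Mow describes. Assumes 8.4+ syntax and the Base license (three VLANs, the third
! restricted with "no forward"). All addresses, VLAN numbers and the username are placeholders.
hostname asa5505
enable password <strong-passphrase-here>
username admin password <strong-passphrase-here> privilege 15
!
! Outside: takes over the public address the router used to hold on its WAN port
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.10 255.255.255.248
!
! Inside: a /30 shared with the router's re-addressed WAN port (router gets .2)
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.0.2.1 255.255.255.252
!
! Management: third VLAN on a private range; "no forward" must precede nameif
! and keeps this VLAN from initiating traffic toward the inside VLAN
interface Vlan3
 no forward interface Vlan1
 nameif management
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/7
 switchport access vlan 3
! Ethernet0/1 - 0/6 keep the factory default, VLAN 1
!
route outside 0.0.0.0 0.0.0.0 203.0.113.9
!
! ASDM over HTTPS only from the management VLAN and the router's /30,
! authenticated against the local user database
http server enable
http 10.10.10.0 255.255.255.0 management
http 192.0.2.0 255.255.255.252 inside
aaa authentication http console LOCAL
!
! Visibility-only posture: permit everything both ways but log every hit so the
! client can see what crosses the wire. Connections are still tracked statefully;
! the outside permit is the first line to tighten once real rules are written.
access-list INSIDE_IN extended permit ip any any log
access-list OUTSIDE_IN extended permit ip any any log
access-group INSIDE_IN in interface inside
access-group OUTSIDE_IN in interface outside
```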

  websponge, #3
    Thanks for the reply. Was thinking along those lines. It's the inside I am more concerned about, as the existing router has an IP configured on its outside (now it will be facing the ASA), so I'm going to have to change the router config as well, aren't I? Was hoping I could somehow make the ASA transparent and just let traffic pass through.

    Outside ASA interface I can mimic what's on the router's external interface, not a problem, but the inside will be facing the router.

  Mow, #4
    ASA will not restrict anything outbound unless you configure an inbound access list on the inside interface. The router should just need an IP address change, as well as an ip route 0.0.0.0 0.0.0.0 X.X.X.X where Xs are the inside IP of the ASA.

  websponge, #5
    Quote Originally Posted by Mow:
        ASA will not restrict anything outbound unless you configure an inbound access list on the inside interface. The router should just need an IP address change, as well as an ip route 0.0.0.0 0.0.0.0 X.X.X.X where Xs are the inside IP of the ASA.
    Perfect, that's what I had planned! Only one thing... Can I use a spare inside port just for management? With a specific IP for me to access the GUI? Once I've configured this in the lab environment, I won't be in the inside range that I'm allowing http access to.

  Mow, #6
    I don't think 5505 allows for a separate management interface. I can't really remember. Are you on the same network, different subnet? As long as the ASA has a route to your other subnets through your L3 device, you can allow whatever subnet you need. If you're in a different network, use the outside address for your management and hit it through the web.

  joelsfood (Senior Member, Chicago, IL, joined Sep 2014, 969 posts; certifications: CCIE:DC, CCNP:DC, CCNA:DC, CCDA, VCP:DCV, VCP:NV, JNCIA-JUNOS), #7
    Take a look at this link and see if it does what you want:

    PIX/ASA: Transparent Firewall Configuration Example - Cisco
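
    The transparent-mode setup that the linked Cisco document covers, as an added configuration for the same ASA 5505; this is not the thread's or Cisco's own text. It assumes 8.4 or later bridge-group syntax and a management station on the bridged subnet; all addresses, names and the "DROPS" capture name are placeholders. The comments at the end list the checks to run when an application stops working once the box is inline, and the one thing "permit ip any any" does not cover.

```cisco
! Added example, not the thread's or Cisco's own text: the 5505 as a transparent
! (layer 2) firewall, 8.4+ bridge-group syntax. Addresses and names are placeholders.
firewall transparent
hostname asa5505
username admin password <strong-passphrase-here> privilege 15
!
! Both VLANs join one bridge group; the customer router keeps its existing WAN
! address and default route, so nothing on either side needs re-addressing.
interface Vlan2
 bridge-group 1
 nameif outside
 security-level 0
interface Vlan1
 bridge-group 1
 nameif inside
 security-level 100
interface Ethernet0/0
 switchport access vlan 2
!
! The BVI holds the only address the ASA owns: a spare host address from the
! bridged subnet, used for management (and as the source for syslog, NTP, etc.)
interface BVI1
 ip address 203.0.113.12 255.255.255.248
!
http server enable
http 203.0.113.8 255.255.255.248 inside
aaa authentication http console LOCAL
!
! Same visibility-only posture as in routed mode, logged for later rule writing
access-list INSIDE_IN extended permit ip any any log
access-list OUTSIDE_IN extended permit ip any any log
access-group INSIDE_IN in interface inside
access-group OUTSIDE_IN in interface outside
!
! Caveat: "permit ip any any" covers IP only. A transparent ASA forwards IP and ARP
! by default; other layer 2 protocols need an EtherType ACL before they will pass.
! Uncomment only if the client actually runs such protocols across this link:
! access-list L2_ANY ethertype permit any
! access-group L2_ANY in interface inside
! access-group L2_ANY in interface outside
!
! Checks to run before declaring the box invisible, and first stops if an
! application stops working once it is inline:
!   show access-list                 -> hit counts per ACE
!   show asp drop                    -> why the data path discarded frames
!   show mac-address-table           -> what the bridge has learned on each side
!   capture DROPS type asp-drop all  -> the dropped frames themselves (show capture DROPS)
```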

  websponge, #8
    Thanks both, I'll try both solutions. The second one is more what I need, but the ASA will be in front of everything. I need a port on a private range for management, so I'll cross that bridge when I come to it.

  websponge, #9
    joelsfood, I went for your link. Done! Boom! Thank you.

  joelsfood, #10
    Happy to help!

  websponge, #11
    OK so, the ASA is in, and traffic seems to be passing through. But the manager had to remove it this morning as he says it's dropping traffic from one of their applications. It shouldn't do this at all, should it?

    I have an allow any any inside and outside. Anyone come across this?