ASA 5505 transparent

webspongewebsponge Posts: 119Member
Hi all,
Hope you can help with a simple query.
Just wiped an ASA for a client and set it too factory default, upgraded the image and ASDM. Now the client wants this ASA purely to see traffic coming in and out and at a later time start looking at access rules etc.

So, I want this ASA purely as a bump in the wire between the existing router and their corporate WAN. I can't see any documentation that makes sense to me. I just want to plug in their wan on the outside and lan on the inside. No dhcp , and one port for access to ASDM. I can't figure out the best way to do it.

Is this easy enough?

Thanks.
CCDP Next

Comments

  • MowMow Posts: 445Member ■■■□□□□□□□
    You need:
    configure vlan 2 ip address and subnet mask as the public IP
    configure vlan 1 ip address and subnet mask as the inside IP of the ASA
    route outside 0.0.0.0 0.0.0.0 X.X.X.X where Xs are the default gateway provided by the ISP
    enable password
    http enable
    http X.X.X.X X.X.X.X outside/inside where the Xs are an IP and subnet mask, as well as which interface you want to access it on.
    aaa authentication http console LOCAL if you want to use the local user database to get into asdm

    I think this is bare minimum for your scenario.
  • webspongewebsponge Posts: 119Member
    Thanks for the reply. Was thinking along those lines. It's the inside I am more concerned about, as the existing router has an IP configured on its outside (now it will be facing the ASA) so I'm going to have to change the router config as well aren't I? Was hoping I could somehow make the ASA transparent and just let traffic pass through..

    Outside ASA interface I can mimic what's on the routers external interface not a problem, but the inside will be facing the router..
    CCDP Next
  • MowMow Posts: 445Member ■■■□□□□□□□
    ASA will not restrict anything outbound unless you configure an inbound access list on the inside interface. The router should just need an IP address change, as well as a ip route 0.0.0.0 0.0.0.0 X.X.X.X where Xs are inside IP of ASA
  • webspongewebsponge Posts: 119Member
    Mow wrote: »
    ASA will not restrict anything outbound unless you configure an inbound access list on the inside interface. The router should just need an IP address change, as well as a ip route 0.0.0.0 0.0.0.0 X.X.X.X where Xs are inside IP of ASA
    Perfect, that's what I had planned! Only 1 thing... Can I use a spare inside port just for management? With a specific IP for me to access the gui? Once I configured this in the lab environment, I won't be in the inside range that I'm allowing http access too.
    CCDP Next
  • MowMow Posts: 445Member ■■■□□□□□□□
    I don't think 5505 allows for a separate management interface. I can't really remember. Are you on the same network, different subnet? As long as the ASA has a route to your other subnets through your L3 device, you can allow whatever subnet you need. If you're in a different network, use the outside address for your management and hit it through the web.
  • joelsfoodjoelsfood Posts: 1,025Member ■■■■■□□□□□
    Take a look at this link and see if it does what you want

    PIX/ASA: Transparent Firewall Configuration Example - Cisco
  • webspongewebsponge Posts: 119Member
    Thanks Both, I'll try both solutions. 2nd one is more what I need, but the ASA will be in front of everything. I need a port on a private range for management so I'll cross that bridge when I come to it..
    CCDP Next
  • webspongewebsponge Posts: 119Member
    joelsfood, I went for your link, done! boom! thank you
    CCDP Next
  • joelsfoodjoelsfood Posts: 1,025Member ■■■■■□□□□□
    Happy to help!
  • webspongewebsponge Posts: 119Member
    Ok so, the ASA is in, traffic seems to be passing through. But the manager had to remove it this morning as he says its dropping traffic from one of their applications. It shouldn't do this at all should it?

    I have an allow any any inside and outside.. Anyone come across this?
    CCDP Next
Sign In or Register to comment.