ASA 5505 transparent
websponge
Member Posts: 119
Hi all,
Hope you can help with a simple query.
Just wiped an ASA for a client and set it to factory default, upgraded the image and ASDM. Now the client wants this ASA purely to see traffic coming in and out and at a later time start looking at access rules etc.
So, I want this ASA purely as a bump in the wire between the existing router and their corporate WAN. I can't see any documentation that makes sense to me. I just want to plug in their WAN on the outside and LAN on the inside. No DHCP, and one port for access to ASDM. I can't figure out the best way to do it.
Is this easy enough?
Thanks.
CCDP Next
Comments
-
Mow Member Posts: 445
You need:
configure vlan 2 ip address and subnet mask as the public IP
configure vlan 1 ip address and subnet mask as the inside IP of the ASA
route outside 0.0.0.0 0.0.0.0 X.X.X.X where Xs are the default gateway provided by the ISP
enable password
http enable
http X.X.X.X X.X.X.X outside/inside where the Xs are an IP and subnet mask, as well as which interface you want to access it on.
aaa authentication http console LOCAL if you want to use the local user database to get into asdm
I think this is the bare minimum for your scenario.
-
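A way to check an exported running-config against the checklist in the post above, added here as an example (it is not from the thread or from Cisco). The sample config, its documentation-range addresses and the `audit` helper are constructed for illustration, and the last check, which flags an `http` rule admitting every source address on outside, goes beyond the checklist.

```python
import ipaddress
import re

# Constructed sample running-config (documentation addresses, not from the thread).
SAMPLE_CONFIG = """\
interface Vlan1
 nameif inside
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 ip address 203.0.113.2 255.255.255.252
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
enable password PLACEHOLDER encrypted
http server enable
http 0.0.0.0 0.0.0.0 outside
"""

def audit(config):
    """Return findings; an empty list means every checklist item is present."""
    findings = []
    addressed = {}  # nameif -> True when that interface block has an IP address
    for block in re.split(r"(?m)^(?=interface )", config):
        name = re.search(r"(?m)^ nameif (\S+)", block)
        if name:
            addressed[name.group(1)] = bool(re.search(r"(?m)^ ip address \S+ \S+", block))
    for nameif in ("inside", "outside"):
        if not addressed.get(nameif):
            findings.append(f"{nameif}: no VLAN interface with an IP address")
    required = {  # global commands from the checklist, as they appear in a running-config
        r"^route outside 0\.0\.0\.0 0\.0\.0\.0 \S+": "no default route on outside",
        r"^enable password \S+": "no enable password",
        r"^http server enable": "ASDM HTTPS server not enabled",
        r"^aaa authentication http console LOCAL": "ASDM not using the LOCAL user database",
    }
    for pattern, message in required.items():
        if not re.search(pattern, config, re.M):
            findings.append(message)
    rules = re.findall(r"(?m)^http (\d\S+) (\d\S+) (\S+)", config)
    if not rules:
        findings.append("no 'http <ip> <mask> <interface>' rule, ASDM unreachable")
    for ip, mask, nameif in rules:
        net = ipaddress.ip_network(f"{ip}/{mask}", strict=False)
        if nameif == "outside" and net.prefixlen == 0:
            findings.append("ASDM reachable from any address on outside")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```
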
websponge Member Posts: 119
Thanks for the reply. Was thinking along those lines. It's the inside I am more concerned about, as the existing router has an IP configured on its outside (now it will be facing the ASA) so I'm going to have to change the router config as well, aren't I? Was hoping I could somehow make the ASA transparent and just let traffic pass through.
Outside ASA interface I can mimic what's on the router's external interface, not a problem, but the inside will be facing the router.
CCDP Next
-
Mow Member Posts: 445
ASA will not restrict anything outbound unless you configure an inbound access list on the inside interface. The router should just need an IP address change, as well as an ip route 0.0.0.0 0.0.0.0 X.X.X.X where Xs are inside IP of ASA
-
websponge Member Posts: 119
ASA will not restrict anything outbound unless you configure an inbound access list on the inside interface. The router should just need an IP address change, as well as an ip route 0.0.0.0 0.0.0.0 X.X.X.X where Xs are inside IP of ASA
CCDP Next
-
Mow Member Posts: 445
I don't think 5505 allows for a separate management interface. I can't really remember. Are you on the same network, different subnet? As long as the ASA has a route to your other subnets through your L3 device, you can allow whatever subnet you need. If you're in a different network, use the outside address for your management and hit it through the web.
-
joelsfood Member Posts: 1,027
Take a look at this link and see if it does what you want
PIX/ASA: Transparent Firewall Configuration Example - Cisco
-
websponge Member Posts: 119
Thanks both, I'll try both solutions. 2nd one is more what I need, but the ASA will be in front of everything. I need a port on a private range for management so I'll cross that bridge when I come to it.
CCDP Next
-
websponge Member Posts: 119
Ok so, the ASA is in, traffic seems to be passing through. But the manager had to remove it this morning as he says it's dropping traffic from one of their applications. It shouldn't do this at all, should it?
I have an allow any any inside and outside. Anyone come across this?
CCDP Next