01 May, 2015

ASA Transparent Firewall


ASA(config)# show firewall
Firewall mode: Router

! Change to Transparent mode (be careful with this change: it removes all routing configuration without confirmation, like a reset!)
ASA(config)# firewall transparent
ciscoasa(config)# hostname ASA
ASA(config-if)# show firewall
Firewall mode: Transparent

! Create Bridge-Group Virtual Interface
ASA(config)# interface bvi 1
ASA(config-if)# ip address 10.0.0.254 255.255.255.0
ASA(config-if)# in Gi1
ASA(config-if)# bridge-group 1
ASA(config-if)# in Gi2
ASA(config-if)# bridge-group 1

ASA(config)# show interface bvI 1
Interface BVI1 is up, line protocol is up
        MAC address N/A, MTU not set
        IP address 10.0.0.254, subnet mask 255.255.255.0

ASA(config)# show ip
Group : 1
Management System IP Address:
        ip address 10.0.0.254 255.255.255.0
Management Current IP Address:
        ip address 10.0.0.254 255.255.255.0

! After changing the firewall mode we have to name the interfaces and set the security level again
ASA(config)# show run int g 1
interface GigabitEthernet1
 shutdown
 no nameif
 bridge-group 1
 no security-level

ASA(config)# in gi 1
ASA(config-if)# nameif inside
ASA(config-if)# in gi 2
ASA(config-if)# nameif outside

ASA(config)# show nameif
Interface                Name                     Security
GigabitEthernet1         inside                   100
GigabitEthernet2         outside                    0

ASA(config-if)# ping 10.0.0.1 (R1)
!!!!!
ASA(config-if)# ping 10.0.0.2 (R2)
!!!!!

! Telnet from R2 to R1 (outside to inside) is dropped
R2#tel 10.0.0.1
Trying 10.0.0.1 ...
% Connection timed out; remote host not responding

! Telnet from R1 to R2 (inside to outside) is permitted
R1#tel 10.0.0.2
Trying 10.0.0.2 ... Open
R2>

ASA(config)# show arp
        inside 10.0.0.1 0000.0000.0001 36      (R1)
        outside 10.0.0.2 0000.0000.0002 36     (R2)

! Show Active Connection (In use)
ASA(config)# show conn
1 in use, 2 most used
TCP outside 10.0.0.2:23 inside 10.0.0.1:37028, idle 0:01:48, bytes 53, flags UIO

ASA(config)# show conn detail
1 in use, 2 most used
Flags: A - awaiting inside ACK to SYN, a - awaiting outside ACK to SYN,
       B - initial SYN from outside, b - TCP state-bypass or nailed, C - CTIQBE media,
       D - DNS, d - dump, E - outside back connection, F - outside FIN, f - inside FIN,
       G - group, g - MGCP, H - H.323, h - H.225.0, I - inbound data,
       i - incomplete, J - GTP, j - GTP data, K - GTP t3-response
       k - Skinny media, M - SMTP data, m - SIP media, n - GUP
       O - outbound data, P - inside back connection, p - Phone-proxy TFTP connection,
       q - SQL*Net data, R - outside acknowledged FIN,
       R - UDP SUNRPC, r - inside acknowledged FIN, S - awaiting inside SYN,
       s - awaiting outside SYN, T - SIP, t - SIP transient, U - up,
       V - VPN orphan, W - WAAS,
       X - inspected by service module
TCP outside:10.0.0.2/23 inside:10.0.0.1/37028,
    flags UIO, idle 4m14s, uptime 4m14s, timeout 1h0m, bytes 53

Or use | to trim the output:
ASA(config)# show conn detail | include /23|uptime
TCP outside:10.0.0.2/23 inside:10.0.0.1/37028,
    flags UIO, idle 4m7s, uptime 4m7s, timeout 1h0m, bytes 53

ASA(config)# show local-host
Interface outside: 1 active, 1 maximum active, 0 denied
local host: <10.0.0.2>,
    TCP flow count/limit = 1/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited
  Conn:
    TCP outside 10.0.0.2:23 inside 10.0.0.1:37028, idle 0:06:56, bytes 53, flags UIO
Interface inside: 1 active, 1 maximum active, 0 denied
local host: <10.0.0.1>,
    TCP flow count/limit = 1/unlimited
    TCP embryonic count to host = 0
    TCP intercept watermark = unlimited
    UDP flow count/limit = 0/unlimited
  Conn:
    TCP outside 10.0.0.2:23 inside 10.0.0.1:37028, idle 0:06:56, bytes 53, flags UIO

! Configure OSPF on R1 and R2 
R1(config)#in fas 0/0
R1(config-if)#ip ospf 1 area 0
R1(config-if)#ip ospf hello-interval 3

R2(config)#in fas 0/0
R2(config-if)#ip ospf 1 area 0
R2(config-if)#ip ospf hello-interval 3

ASA(config)# logging console 7
ASA(config)# logging on
%ASA-3-106010: Deny inbound protocol 89 src inside:10.0.0.1 dst outside:224.0.0.5
%ASA-3-106010: Deny inbound protocol 89 src outside:10.0.0.2 dst inside:224.0.0.5
ASA(config)# no logging on

! Configure MPLS IP
R1(config)#in fas 0/0
R1(config-if)#mpls ip

R2(config)#in fas 0/0
R2(config-if)#mpls ip

ASA(config)# logging on
%ASA-2-106006: Deny inbound UDP from 10.0.0.2/646 to 224.0.0.2/646 on interface outside
%ASA-2-106006: Deny inbound UDP from 10.0.0.1/646 to 224.0.0.2/646 on interface inside
ASA(config)#  no logging on

! Allow OSPF and MPLS traffic through the transparent ASA
ASA(config)# access-list INSIDE-IN permit ip any any  ! (Permit All IP Connection from IN To OUT)
ASA(config)# access-list OUTSIDE-IN permit ospf any any ! (Permit OSPF Connection from OUT To IN)
ASA(config)# access-list OUTSIDE-IN permit udp any any eq 646  ! (Permit MPLS UDP Connection from OUT To IN)
ASA(config)# access-list OUTSIDE-IN permit tcp any any eq 646  ! (Permit MPLS TCP Connection from OUT To IN)
! Apply the access lists to the interfaces
ASA(config)# access-group INSIDE-IN in interface inside 
ASA(config)# access-group OUTSIDE-IN in interface outside

! Show Active Connections
ASA(config)# show conn
5 in use, 6 most used    ! (Permitted Connections)
UDP outside 224.0.0.2:646 inside 10.0.0.1:646, idle 0:00:01, bytes 2890, flags -
OSPF outside 224.0.0.5 inside 10.0.0.1, idle 0:00:02, bytes 7984
UDP outside 10.0.0.2:646 inside 224.0.0.2:646, idle 0:00:01, bytes 3026, flags -
TCP outside 10.0.0.2:20843 inside 10.0.0.1:646, idle 0:00:33, bytes 288, flags UIOB
OSPF outside 10.0.0.2 inside 224.0.0.5, idle 0:00:01, bytes 7448

ASA(config)# show conn detail
5 in use, 6 most used
UDP outside:224.0.0.2/646 inside:10.0.0.1/646,
    flags -, idle 4s, uptime 5m2s, timeout 2m0s, bytes 2346
OSPF outside:224.0.0.5/0 inside:10.0.0.1/0,
    idle 2s, uptime 5m4s, timeout 2m0s, bytes 6544
UDP outside:10.0.0.2/646 inside:224.0.0.2/646,
    flags -, idle 1s, uptime 4m48s, timeout 2m0s, bytes 2482
TCP outside:10.0.0.2/20843 inside:10.0.0.1/646,
    flags UIOB, idle 16s, uptime 16s, timeout 1h0m, bytes 252
OSPF outside:10.0.0.2/0 inside:224.0.0.5/0,
    idle 1s, uptime 4m49s, timeout 2m0s, bytes 6008
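As an added example (not part of the original post), here is a small Python parser for the plain `show conn` output shown above. It decodes the flag letters using the legend printed by `show conn detail`, and picks out TCP sessions whose initial SYN arrived on the outside interface (flag B), which the `outside ... inside ...` column order alone does not tell you. The sample input is constructed from the output above.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Subset of the flag legend printed by "show conn detail".
CONN_FLAGS = {"U": "up", "I": "inbound data", "O": "outbound data",
              "B": "initial SYN from outside", "A": "awaiting inside ACK to SYN",
              "a": "awaiting outside ACK to SYN", "i": "incomplete"}

# One line of plain "show conn" output; OSPF entries have no port and no flags field.
CONN_RE = re.compile(
    r"^(?P<proto>\w+)\s+\S+\s+(?P<oaddr>[\d.]+(?::\d+)?)\s+\S+\s+(?P<iaddr>[\d.]+(?::\d+)?),"
    r"\s+idle\s+\S+,\s+bytes\s+(?P<bytes>\d+)(?:,\s+flags\s+(?P<flags>\S+))?$")

@dataclass
class Conn:
    proto: str
    outside: str   # address[:port] seen on the outside interface
    inside: str    # address[:port] seen on the inside interface
    flags: str
    nbytes: int

def parse_show_conn(text: str) -> list[Conn]:
    """Parse plain "show conn" output into Conn records, skipping the counter line."""
    conns = []
    for line in text.splitlines():
        m = CONN_RE.match(line.strip())
        if m:
            flags = (m["flags"] or "").replace("-", "")  # "flags -" means none set
            conns.append(Conn(m["proto"], m["oaddr"], m["iaddr"], flags, int(m["bytes"])))
    return conns

def describe_flags(conn: Conn) -> list[str]:
    return [CONN_FLAGS.get(f, f"unknown flag {f!r}") for f in conn.flags]

def outside_initiated_tcp(conns: list[Conn]) -> list[Conn]:
    """TCP connections whose first SYN arrived on the outside (lower-security) interface.
    The column order in the output is not direction; for TCP only flag B records it."""
    return [c for c in conns if c.proto == "TCP" and "B" in c.flags]

# Constructed sample, modelled on the "show conn" output in the post.
SAMPLE = """\
5 in use, 6 most used
UDP outside 224.0.0.2:646 inside 10.0.0.1:646, idle 0:00:01, bytes 2890, flags -
OSPF outside 224.0.0.5 inside 10.0.0.1, idle 0:00:02, bytes 7984
UDP outside 10.0.0.2:646 inside 224.0.0.2:646, idle 0:00:01, bytes 3026, flags -
TCP outside 10.0.0.2:20843 inside 10.0.0.1:646, idle 0:00:33, bytes 288, flags UIOB
TCP outside 10.0.0.2:23 inside 10.0.0.1:37028, idle 0:01:48, bytes 53, flags UIO
"""

if __name__ == "__main__":
    for c in outside_initiated_tcp(parse_show_conn(SAMPLE)):
        print(f"{c.outside} -> {c.inside}: {', '.join(describe_flags(c))}")
```

In the sample, only the LDP session from R2 (10.0.0.2:20843 to 10.0.0.1:646) carries flag B; the telnet from R1 shows R2 in the outside column but was started from inside.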

! When all necessary traffic is permitted we can check R1 and R2
*May  1 21:31:27.446: %OSPF-5-ADJCHG: Process 1, Nbr 10.0.0.1 on FastEthernet0/0 from LOADING to FULL, Loading Done
*May  1 21:36:00.374: %LDP-5-NBRCHG: LDP Neighbor 10.0.0.1:0 (1) is UP
Note: LDP = Label Distribution Protocol (MPLS)
! Check OSPF
R2#show ip ospf neighbor
Neighbor ID     Pri   State           Dead Time   Address         Interface
10.0.0.1          1   FULL/BDR        00:00:10    10.0.0.1        FastEthernet0/0

! Check MPLS
R2#show mpls ldp neighbor
    Peer LDP Ident: 10.0.0.1:0; Local LDP Ident 10.0.0.2:0
        TCP connection: 10.0.0.1.646 - 10.0.0.2.20843
        State: Oper; Msgs sent/rcvd: 13/14; Downstream
        Up time: 00:08:48
        LDP discovery sources:
          FastEthernet0/0, Src IP addr: 10.0.0.1
        Addresses bound to peer LDP Ident:
          10.0.0.1

Note: 
The transparent mode FWSM does not pass CDP packets, or any packets that do not have a valid EtherType greater than or equal to 0x600. For example, you cannot pass IS-IS packets. An exception is made for BPDUs, which are supported.
For example, you can establish routing protocol adjacencies through a transparent firewall; you can allow OSPF, RIP, EIGRP, or BGP traffic through based on an extended access list. Likewise, protocols like HSRP or VRRP can pass through the FWSM.
Non-IP traffic (for example AppleTalk, IPX, BPDUs, and MPLS) can be configured to go through using an EtherType access list.
For features that are not directly supported on the transparent firewall, you can allow traffic to pass through so that upstream and downstream routers can support the functionality. For example, by using an extended access list, you can allow DHCP traffic (instead of the unsupported DHCP relay feature) or multicast traffic such as that created by IP/TV.