1. check the current firewall mode: show firewall
2. change the firewall from routed mode to transparent mode: firewall transparent
3. create a BVI (Bridge Virtual Interface) to use as the management interface, much like a VSI (Virtual Switch Interface):
   interface BVI [number of the bridge group]
   then give it an ip address
4. turn on the physical interfaces and put each of them in bridge-group 1
- int g0
  security-level 100
  nameif inside
  bridge-group 1
  no sh
- int g4
  same commands, with its own nameif (this is the outside interface)
5. permit BPDUs so the switches on both sides can talk to each other for STP (ASDM EtherType rule)
6. configure ACLs that permit dhcp packets to be transferred between the inside and outside interfaces.
- because dhcp uses broadcast packets, hosts in the inside_1 and inside_2 networks are unable to get an ip address from the dhcp server.
  (the ASA, by default, drops all broadcast and multicast traffic)
- Therefore, you have to add access-lists that permit
  dhcp broadcast packets (ip 255.255.255.255, port UDP 68) between the inside and outside ports
Result: success
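To make step 6 concrete, here is an added Python model (not code from the original post, and not the ASA's own implementation) of how a transparent-mode ASA treats DHCP broadcast versus ordinary unicast traffic, before and after the permit ACL is applied. It assumes inside is security-level 100 as in the post and outside is 0, uses a constructed DHCP server address 192.168.10.1 and a constructed client 192.168.10.4, and models DHCP on UDP 67 (server) and 68 (client). The ACE notation (`Ace('permit', 'udp', 'any', '255.255.255.255/32', 67)`) is this example's own shorthand for the corresponding access-list line.

```python
"""Added example: why DHCP stalls through a transparent ASA, and what the ACL changes."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed assumption: inside is security-level 100 (as in the post), outside is 0.
SECURITY_LEVEL = {"inside": 100, "outside": 0}


@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    proto: str                  # "udp", "tcp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-list entry; 'permit udp any host 255.255.255.255 eq 67'
    is written here as Ace('permit', 'udp', 'any', '255.255.255.255/32', 67)."""
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol
    src: str                    # "any" or a CIDR prefix
    dst: str
    dport: Optional[int] = None


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def ace_matches(ace: Ace, pkt: Packet) -> bool:
    return (ace.proto in ("ip", pkt.proto)
            and _addr_match(ace.src, pkt.src)
            and _addr_match(ace.dst, pkt.dst)
            and (ace.dport is None or ace.dport == pkt.dport))


def evaluate_acl(acl: list, pkt: Packet) -> str:
    """First matching entry wins; an ASA access-list ends with an implicit deny."""
    for ace in acl:
        if ace_matches(ace, pkt):
            return ace.action
    return "deny"


def forward_decision(acl_by_if: dict, pkt: Packet) -> str:
    """Simplified transparent-mode policy:
    - broadcast (255.255.255.255) and multicast are dropped unless an ACL on the
      ingress interface explicitly permits them;
    - with no ACL applied, unicast passes only from a higher to a lower security level."""
    is_bcast = pkt.dst == "255.255.255.255" or ip_address(pkt.dst).is_multicast
    acl = acl_by_if.get(pkt.in_if)
    if acl is None:
        if is_bcast:
            return "deny"
        return "permit" if SECURITY_LEVEL[pkt.in_if] > SECURITY_LEVEL[pkt.out_if] else "deny"
    return evaluate_acl(acl, pkt)


# Constructed sample traffic: a client discover, the server's broadcast offer, and a ping.
DHCP_DISCOVER = Packet("inside", "outside", "udp", "0.0.0.0", "255.255.255.255", 67)
DHCP_OFFER = Packet("outside", "inside", "udp", "192.168.10.1", "255.255.255.255", 68)
PING_OUT = Packet("inside", "outside", "icmp", "192.168.10.4", "192.168.10.1")

DHCP_ONLY_ACL = [Ace("permit", "udp", "any", "255.255.255.255/32", 67),
                 Ace("permit", "udp", "any", "255.255.255.255/32", 68)]
# Once an ACL is applied, everything it does not list hits the implicit deny,
# so the working version keeps a catch-all for the rest of the lab traffic.
FULL_ACL = DHCP_ONLY_ACL + [Ace("permit", "ip", "any", "any")]


def before_and_after() -> dict:
    before = {}                                     # no ACLs applied at all
    after = {"inside": FULL_ACL, "outside": FULL_ACL}
    dhcp_only = {"inside": DHCP_ONLY_ACL, "outside": DHCP_ONLY_ACL}
    return {
        "discover_before": forward_decision(before, DHCP_DISCOVER),
        "discover_after": forward_decision(after, DHCP_DISCOVER),
        "offer_before": forward_decision(before, DHCP_OFFER),
        "offer_after": forward_decision(after, DHCP_OFFER),
        "ping_before": forward_decision(before, PING_OUT),
        "ping_after": forward_decision(after, PING_OUT),
        "ping_dhcp_only": forward_decision(dhcp_only, PING_OUT),
    }


if __name__ == "__main__":
    for name, decision in before_and_after().items():
        print(f"{name:16} {decision}")
```

The `ping_dhcp_only` case is the one to watch in a real lab: an access-list that permits only the DHCP broadcasts silently breaks the unicast traffic that worked before the ACL existed.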
7. configure ARP inspection
- maps a host's ip address to its mac-address
- if a packet violates the ARP inspection rule, that packet is dropped.
  ex) ip address 192.168.10.4 = mac address aaaa.bbbb.cccc
First: map the ip address to the mac address (static ARP entry)
Second: enable ARP inspection on the interface
Ex) Inside_R router: ip address 192.168.10.2 | mac-address c200.04fc.0000
change the mac-address of 192.168.10.2:
c200.04fc.0000 -> 1111.0022.0200
(the MAC no longer matches the static entry, so ARP inspection drops its ARP packets)
change the mac-address of 192.168.10.2 back:
c200.04fc.0000 <- 1111.0022.0200
Now, I can connect and ping to ASA.
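The MAC-change test above is easy to reproduce in software. The following added Python model (not code from the original post, and not the ASA's own implementation) keeps a static ARP table and per-interface inspection setting, then replays the test: the binding for 192.168.10.2 / c200.04fc.0000 and the changed MAC 1111.0022.0200 come from the post, while the unknown host 192.168.10.77 / 0200.0000.7777 is constructed. It also goes one step beyond the post by showing the flood/no-flood behaviour for hosts with no static entry and the drop for a correct binding seen on the wrong interface.

```python
"""Added example: a model of ASA ARP inspection, replaying the step 7 MAC-change test."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArpPacket:
    interface: str          # interface the ARP packet arrived on
    sender_ip: str
    sender_mac: str


def normalize_mac(mac: str) -> str:
    """Accept Cisco dotted (c200.04fc.0000), colon or dash notation and return
    12 lowercase hex digits so that the comparison is notation-independent."""
    digits = mac.lower().replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"malformed MAC address: {mac!r}")
    return digits


class ArpInspector:
    """Static ARP table plus per-interface inspection, mirroring the effect of
    'arp <if> <ip> <mac>' and 'arp-inspection <if> enable [flood|no-flood]'."""

    def __init__(self) -> None:
        self.static = {}        # (interface, ip) -> normalized mac
        self.enabled = {}       # interface -> flood unknown senders? (True/False)

    def add_static(self, interface: str, ip: str, mac: str) -> None:
        self.static[(interface, ip)] = normalize_mac(mac)

    def enable(self, interface: str, flood_unknown: bool = True) -> None:
        self.enabled[interface] = flood_unknown

    def inspect(self, pkt: ArpPacket) -> str:
        """Return 'forward' (inspection off on that interface), 'permit', 'drop' or 'flood'."""
        if pkt.interface not in self.enabled:
            return "forward"
        mac = normalize_mac(pkt.sender_mac)
        # Every static entry that shares either the IP or the MAC of this packet.
        related = [(iface, ip, m) for (iface, ip), m in self.static.items()
                   if ip == pkt.sender_ip or m == mac]
        if not related:
            # No static entry at all: flood or drop, depending on the interface setting.
            return "flood" if self.enabled[pkt.interface] else "drop"
        if (pkt.interface, pkt.sender_ip, mac) in related:
            return "permit"      # IP, MAC and interface all agree with a static entry
        return "drop"            # IP, MAC or interface disagrees with a static binding


def replay_lab_test() -> dict:
    insp = ArpInspector()
    insp.add_static("inside", "192.168.10.2", "c200.04fc.0000")    # Inside_R from the post
    insp.enable("inside", flood_unknown=True)
    insp.enable("outside", flood_unknown=False)

    changed = ArpPacket("inside", "192.168.10.2", "1111.0022.0200")    # after the MAC change
    restored = ArpPacket("inside", "192.168.10.2", "c200.04fc.0000")   # MAC changed back
    unknown = ArpPacket("inside", "192.168.10.77", "0200.0000.7777")   # constructed, no static entry
    moved = ArpPacket("outside", "192.168.10.2", "c200.04fc.0000")    # right binding, wrong interface
    return {
        "changed_mac": insp.inspect(changed),
        "restored_mac": insp.inspect(restored),
        "unknown_host": insp.inspect(unknown),
        "wrong_interface": insp.inspect(moved),
    }


if __name__ == "__main__":
    for name, decision in replay_lab_test().items():
        print(f"{name:16} {decision}")
```

The `unknown_host` result is the setting to decide on deliberately: with flood enabled, hosts you never added to the static table keep working, while no-flood turns the static table into an allow-list and every host must be entered by hand.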