Cisco ASA - “no management-only” in “Transparent” mode.

Today I had to set up a pair of old ASA 5500 firewalls in transparent mode and hit another limitation I hadn't noticed before: in transparent mode you can't use the Management interface for anything other than management. My idea was to use Management 0/0 as the failover interface, but when I tried to do so I got an error:

ciscoasa# conf t
ciscoasa(config)# firewall transparent
ciscoasa(config)#
ciscoasa(config)# interface Management 0/0
ciscoasa(config-if)# no management-only 
ERROR: It is not allowed to make changes to this option in transparent mode.
ciscoasa(config-if)#

Another thing that you might want to know is that U-turn traffic (same-security-level intra-interface) can NOT be configured in transparent mode. It actually does make sense: in transparent mode the ASA bridges one L2 segment, and hosts on the same interface reach each other through the switch without ever traversing the firewall, so there is nothing to hairpin.

ERROR: same-security-level intra-interface CLI is not allowed in Transparent mode

I haven't seen any document mentioning these limitations as specific to transparent mode. Now I know!
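What does work in transparent mode is a regular data interface dedicated to failover. The following is an added example, not configuration from the original post, of how I would set that up on an ASA 5510-class unit; the interface Ethernet0/3, the 192.0.2.0/30 link addresses and the key are placeholders to replace with your own:

```cisco
firewall transparent

! Dedicate an unused data interface to failover. It must be up and
! must not be a member of a bridge group.
interface Ethernet0/3
 no shutdown

! Primary unit (the peer uses "failover lan unit secondary").
! The same interface carries the LAN failover link and the stateful
! failover link, so "failover link" names it without a physical interface.
failover lan unit primary
failover lan interface FAILOVER Ethernet0/3
failover link FAILOVER
failover interface ip FAILOVER 192.0.2.1 255.255.255.252 standby 192.0.2.2

! Failover replication carries the running configuration, including
! credentials, in the clear unless a key is set. Set the same key on both units.
failover key <shared-secret>

! Enable failover on the primary first, then repeat the configuration on the secondary.
failover
```

Keep the failover link on a dedicated cable or VLAN; with the key set, the replicated configuration and state are protected, but the link still carries everything needed to take over the firewall.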

How to capture traffic on Cisco IOS.

Here is a real example of how to capture traffic in both directions on an interface of a Cisco ISR G1 using Embedded Packet Capture (EPC).

! Configure buffer size (KB) and max size of each captured packet (bytes).
! By default every captured packet is truncated to 68 bytes; 9500 keeps whole packets.
! "linear" stops capturing when the buffer is full instead of overwriting old packets.
monitor capture buffer CAPTURE1 size 1024 max-size 9500 linear

! Configure a packet filter to capture specific traffic.
! You can use a standard or extended ACL. A standard ACL matches only the
! source address, so this filter sees packets FROM 188.234.136.49 but not packets TO it.
ip access-list standard ACL_CAPTURE1
 permit 188.234.136.49

! Apply the ACL to the capture buffer.
monitor capture buffer CAPTURE1 filter access-list ACL_CAPTURE1

! Create a capture point for CEF-switched traffic on the interface, in both directions.
monitor capture point ip cef CP-F00 FastEthernet 0/0 both

! Associate the capture point with the capture buffer.
monitor capture point associate CP-F00 CAPTURE1

! Start capture.
monitor capture point start CP-F00

! Stop capture.
monitor capture point stop CP-F00

! Export the buffer (pcap format) to FTP, TFTP or local flash.
monitor capture buffer CAPTURE1 export flash:capture1.cap

I was doing that to capture the traffic between the Cisco ISR and a SIP provider, and I discovered that I could capture the traffic in one direction only. It looks like you can't capture the traffic originated by the router itself. That is expected with an `ip cef` capture point: it sees only CEF-switched packets, and traffic the router generates itself is process-switched, so it needs a separate `monitor capture point ip process-switched` capture point (directions `from-us`, `to-us`, `in`, `out` or `both`). On top of that, the standard ACL above matches only the source address, so it never matches packets sent to the provider even when they do pass through a capture point.
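Here is the same capture reworked so it collects both directions of the SIP traffic. This is an added example, not configuration from the original post; it uses the standard EPC commands, and the interface FastEthernet 0/0, the provider address 188.234.136.49 from the post and the TFTP server 10.0.0.5 are assumptions to adapt to your setup. If your IOS release refuses two capture points on one buffer, give the process-switched point its own buffer and export both.

```cisco
! Buffer as before: 1024 KB, whole packets, stop when full.
monitor capture buffer CAPTURE_SIP size 1024 max-size 9500 linear

! Extended ACL matching the provider as source OR destination, so packets
! sent to it match too (a standard ACL only checks the source).
ip access-list extended ACL_CAPTURE_SIP
 permit ip host 188.234.136.49 any
 permit ip any host 188.234.136.49
monitor capture buffer CAPTURE_SIP filter access-list ACL_CAPTURE_SIP

! Two capture points feeding the same buffer: one for CEF-switched (transit)
! traffic on the interface, one for process-switched traffic, which is where
! the router's own SIP signalling lives.
monitor capture point ip cef CP_SIP_CEF FastEthernet 0/0 both
monitor capture point ip process-switched CP_SIP_PS both
monitor capture point associate CP_SIP_CEF CAPTURE_SIP
monitor capture point associate CP_SIP_PS CAPTURE_SIP

! Run the capture while reproducing a call, then stop every capture point.
monitor capture point start all
monitor capture point stop all

! Check the filter, associated points and packet count before exporting,
! and eyeball a few packets on the box to confirm both directions are there.
show monitor capture buffer CAPTURE_SIP parameters
show monitor capture buffer CAPTURE_SIP dump

! Export in pcap format for Wireshark.
monitor capture buffer CAPTURE_SIP export tftp://10.0.0.5/capture_sip.cap

! Release the buffer memory when done; do not leave captures running.
no monitor capture buffer CAPTURE_SIP
```

The exported file holds full SIP payloads, which for a provider trunk usually include registration credentials and digest challenges, and TFTP moves them in the clear. Export over a trusted management path (or to flash and copy off with SCP), and delete the buffer and the file when the troubleshooting is done.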
