Transparent Mode vs. Routed Mode on ASA boxes

Unanswered Question
Sep 15th, 2007

A colleague earlier presented me with a question which I could not answer.

What is the default mode of operation on the new ASAs? We both guessed transparent, although I see nothing in our config to validate this.


Thanks


JORGE RODRIGUEZ Sat, 09/15/2007 - 17:21

Hi Kevin,


The most logical answer is single mode, as that is the default config Cisco ships its ASA with; it is up to the end user to change that to transparent or context mode.


Transparent Mode: In this mode, the ASA will filter traffic without requiring L3 on the ASA. This means that in your config you will not put IPs on the interfaces to be used for traffic filtering. Thus, filtering is transparent to the traffic as the traffic isn't directly routed to the firewall. Think of it like you have a server plugged into a switch. In transparent mode, you place the ASA between the server and the switch and no configuration change is required to the server. In routed mode, you place the ASA in the same physical location between the server and switch, but have to change the server to use the ASA as a default gateway.


Single Mode: Default mode of an ASA. The ASA acts as a single firewall and all interfaces are provisioned to be managed through a single firewall configuration.


Multiple Context Mode: The ASA is split into multiple virtual configurations. With the ASA now virtualized, you provision the physical interfaces on the ASA to the virtual firewall configured. Each context has its own configuration separate from the rest of the firewall. Multi-context is meant for enterprises to invest in a single piece of hardware and scale it for use as multiple security devices.




HTH

Jorge

Kevin Melton Sun, 09/16/2007 - 18:13

Jorge

Your answer helped a lot. Our Firewalls (ASAs rather) do have IP addresses on their respective interfaces, and some boxes do use it as their gateway. My assumption at this point and based on your thorough explanation is that we are in routed mode. I wish there was some sho or debug to validate it though.

thx

JORGE RODRIGUEZ Sun, 09/16/2007 - 20:48

In enable mode try "show firewall"; it should indicate whether it is in transparent, context or single firewall mode.


Rgds

Jorge

mishaaltk Wed, 01/04/2017 - 18:02

9-year-old thread, but I just found it googling for the same answer.

I just got a brand new ISA3000 (essentially the same as an ASA, it runs the same code v9.x with FirePOWER). The default mode on it was "Transparent" and had a Bridged Virtual Interface.


I had to issue "no firewall mode transparent" to get it to Routed Mode.

That command above itself shows that the default is transparent and a "no" is required to get it out of it!

As mentioned below, a "show firewall" shows what mode it's in currently.
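
Added example, not part of any post in this thread: a small audit helper that reads captured `show firewall` output and cross-checks it against a saved configuration, treating interface IP addresses and bridge groups only as supporting evidence. The `Firewall mode:` line format, the `firewall transparent` config line, the sample captures and all function names are assumptions made for illustration.

```python
import re

# Constructed sample captures (not taken from the thread); the line formats
# are assumptions about what the device prints and stores.
SHOW_FIREWALL_ROUTED = "Firewall mode: Router\n"
CONFIG_ROUTED = """\
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
interface GigabitEthernet0/1
 ip address 10.0.0.1 255.255.255.0
"""
SHOW_FIREWALL_TRANSPARENT = "Firewall mode: Transparent\n"
CONFIG_TRANSPARENT = """\
firewall transparent
interface GigabitEthernet1/1
 bridge-group 1
interface GigabitEthernet1/2
 bridge-group 1
interface BVI1
 ip address 10.0.0.2 255.255.255.0
"""

def reported_mode(show_firewall):
    """Mode stated by `show firewall`, normalised to 'routed'/'transparent'."""
    m = re.search(r"^Firewall mode:\s*(\S+)", show_firewall, re.I | re.M)
    if not m:
        return None  # output missing or in an unexpected format
    return {"router": "routed", "transparent": "transparent"}.get(m.group(1).lower())

def interface_evidence(config):
    """Supporting hints: interfaces with their own IP vs. bridge-group members."""
    routed, bridged = [], []
    for name, body in re.findall(r"^interface (\S+)\n((?: .*\n?)*)", config, re.M):
        if re.search(r"^ bridge-group \d+", body, re.M):
            bridged.append(name)
        elif re.search(r"^ ip address \d", body, re.M) and not name.upper().startswith("BVI"):
            routed.append(name)  # a BVI address is not counted as routed evidence
    return routed, bridged

def audit(show_firewall, config):
    """Compare the reported mode with the mode the saved config implies."""
    mode = reported_mode(show_firewall)
    configured = "transparent" if re.search(r"^firewall transparent\s*$", config, re.M) else "routed"
    routed, bridged = interface_evidence(config)
    return {"mode": mode, "config_agrees": mode == configured,
            "routed_ifs": routed, "bridged_ifs": bridged}
```

A `config_agrees` value of `False` means the saved configuration does not match what the device reported, which is worth checking before relying on either.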


