Benefits and difference of Routed and Transparent Mode Firewall

Answered Question
Jan 25th, 2010

Hi Guys,

I just want to ask what are the benefits and differences of ASA5505's routed and transparent mode? And also how I can know and configure these two modes in Firewall.

Thanks in advance and more power!

regards,

Gagamboy

Correct Answer by Ganesh Hariharan about 6 years 10 months ago

Hi Gagamboy,

There are two modes in firewall: Transparent and Routed. Transparent mode firewall, on the other hand, is a Layer 2 firewall that acts like a "bump in the wire," or a "stealth firewall," and is not seen as a router hop to connected devices.

On the other hand, in Routed mode the security appliance is considered to be a router hop in the network. It can perform NAT between connected networks, and can use OSPF or passive RIP (in single context mode). Routed mode supports many interfaces. Each interface is on a different subnet.

The default mode for the firewall is routed mode by nature!!

Check out the below links on Transparent and Routed mode of firewall.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

http://72.163.4.161/en/US/docs/security/asa/asa70/configuration/guide/fwmode.html

Ganesh.H

Correct Answer by Jon Marshall about 6 years 10 months ago

Gagamboy

As already said, transparent means that it is seen as a L2 device. This means its major advantage is that you can insert a transparent firewall into a network without making any IP address changes on other devices. An example -

you have a vlan with one IP subnet. This vlan is a server vlan but now there is a requirement to firewall some of the servers from the other servers. You can use an ASA in transparent mode to do this without having to change any of the server IP addresses, so in effect you split the vlan in two and connect it back together again with the ASA. Note you actually use 2 vlans with the same IP subnet because of STP but the principle is the same.

The main disadvantage is you are limited in the number of interfaces you can use. The restriction is 2 interfaces per firewall, although you can use bridge groups to extend that number, but you are still restricted to 8 interfaces per firewall or per context, at least it was 8 the last time I looked.

In routed mode you do not have this limitation and it is easy to set up multiple DMZs on the same firewall. Routed mode is what you generally see and certainly when the firewall connects the company to the internet. Going back to the previous server vlan though, if you wanted to firewall some servers from the other servers within the same IP subnet then unfortunately you can't and you would need to readdress some of the servers.

So both have their place. Routed mode is the default mode and is more flexible but there are times when transparent makes more sense.

Jon

Correct Answer by Kureli Sankar about 6 years 10 months ago

Layer two firewall is just a bump in the wire to firewall two vlans.

!--- In order to set the firewall mode to transparent mode
firewall transparent

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/start.html#wp1040279

Two modes and configuration example:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#q8

-KS
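A worked ASA 5505 configuration that ties together Jon's server-vlan split (two vlans, one IP subnet, ASA bridging between them) and Kureli's `firewall transparent` command. It is added here as an illustration and is not taken from the thread or from Cisco's documents; it assumes ASA 8.4+ syntax (bridge groups with a BVI), and the subnet 192.168.10.0/24, the server addresses, the VLAN numbers and the interface names are all constructed.

```cisco
! Check the current mode first; the ASA ships in routed mode:
!   ciscoasa# show firewall
!   Firewall mode: Router
!
! Changing the mode clears the running configuration, so keep a
! saved copy of the existing config before entering this command.
firewall transparent
!
! Two VLANs carrying the SAME IP subnet (192.168.10.0/24, constructed).
! VLAN 10 holds the servers being protected; VLAN 20 holds the rest of
! the servers and the existing L3 default gateway. Using two VLANs is
! what keeps STP from seeing a loop through the ASA.
interface Ethernet0/1
 switchport access vlan 10
!
interface Ethernet0/0
 switchport access vlan 20
!
interface Vlan10
 nameif inside
 security-level 100
 bridge-group 1
!
interface Vlan20
 nameif outside
 security-level 0
 bridge-group 1
!
! The BVI address is used only by the ASA itself (management, its own
! ARP); hosts keep their existing addresses and default gateway.
interface BVI1
 ip address 192.168.10.254 255.255.255.0
!
! Only the constructed app server 192.168.10.20 may reach the
! constructed DB server 192.168.10.10, and only on TCP/1433.
! Traffic from the low-security side needs an explicit permit.
access-list OUTSIDE_IN extended permit tcp host 192.168.10.20 host 192.168.10.10 eq 1433
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Return traffic is allowed by stateful inspection. ARP is bridged
! automatically; other non-IP protocols need an EtherType ACL.
```

After the change, `show firewall` should report `Firewall mode: Transparent`, and the protected servers are unchanged apart from now sitting in VLAN 10.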


Rafael Mendes Fri, 09/18/2015 - 11:33

Hello Guys,

I was reading the post to better understand Transparent Firewalls.

I have some questions:

The first one is: When I set up a transparent Firewall, is it mandatory that the Firewall be installed physically inline (like an IPS) in the network to force the traffic to pass through the appliance?

The second and last one is: If the response to the first question is NO, how will the traffic pass through the appliance if the default gw is not the Firewall?

Thank you!

Jon Marshall Fri, 09/18/2015 - 11:59

Rafael

As far as I am aware yes it needs to be inline because that is the only way to ensure that traffic goes through the device if that makes sense.

The default gateway is never the firewall when it is in transparent mode, it will always be a L3 interface on some other device.

It's a bit complicated to explain without a diagram but essentially you would use two vlans, one for either side of the firewall, but the same IP subnet across both vlans.

So the clients are all using the same IP subnet but for some of them to get to their default gateway and perhaps other clients using the same IP subnet they have to go through the firewall although they are completely unaware they are doing so.

You need to use two vlans to avoid an STP loop.

Like I say it's a bit complicated to explain without a diagram but I'm happy to explain in more detail if you want.

Jon


gagamboy15 Tue, 01/26/2010 - 08:12

Wow! Awesome, the answers below helped me a lot to better understand Firewall concepts.

I think I will start moving in to the next step.

Thanks a lot guys and more power to you!

regards,

Gagamboy
