Benefits and difference of Routed and Transparent Mode Firewall

gagamboy15
Level 1

Hi Guys,

I just want to ask what are the benefits and differences of ASA5505's routed and transparent mode? And also how I can know and configure these two modes in Firewall.

Thanks in advance and more power!

regards,

Gagamboy

7 Replies

Kureli Sankar
Cisco Employee

Layer two firewall is just a bump in the wire to firewall two vlans.

!--- In order to set the firewall mode to transparent mode

firewall transparent

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/start.html#wp1040279

two modes and configuration example:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#q8

-KS
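The original question also asks how to tell which mode a unit is in. Here is the check, the switch, and the way back, as an added example that is not part of KS's post. It assumes an ASA running 8.x, a TFTP server at 192.0.2.10 (an invented address) for the backup, and the default hostname; the one caveat worth knowing before typing the command is that changing mode in either direction clears the running configuration, because most commands of one mode are not valid in the other.

```cisco
! Added example (not from the thread): find the current mode, back the config
! up, switch to transparent, and revert. Prompts and output are typical ASA 8.x.
ciscoasa# show firewall
Firewall mode: Router
!
! Changing mode clears the running configuration, so save a copy first and do
! the change from the console (a session through a data interface may drop).
ciscoasa# copy running-config tftp://192.0.2.10/ciscoasa-routed.cfg
!
ciscoasa# configure terminal
ciscoasa(config)# firewall transparent
ciscoasa(config)# show firewall
Firewall mode: Transparent
!
! Going back is the negated form; the configuration is cleared again.
ciscoasa(config)# no firewall transparent
ciscoasa(config)# show firewall
Firewall mode: Router
```

`show firewall` is the one command that answers "which mode am I in"; the `firewall transparent` line is stored in the configuration, so it also shows up in `show running-config` once set, and its absence means routed mode.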

Hello Guys,

I was reading the post to better understand Transparent Firewalls.

I have some questions:

The first one is: When I set up a transparent Firewall, is it mandatory that the Firewall be installed physically inline (like an IPS) in the network to force the traffic to pass through the appliance?

The second and last one is: If the answer to the first question is NO, how will the traffic pass through the appliance if the default gw is not the Firewall?

Thank you!

Rafael

As far as I am aware yes it needs to be inline because that is the only way to ensure that traffic goes through the device if that makes sense.

The default gateway is never the firewall when it is in transparent mode, it will always be a L3 interface on some other device.

It's a bit complicated to explain without a diagram but essentially you would use two vlans, one for either side of the firewall, but the same IP subnet across both vlans.

So the clients are all using the same IP subnet but for some of them to get to their default gateway and perhaps other clients using the same IP subnet they have to go through the firewall although they are completely unaware they are doing so.

You need to use two vlans to avoid an STP loop.

Like I say it's a bit complicated to explain without a diagram but I'm happy to explain in more detail if you want.

Jon

Jon Marshall
Hall of Fame

gagamboy15 wrote:

Hi Guys,

I just want to ask what are the benefits and differences of ASA5505's routed and transparent mode? And also how I can know and configure these two modes in Firewall.

Thanks in advance and more power!

regards,

Gagamboy

Gagamboy

As already said, transparent means that it is seen as a L2 device. This means its major advantage is that you can insert a transparent firewall into a network without making any IP address changes on other devices. An example -

you have a vlan with one IP subnet. This vlan is a server vlan but now there is a requirement to firewall some of the servers from the other servers. You can use an ASA in transparent mode to do this without having to change any of the server IP addresses, so in effect you split the vlan in two and connect it back together again with the ASA. Note you actually use 2 vlans with the same IP subnet because of STP but the principle is the same.

The main disadvantage is you are limited in the number of interfaces you can use. The restriction is 2 interfaces per firewall although you can use bridge groups to extend that number but you are still restricted to 8 interfaces per firewall or per context, at least it was 8 the last time I looked.

In routed mode you do not have this limitation and it is easy to set up multiple DMZs on the same firewall. Routed mode is what you generally see and certainly when the firewall connects the company to the internet. Going back to the previous server vlan though, if you wanted to firewall some servers from the other servers within the same IP subnet then unfortunately you can't and you would need to readdress some of the servers.

So both have their place. Routed mode is the default mode and is more flexible but there are times when transparent makes more sense.

Jon
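Jon's server-vlan split, and his answer to Rafael about the two vlans sharing one subnet with the default gateway living on a switch SVI, look like this as configuration. This is an added example and not part of either of Jon's posts. It assumes an ASA 5505 running 8.4 or later (the `bridge-group`/`BVI` syntax; on 8.0 to 8.3 the management address is a single global `ip address` line and there are no `bridge-group` commands), a Cisco IOS layer-3 switch, the subnet 10.1.1.0/24 with its gateway SVI at 10.1.1.1, a protected database server 10.1.1.20 that should only accept TCP 1433 from the rest of the subnet, and invented port numbers and names throughout.

```cisco
! ---- Switch side (Cisco IOS), assumed for the example: the original server
! ---- VLAN 10 is split so the protected servers stay in VLAN 10 and everything
! ---- else, including the gateway SVI, moves to VLAN 20. Both VLANs carry the
! ---- same 10.1.1.0/24 subnet; the ASA is the only path between them, so no loop.
vlan 10
 name servers-protected
vlan 20
 name servers-outside
!
interface Vlan20
 description default gateway for the whole 10.1.1.0/24 subnet (no SVI on VLAN 10)
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet1/0/1
 description protected DB server 10.1.1.20
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/2
 description ordinary server 10.1.1.30
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/23
 description to ASA Ethernet0/1 (inside side of the bridge)
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet1/0/24
 description to ASA Ethernet0/0 (outside side of the bridge)
 switchport mode access
 switchport access vlan 20

! ---- ASA 5505 side (8.4+ syntax). Entering transparent mode clears the
! ---- running configuration, so type this from the console.
firewall transparent
hostname srv-fw
!
interface Ethernet0/0
 switchport access vlan 20
interface Ethernet0/1
 switchport access vlan 10
!
interface Vlan10
 nameif inside
 bridge-group 1
 security-level 100
!
interface Vlan20
 nameif outside
 bridge-group 1
 security-level 0
!
! Management address of the bridge group. It must sit inside the bridged subnet
! and is used only for traffic to and from the ASA itself; no host uses it as
! a gateway. Transit traffic is bridged by MAC address, not routed.
interface BVI1
 ip address 10.1.1.250 255.255.255.0
!
! The ASA's own management traffic (syslog, NTP, SSH from another subnet) still
! needs a route, even though the ASA never routes transit packets.
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
!
! Same security-level model as routed mode: inside (100) -> outside (0) is
! allowed by default, outside -> inside only as permitted here.
access-list OUTSIDE_IN extended permit tcp 10.1.1.0 255.255.255.0 host 10.1.1.20 eq 1433
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Verification: mode, bridge membership, and the MAC/ARP entries the ASA learns
! on each side once hosts start talking.
show firewall
show bridge-group 1
show mac-address-table
show arp
```

The server at 10.1.1.20 keeps its address and its gateway 10.1.1.1; to reach that gateway, or the server at 10.1.1.30, its frames must cross the ASA because VLAN 10 has no other exit, which is the "inline" property Rafael asked about. The ASA shows up nowhere in a traceroute from either side.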

Ganesh Hariharan
VIP Alumni

Hi Guys,

I just want to ask what are the benefits and differences of ASA5505's routed and transparent mode? And also how I can know and configure these two modes in Firewall.

Thanks in advance and more power!

regards,

Gagamboy

Hi Gagmboy,

There are two modes in the firewall, Transparent and Routed. A transparent mode firewall is a Layer 2 firewall that acts like a "bump in the wire," or a "stealth firewall," and is not seen as a router hop to connected devices.

In Routed mode, on the other hand, the security appliance is considered to be a router hop in the network. It can perform NAT between connected networks, and can use OSPF or passive RIP (in single context mode). Routed mode supports many interfaces. Each interface is on a different subnet.

The default mode for the firewall is routed mode!!

Check out the below links on Transparent and Routed mode of firewall.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008089f467.shtml

http://72.163.4.161/en/US/docs/security/asa/asa70/configuration/guide/fwmode.html

Ganesh.H
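For contrast with the transparent setup, here is the routed-mode shape Ganesh describes (each interface on its own subnet, the ASA as the hosts' gateway, NAT between networks), as an added example that is not part of Ganesh's post. It assumes an ASA 5505 running 8.3 or later (object NAT; on 8.2 and earlier the same thing is written with `static`/`global`/`nat` statements and the outside ACL references the translated address instead of the real one), the documentation ranges 203.0.113.0/29 for the ISP link and 192.168.1.0/24 and 172.16.1.0/24 inside and in the DMZ, and a DMZ web server 172.16.1.10 published on 203.0.113.3; all names and addresses are made up for the example.

```cisco
! Added example (not from the thread): ASA 5505, routed mode (the default, so
! no "firewall" line is needed), three interfaces on three subnets, 8.3+ NAT.
hostname edge-fw
!
interface Ethernet0/0
 switchport access vlan 2
interface Ethernet0/1
 switchport access vlan 1
interface Ethernet0/2
 switchport access vlan 3
!
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
!
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
interface Vlan3
 ! Base-license 5505: a third VLAN may not initiate traffic to one other VLAN,
 ! and the restriction must be entered before nameif. Omit on Security Plus.
 no forward interface Vlan1
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0
!
! The ASA is a routing hop: it needs a next hop, and every host points its
! default gateway at the ASA interface on its own subnet.
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! Inside hosts reach the internet hidden behind the outside interface address (PAT).
object network INSIDE_NET
 subnet 192.168.1.0 255.255.255.0
 nat (inside,outside) dynamic interface
!
! DMZ web server published on a public address. With 8.3+ NAT the access list
! below matches the real (untranslated) address of the server.
object network DMZ_WEB
 host 172.16.1.10
 nat (dmz,outside) static 203.0.113.3
!
access-list OUTSIDE_IN extended permit tcp any object DMZ_WEB eq 80
access-list OUTSIDE_IN extended permit tcp any object DMZ_WEB eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! A compromised DMZ host must not be able to open sessions into the inside
! network; make that explicit regardless of what the license already blocks.
access-list DMZ_OUT extended deny ip 172.16.1.0 255.255.255.0 192.168.1.0 255.255.255.0 log
access-list DMZ_OUT extended permit ip 172.16.1.0 255.255.255.0 any
access-group DMZ_OUT in interface dmz
!
! Verification
show firewall
show nat
show route
show xlate
```

The split into three subnets is exactly what Jon's transparent example avoids and what routed mode requires: the DMZ server had to be readdressed into 172.16.1.0/24 to get its own interface and NAT rule, but in exchange the ASA can own as many segments as its licence allows and can translate between them.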

Wow! Awesome, the answers below helped me a lot to better understand Firewall concepts.

I think I will start moving in to the next step.

Thanks a lot guys and more power to you!

regards,

Gagamboy

swim_or_die
Level 1

Transparent mode:

inspects L2 and higher headers; routed inspects L3 and higher

supports only two interfaces

Supports VPN only for device management; does not support remote access or site-to-site VPN

does not support QoS

Does not support IPv6

does not support address translation (NAT/PAT, etc)
