New Member

Transparent Firewall

Hi

Can anyone easily describe how the Cisco PIX works as a transparent firewall and what it is?

Thanks

biplob

3 REPLIES
Hall of Fame Super Blue

Re: Transparent Firewall

Hi

When a pix firewall is in transparent mode it is basically "seen" as a layer 2 device rather than a layer 3 device. An explanation should help.

routerA -> Pix -> routerB

If the pix is in "normal" routed mode then the 2 routers do not see each other as neighbours. The IP addressing for the above would look something like

routerA (192.168.1.1) -> (192.168.1.2) Pix (172.16.5.2) -> (172.16.5.1) routerB

So packets being sent from routerA to routerB would be forwarded to the pix inside interface ie 192.168.1.2. The pix would then do a route lookup for the destination IP address and then forward the packet out of its outside interface ie 172.16.5.2 to routerB.

That's routed mode. Now when the pix is in transparent mode you still get the same layout

routerA -> Pix -> routerB

but the addressing has changed

routerA (192.168.1.1) -> Pix -> (192.168.1.2)routerB.

Note that the 2 routers are on the same subnet. If the routers were running EIGRP or OSPF they would form a neighbourship with each other, providing you allow that traffic through with an access-list. And this is an important point, even though the firewall is in transparent mode you can still allow access based on the source and destination IP addresses. The only traffic allowed through the firewall in transparent mode without an access-list is arp traffic.

Hope this has answered your question

Jon

New Member

Re: Transparent Firewall

Hi

Great! Now it is as clear to me as water. It is clear how a transparent PIX works.

But my question is: in transparent mode, does the PIX only work as a layer 2 device and only work with ACLs?

So is this the only use I have for the PIX? Without a PIX I can serve the purpose by applying an ACL in the router.

So is a transparent mode PIX useful in a practical environment?

Thanks

Biplob

Hall of Fame Super Blue

Re: Transparent Firewall

Hi Biplob

It's a little unclear what you mean but I'll try and answer your question. Please let me know if I have misunderstood.

Even though the pix in transparent mode is seen as a layer 2 device it can still block traffic based on layer 3/4 information ie. IP addresses and port numbers. In a practical environment there are a number of uses

1) If you needed 2 routers to be able to establish a neighbourship with each other ( see previous post)

2) A transparent firewall can be harder to detect for a hacker than a routed firewall as it is just a "bump in the wire" rather than an IP endpoint. Again see previous post for IP addressing to understand this more.

3) It is easier to insert a transparent firewall into an existing production environment as it needs no readdressing on the clients or servers as it is working at layer 2.

4) It can also be used when you need to pass non-IP protocols.

HTH

Jon
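As an added illustration of both of Jon's replies (the routerA / PIX / routerB layout on one subnet, the access-list needed before OSPF or EIGRP neighbours can form, and point 4 about non-IP protocols), here is a constructed PIX 7.x transparent-mode configuration. It is not from the thread or from Cisco documentation; the hostname, interface names, ACL names, the management address 192.168.1.3 and the SSH rule are assumptions chosen to fit Jon's diagram.

```cisco
! Constructed example, PIX 7.x syntax, matching Jon's diagram:
!   routerA (192.168.1.1) -> Pix -> (192.168.1.2) routerB
! Assumed values: hostname, interface names, ACL names, management IP.
firewall transparent
hostname pix-bridge
!
interface Ethernet0
 nameif outside
 security-level 0
 no shutdown
interface Ethernet1
 nameif inside
 security-level 100
 no shutdown
!
! One management address for the whole box. It must sit in the bridged
! subnet, and neither router uses it as a next hop: the PIX is a "bump
! in the wire", not an IP endpoint on the path.
ip address 192.168.1.3 255.255.255.0
!
! Layer 3/4 filtering still applies in transparent mode. These rules let
! the routing-protocol hellos cross the bridge so the neighbourship forms;
! without them the routers sit on the same subnet but never see each other.
! Everything else from the outside is dropped and logged.
access-list OUTSIDE_IN extended permit ospf any any
access-list OUTSIDE_IN extended permit eigrp any any
! Assumed rule: allow management SSH from outside to routerA only.
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.1 eq 22
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! Same routing-protocol permits in the other direction, plus the local
! subnet's ordinary traffic.
access-list INSIDE_IN extended permit ospf any any
access-list INSIDE_IN extended permit eigrp any any
access-list INSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 any
access-list INSIDE_IN extended deny ip any any log
access-group INSIDE_IN in interface inside
!
! Non-IP frames (Jon's point 4) are matched by an EtherType ACL, not by
! the IP rules above. This one passes spanning-tree BPDUs so the bridged
! segment does not loop; it is applied on both interfaces so the frames
! are allowed in each direction.
access-list NONIP ethertype permit bpdu
access-group NONIP in interface outside
access-group NONIP in interface inside
```

Two things to check after applying something like this: `show arp` on each router should still list the other router's MAC, since ARP is bridged regardless of the ACLs, and the routing-protocol adjacency should come up only once the `ospf` / `eigrp` permits are in place, which is the quickest way to confirm the PIX is filtering on layer 3/4 even though it is invisible as a hop.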
