Transparent mode Management IP limits functionality?
I wanted to put a PIX515 with 7.21 code in transparent mode outside my home office router to supply my MARS box with some traffic to monitor.
My home office router, a linksys/vonage rt31p2 gets a single DHCP address from my broadband provider. I do not have an extra, legitimate IP address to use for management, and reading the published documentation, I thought I could get away with using a random IP address in the subnet, since it was just a management IP address, and a management IP address would only be accessed from the inside. While not good practice in any way, the chances of me actually needing to have an IP conversation with a random person in my /21 subnet is very slim.
Obviously, it did not work right, or I would not be posting... after reading some of the other posts here, I determined that the transparent firewall uses the Management IP address on both the inside and outside interfaces as a source IP for an ARP.
So when I put in an address that I really do not own, my broadband provider must be thinking I am hijacking someone else's IP address... (which I am) and I do not get ARP responses...
My issue is this: If the transparent mode firewall was meant to be dropped in to a segment without any network config, it does not succeed in two scenarios: in my situation, and where the segment is a /30 network, because there are no more addresses to use... Can someone state why it cannot (or more properly, 'should not') use two separate IP addresses, either discovered or programmed, to source ARPs and pings from? (the inside could use an outside address, and the outside could use an inside address) And while they are at it, let me make a true management IP that is the source for MANAGEMENT; the optional ability to use another available interface on the PIX for out-of-band management would be a nice thought also.
I will probably end up using it in routed mode, but I was shying away from that because I cannot clone the MAC address of my router and keep my IP when going back and forth during testing (which is needed for my DNS entries for my webserver). Suddenly, that is a very small issue!
Re: Transparent mode Management IP limits functionality?
You've raised a number of interesting points about transparent mode - and having run into similar issues I suspect that only the Cisco developers can answer these questions - we live in hope!
Even with an ASA, when using transparent mode and multiple contexts, the management interface still has to be configured with an IP in the local subnet, hence /30's are a no-no. (and subinterfaces proliferate again...)
I appreciate this isn't answering your question, but sometimes it helps to know others are having similar issues! There are probably perfectly valid reasons why it works the way it does, but I'd also like to know why the management IP has to be in-band.
We have configured the outside and inside interface with official IPv6 addresses, set a default route on the outside interface to our router, and we have also defined a rule, which also gets hits, to permit tcp from the inside interface to any6.
In Syslog I also se...