why ip address is required in transparent mode

sebastan_bach
Level 4

I have configured the PIX in transparent mode. The PIX is learning the MAC addresses of both the inside and the outside host, and both end hosts have learned each other's MAC address, but the PIX doesn't forward data from the inside host to the outside. As soon as I give a management IP address to the PIX, everything works fine. Does anyone know why the IP address is important even in transparent mode? What role does it play in the ARP flooding? Thank you to all in advance.

sebastan

4 Replies

mheusinger
Level 10

Hello,

to cite another post:

"Even though transparent mode acts as a bridge, Layer 3 traffic, such as IP traffic, cannot pass through the security appliance. The transparent firewall, however, can allow any traffic through using either an extended access list (for IP traffic) or an EtherType access list (for non-IP traffic). The only traffic allowed through the transparent firewall without an access list is ARP traffic. You need to apply the access-list on both the interfaces."

prasadrp - http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Firewalling&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.1dda1bc2

I would also suggest following the discussion there, as it might answer most of your questions quickly.

Hope this helps! Please rate all posts

Martin
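A transparent-mode PIX 7.x configuration that matches the set-up discussed in this thread (management IP in the hosts' subnet, extended access-list applied on the outside interface, EtherType access-list for non-IP traffic), added here as an illustration and not taken from the thread or from Cisco documentation; the interface names, the 192.168.1.0/24 subnet and the access-list names are assumptions:

```cisco
! Put the PIX into transparent (Layer 2) mode
firewall transparent
!
interface Ethernet0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet1
 nameif inside
 security-level 100
 no shutdown
!
! Management IP address for the transparent firewall, in the same
! subnet as the inside and outside hosts (constructed example values).
! Without it the PIX does not build an ARP table and IP traffic is
! not forwarded, as described in the thread.
ip address 192.168.1.254 255.255.255.0
!
! Traffic initiated from the higher-security (inside) interface is
! allowed by default; traffic initiated from outside needs an
! extended access-list on the outside interface.
access-list outside_in extended permit icmp any any echo
access-group outside_in in interface outside
!
! Non-IP traffic is only bridged when an EtherType access-list
! permits it; here IPX is allowed in both directions.
access-list nonip ethertype permit ipx
access-group nonip in interface outside
access-group nonip in interface inside
```

With this in place, `show arp` on the PIX should list both hosts once the inside host pings the outside host; if the ARP table stays empty, check that the management address really sits in the hosts' subnet.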

Hi there, thanks for your instant response. I gave an IP address to the PIX in the same subnet as the inside and the outside host. The moment I give the IP address to the PIX, the inside host can ping the outside without any access-list, as by default, even in transparent mode, the PIX still allows packet flow from the higher interface to the lower interface without any access-list, inspects the packet and allows the return traffic. To allow traffic initiated from the outside host to the inside host, an access-list has to be applied on the outside interface, and it works fine. My question is why the PIX needs an IP address to do this. Without the IP address the PIX learns the MAC addresses of both hosts but does not create the ARP table. When the IP address is assigned to the PIX and you ping from the inside host to the outside host, the PIX creates the ARP table. What is the role of this IP address in the scenario? How does it help in the packet flow, and why is it required, without which you cannot ping from the inside to the outside even with an access-list permitting everything on both interfaces? Waiting for your reply. Thank you.

sebastan

Well,

in the end this is a software design question only the developer can answer.

In case you want to say: "the software of the PIX could be written to behave the same with or without IP configured!" - yes I agree. From a networking perspective the "IP in the middle" is not needed. The PIX could behave like a switch - let everything pass - or like a firewall blocking everything with or without IP.

So in my opinion the only thing to do is to accept how the device is operating and make the best of it.

The questions you are asking are valid questions though. I can only answer them from an "OSI model" perspective, as I did above. Why the software developers have decided to implement it like this, only they can answer.

Hope this helps! Please rate all posts.

Regards, Martin

Hi Martin, thanks for your answer. Even I had come to the same conclusion that probably it's the way it's designed. Hi Martin, here's my Yahoo ID and MSN ID: sebastan_bach@yahoo and sebastan_bach@hotmail.com. What's yours? We can chat online also. Hope to see you online. Bye

sebastan