How to configure PIX/ASA in transparent firewall mode

Core issue

Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a "bump in the wire," or a "stealth firewall," and is not seen as a router hop to connected devices. The security appliance connects the same network on its inside and outside ports. Because the firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network; IP readdressing is unnecessary.

Maintenance is facilitated because there are no complicated routing patterns to troubleshoot and no NAT configuration.

Even though transparent mode acts as a bridge, Layer 3 traffic, such as IP traffic, cannot pass through the security appliance unless you explicitly permit it with an extended access list. The only traffic allowed through the transparent firewall without an access list is ARP traffic. ARP traffic can be controlled by ARP inspection.

In routed mode, some types of traffic cannot pass through the security appliance even if you allow it in an access list. The transparent firewall, however, can allow any traffic through using either an extended access list (for IP traffic) or an EtherType access list (for non-IP traffic).

Follow these guidelines when you plan your transparent firewall network:

  • A management IP address is required; for multiple context mode, an IP address is required for each context. Unlike routed mode, which requires an IP address for each interface, a transparent firewall has an IP address assigned to the entire device. The security appliance uses this IP address as the source address for packets originating on the security appliance, such as system messages or AAA communications. The management IP address must be on the same subnet as the connected network. You cannot set the subnet to a host subnet (255.255.255.255).

  • The transparent security appliance uses an inside interface and an outside interface only. If your platform includes a dedicated management interface, you can also configure the management interface or subinterface for management traffic only. In single mode, you can use only two data interfaces (plus the dedicated management interface, if available), even if your security appliance includes more than two interfaces.

  • Each directly connected network must be on the same subnet.

  • Do not specify the security appliance management IP address as the default gateway for connected devices; devices need to specify the router on the other side of the security appliance as the default gateway.

  • For multiple context mode, each context must use different interfaces; you cannot share an interface across contexts.

  • For multiple context mode, each context typically uses a different subnet. You can use overlapping subnets, but your network topology requires router and NAT configuration to make it possible from a routing standpoint.

  • You must use an extended access list to allow Layer 3 traffic, such as IP traffic, through the security appliance. You can also optionally use an EtherType access list in order to allow non-IP traffic through.

These features are not supported in transparent mode:

  • NAT

  • Dynamic routing protocols

  • IPv6

  • DHCP relay

  • Quality of Service

  • Multicast

  • VPN termination for through traffic

Refer to Firewall Mode Overview for more information.

Resolution

In order to set the firewall mode to transparent mode, use the firewall transparent command in global configuration mode. In order to restore routed mode, use the no form of this command.

This example changes the firewall mode to transparent:

hostname(config)#firewall transparent

Usage Guidelines

For multiple context mode, you can use only one firewall mode for all contexts. You must set the mode in the system configuration. This command also appears in each context configuration for informational purposes only; you cannot enter this command in a context.

When you change modes, the security appliance clears the configuration because many commands are not supported for both modes. If you already have a populated configuration, be sure to back up your configuration before changing the mode; you can use this backup for reference when creating your new configuration. If you download a text configuration to the security appliance that changes the mode with the firewall transparent command, be sure to put the command at the top of the configuration; the security appliance changes the mode as soon as it reads the command and then continues reading the configuration you downloaded. If the command is later in the configuration, the security appliance clears all the preceding lines in the configuration.
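The planning guidelines and the mode-change procedure above, as one added example configuration that is not from the original document: a single-context ASA on a pre-8.4 release, where one management IP is assigned to the whole device. Interface names, the 192.168.1.0/24 subnet, access-list names and the MAC address are constructed for illustration.

```cisco
! Mode change first: if it came later, the appliance would clear every preceding line.
firewall transparent
hostname tfw
! Exactly two data interfaces in single mode: one inside, one outside.
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
! One management IP for the device, on the same subnet as both connected segments.
! A host mask (255.255.255.255) is not allowed here.
ip address 192.168.1.5 255.255.255.0
! Route for traffic the appliance itself originates (syslog, AAA). Hosts keep using
! the router 192.168.1.1 as their default gateway, never 192.168.1.5.
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
! IP traffic is dropped until an extended access list explicitly permits it.
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.10 eq www
access-list OUTSIDE_IN extended permit icmp any any echo-reply
access-group OUTSIDE_IN in interface outside
access-list INSIDE_OUT extended permit ip 192.168.1.0 255.255.255.0 any
access-group INSIDE_OUT in interface inside
! Non-IP traffic (here spanning-tree BPDUs) needs an EtherType access list.
access-list NONIP ethertype permit bpdu
access-group NONIP in interface outside
access-group NONIP in interface inside
! ARP passes without an access list; a static entry for the gateway plus ARP
! inspection drops spoofed replies for it on the outside segment.
arp outside 192.168.1.1 0011.2233.4455
arp-inspection outside enable no-flood
arp-inspection inside enable flood
```

Back up the running configuration before entering firewall transparent, since the mode change clears it.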
