In this post in the series, we will examine the many important guidelines to consider with the Transparent Mode feature of the Cisco ASA. Let us get right to it:
- The first consideration is that on an ASA running 8.4 code you cannot set the firewall mode independently for each context. You must decide on a single mode, and that mode applies to every context on the security device.
- Transparent mode devices are easy to introduce because they do not represent a network hop on the wire; you introduce the device into an existing network. Imagine your inside and outside interfaces being addressed in the same TCP/IP subnet. In fact, this leads to our second guideline: any connected network must be in the same subnet.
- In transparent firewall mode, the management interface updates the MAC address table in the same manner as a data interface. You should not connect both a management and a data interface to the same switch unless you configure one of the switch ports as a routed port, because by default Cisco Catalyst switches share a MAC address for all VLAN switch ports. Should you not follow this guideline, traffic arriving on the management interface from the physically connected switch causes the ASA to update its MAC address table to reach the switch through the management interface instead of the data interface. This causes a temporary traffic interruption, and for security reasons the ASA will not re-update the MAC address table for packets from the switch to the data interface for at least 30 seconds.
- Do not specify the bridge group management IP address as the default gateway for the hosts behind your transparent mode ASA; these hosts need to specify the router on the other side of the ASA as the default gateway.
- The default route you configure on the transparent firewall, which is required to provide a return path for management traffic, is only applied to management traffic from one bridge group network. This is because this default route specifies an interface in the bridge group as well as the router IP address on the bridge group network. You can only define one default route. If you have management traffic from more than one bridge group network, you need to specify a static route that identifies the network from which you expect management traffic.
- If you download a text configuration to the ASA that changes the mode with the firewall transparent command, be sure to put the command at the top of the configuration. The ASA changes the mode as soon as it reads the command and then continues reading the rest of the configuration you downloaded. If the command appears later in your configuration, the ASA might erase lines of configuration that it has already read because of the transparent setting.
- As you might guess, some features of the Cisco ASA are not supported in Transparent Mode. These include: Dynamic DNS, DHCP Relay, Dynamic Routing Protocols, Multicast IP Routing, QoS, and VPN termination for through traffic.
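To tie the bridge-group, default-route and configuration-ordering guidelines above together, here is an added example of an ASA 8.4 transparent-mode configuration fragment with two bridge groups. It is not taken from the original post; the interface names, IP addresses, masks and the 10.20.0.0/16 management network are constructed for illustration.

```cisco
! Added example (not from the original post): ASA 8.4 transparent mode with two bridge groups.
! All interface names and addresses below are constructed placeholders.
!
! The mode command sits at the very top so the ASA switches mode before it parses
! the rest of a downloaded configuration file.
firewall transparent
!
! Bridge group 1: inside and outside share the 192.0.2.0/24 subnet. The BVI address
! is used to manage the ASA; hosts keep the router (192.0.2.1) as their default gateway.
interface BVI1
 ip address 192.0.2.10 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 bridge-group 1
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
 security-level 100
!
! Bridge group 2: a second pair of interfaces on 198.51.100.0/24.
interface BVI2
 ip address 198.51.100.10 255.255.255.0
!
interface GigabitEthernet0/2
 nameif outside2
 bridge-group 2
 security-level 0
!
interface GigabitEthernet0/3
 nameif inside2
 bridge-group 2
 security-level 100
!
! The single default route provides the return path for management traffic on
! bridge group 1 only, via router 192.0.2.1 reachable on "outside".
route outside 0.0.0.0 0.0.0.0 192.0.2.1
!
! Management traffic sourced from a network behind bridge group 2 (constructed here as
! 10.20.0.0/16, reached through router 198.51.100.1 on "outside2") needs its own static
! route, because only one default route can exist and it belongs to bridge group 1.
route outside2 10.20.0.0 255.255.0.0 198.51.100.1
```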
In the next post in this series, we will examine the configuration of the Transparent Mode firewall in more detail.
Anthony Sequeira CCIE, CCSI
Twitter: @compsolv
Facebook: http://www.facebook.com/compsolv