After reading the overview and the guidelines for the Transparent Mode of operation here at the IPexpert Blog, you should be ready to deploy an ASA in Transparent mode if your design requirements warrant it. Keep in mind that when you make this very drastic configuration change on the device, the ASA will clear its running configuration. Why does it do this, you might ask? Very valid question. The ASA clears the running configuration because so many of the commands that could potentially be there are not supported in Transparent mode. We discussed this fact in the Guidelines document. For example, your Transparent mode device does not support dynamic routing protocols, including Multicast routing.
The startup configuration is retained. Be careful about this. For example, if you make the cut over to Transparent mode and then fail to save the configuration, upon a reboot your device will load the startup config and revert to the Routed mode of operation. This could prove to be an unwelcome surprise and a great number of support calls.
What we recommend is that you copy out your running and startup configurations and keep them for reference. You can paste in the snippets once you cut over. These snippets will be the features that you still require and that are supported in Transparent mode.
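As an added example (not part of the original post), the script below triages a running config that has been copied off the box before the cut over: it splits the text into top-level command blocks, sets aside the blocks that the post names as unsupported in Transparent mode (dynamic routing protocols and multicast routing), and produces the remaining text as the snippet to paste back afterwards. The sample config and the command prefixes used to recognise routing and multicast blocks are this example's own assumptions, not something the post supplies; the blocks it keeps still need to be checked against the guidelines list for your platform.

```python
"""Triage a saved ASA running config before cutting over to transparent mode.

Added example, not part of the original post. It assumes the config was
copied off the device (e.g. from a terminal log of `show running-config`)
and flags only the feature classes the post names as unsupported:
dynamic routing protocols and multicast routing.
"""

# Top-level command prefixes this example treats as "not supported in
# transparent mode". Assumption derived from the post's statement about
# dynamic routing and multicast; extend for your platform's guidelines.
UNSUPPORTED_PREFIXES = (
    "router ",            # router ospf / router eigrp / router rip
    "multicast-routing",  # global multicast routing
)

# Constructed sample of a Routed-mode running config (not from a real device).
SAMPLE_RUNNING_CONFIG = """\
: Saved
hostname asa-lab
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
router ospf 1
 network 192.168.1.0 255.255.255.0 area 0
 log-adj-changes
multicast-routing
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.10 eq 443
access-group OUTSIDE_IN in interface outside
logging enable
logging host inside 192.168.1.50
"""


def split_blocks(config_text):
    """Group a config into (top_level_line, [sub_lines]) blocks.

    ASA prints sub-commands indented by one space under their parent
    command; comment lines (starting with ':' or '!') are skipped.
    """
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith((":", "!")):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def is_unsupported(top_level_line):
    """True if the block's parent command matches a flagged prefix."""
    return top_level_line.startswith(UNSUPPORTED_PREFIXES)


def triage(config_text):
    """Return (unsupported_blocks, keep_blocks) as lists of block text."""
    unsupported, keep = [], []
    for head, subs in split_blocks(config_text):
        block = "\n".join([head] + [" " + s for s in subs])
        (unsupported if is_unsupported(head) else keep).append(block)
    return unsupported, keep


def paste_snippet(config_text):
    """Text to paste back after `firewall transparent`, flagged blocks dropped."""
    _, keep = triage(config_text)
    return "\n".join(keep) + "\n"


if __name__ == "__main__":
    drop, keep = triage(SAMPLE_RUNNING_CONFIG)
    print("Blocks to drop (unsupported in transparent mode):")
    for block in drop:
        print(block)
    print("\nSnippet to paste back after the cut over:")
    print(paste_snippet(SAMPLE_RUNNING_CONFIG))
```

Run it against your own copied-out config by replacing the sample text; the dropped blocks are printed first so you can see exactly which features will not come back after the cut over.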
Be sure you are connected to the device using the console port. Why? Well, if you attempt this cut over using any other method (including the popular SSH), you are going to get disconnected when the change occurs and you will need console port access anyway.
It is amazing with the CLI how powerful some of the simpler commands can be. In fact, with this command and with the dramatic changes that are about to take place, you are not even warned about anything after executing the command. Here is how you move to Transparent mode:
hostname(config)# firewall transparent
Should you change your mind at a later point and want to cut back over to Routed mode, it is simply a matter of negating the command:
hostname(config)# no firewall transparent
Remember, you must do this in the main system execution space. You are not able to have different security contexts on the device operating in different modes. It would be fun, but do not try it. At this point, it is not supported.
Thanks for reading, and I hope you join us for future posts where we look at these modes and their operation in more detail.
Anthony Sequeira CCIE, CCSI
Twitter: @compsolv
Facebook: http://www.facebook.com/compsolv
Tags: ASA, CCIE Security 3.0, Cisco, firewall, lab, Security, training