Firewall Modes Part 4 – Transparent Operational Considerations

By Anthony Sequeira on June 5th, 2011

Here are facts you should be aware of once you have your Cisco ASA properly configured in Transparent mode:

  • As you would expect, IPv4 and IPv6 traffic is permitted through the ASA from a higher security interface to a lower security interface without a corresponding access list entry. For traffic flowing from the outside in, an extended access control list entry must exist.
  • ARP traffic is permitted to flow in both directions on the device by default. You can control ARP from a security perspective using ARP inspection. The next post in this series will examine ARP inspection in great detail.
  • There are particular destination MAC addresses that are allowed through the Transparent firewall by default. The addresses are:
    • The broadcast destination MAC address of FFFF.FFFF.FFFF
    • IPv4 and IPv6 multicast destination MAC addresses
    • The BPDU multicast destination MAC address
    • The AppleTalk multicast destination MAC address
  • In some environments, engineers want the Transparent mode to block BPDUs. This is accomplished by denying this traffic in an extended access control list.
  • The Transparent firewall can allow more types of traffic through than the device can in Routed mode. Extended access control lists are used for IP traffic, while EtherType access lists can be used for non-IP traffic.
  • The Transparent mode ASA cannot pass CDP (Cisco Discovery Protocol) packets.
  • Remember that in Transparent mode, your firewall is now using MAC lookups instead of route lookups in order to forward traffic. There are cases, however, where you need to add static routes to the Transparent device in order to perform route lookups for traffic. The classic case is where you need to route traffic originating from your ASA. For example, perhaps you are sending log information to a Syslog server. Another case is VoIP traffic that you are inspecting and the destination is one or more hops away from the ASA. Finally, another case where a static route is needed is for either VoIP or DNS traffic that is being inspected and NATed. Unless the host is directly connected in this case, you need to add a static route for the real host address embedded in the NATed packet.
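The considerations above, brought together in an added configuration example (this is not the post's own configuration); the interface names, ACL names and addresses are assumptions:

```cisco
! Added example, not from the original post. Assumes the ASA is already in
! transparent mode with interfaces "inside" (security 100) and "outside"
! (security 0); all names and addresses here are made up for illustration.
!
! 1. Inside-to-outside IP traffic passes without an ACL entry; outside-to-inside
!    IP traffic needs an explicit extended ACL entry, so permit only what is
!    required and log what is dropped.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.20 eq 443
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside
!
! 2. Non-IP traffic is governed by EtherType ACLs. Permit the non-IP protocols
!    the segment actually needs; the explicit deny at the end drops everything
!    else, including BPDUs unless they are permitted as shown.
access-list NONIP ethertype permit bpdu
access-list NONIP ethertype permit ipx
access-list NONIP ethertype deny any
access-group NONIP in interface inside
access-group NONIP in interface outside
!
! 3. Traffic the ASA itself originates (here syslog) is forwarded by route
!    lookup, not MAC lookup, so a static route is required when the collector
!    is not on a directly connected subnet.
logging enable
logging host inside 198.51.100.10
route inside 198.51.100.0 255.255.255.0 192.0.2.1
```

Verify the result with `show access-list` (hit counts on the deny entries show what is being dropped) and `show route` (the syslog collector's network must appear as a static entry).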

Anthony Sequeira CCIE, CCSI
Twitter: @compsolv
Facebook: http://www.facebook.com/compsolv
