5-2
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 5 Configuring the Transparent or Routed Firewall
Configuring the Firewall Mode
Information About Routed Firewall Mode
In routed mode, the adaptive security appliance is considered to be a router hop in the network. Routed
mode supports many interfaces, and each interface requires an IP address on a different subnet; the
adaptive security appliance acts as a router between the connected networks. In multiple context mode,
you can share interfaces between contexts.
In single context mode, the routed firewall supports OSPF, EIGRP, and RIP. Multiple context mode
supports static routes only. We recommend using the advanced routing capabilities of the upstream and
downstream routers instead of relying on the adaptive security appliance for extensive routing needs.
Information About Transparent Firewall Mode
Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its
screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a “bump
in the wire,” or a “stealth firewall,” and is not seen as a router hop to connected devices.
This section describes transparent firewall mode and includes the following topics:
Transparent Firewall Network, page 5-2
Allowing Layer 3 Traffic, page 5-2
Allowed MAC Addresses, page 5-2
Passing Traffic Not Allowed in Routed Mode, page 5-3
BPDU Handling, page 5-3
MAC Address vs. Route Lookups, page 5-3
Using the Transparent Firewall in Your Network, page 5-4
Transparent Firewall Network
The adaptive security appliance connects the same network on its inside and outside interfaces. Because
the firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network.
Allowing Layer 3 Traffic
IPv4 and IPv6 traffic is allowed through the transparent firewall automatically from a higher security
interface to a lower security interface, without an access list. ARPs are allowed through the transparent
firewall in both directions without an access list; ARP traffic can be controlled by ARP inspection. For
Layer 3 traffic traveling from a low to a high security interface, an extended access list is required on
the low security interface. See Chapter 30, “Configuring Access Rules,” for more information.
Allowed MAC Addresses
The following broadcast and multicast destination MAC addresses are allowed through the transparent
firewall; any other broadcast or multicast destination MAC address is dropped. Unicast frames are
forwarded according to the MAC address table (see “MAC Address vs. Route Lookups,” page 5-3).
TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF
IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF
BPDU multicast address equal to 0100.0CCC.CCCD
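The destination MAC allow list above and the security-level rule for Layer 3 traffic in “Allowing Layer 3 Traffic” compose into a single forwarding decision. The following Python model is an added example written for this page, not ASA code: it parses a raw Ethernet frame, applies the non-unicast destination-MAC check with the bounds exactly as printed above, then applies the direction rule (high-to-low passes without an access list, ARP passes both ways, low-to-high needs a permit on the low-security interface). The interface names, security levels, MAC addresses, IP addresses, the simplified (protocol, destination) ACL entries and the sample frames are all constructed for the demonstration; equal security levels are treated like low-to-high, since this page does not cover same-security traffic.

```python
"""Model of the transparent-firewall forwarding rules described on this page.

Illustrative Python, not ASA code. It parses a raw Ethernet frame, applies the
non-unicast destination-MAC allow list, then the security-level rule for
Layer 3 traffic: high-to-low passes without an access list, low-to-high needs
an extended ACL permit on the low-security interface, ARP passes both ways.
"""
import ipaddress
import struct
from dataclasses import dataclass

ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_IPV6 = 0x0800, 0x0806, 0x86DD


def mac_int(s):
    """'0100.5E00.0000' or '01:00:5e:00:00:00' -> 48-bit integer."""
    return int(s.replace(".", "").replace(":", ""), 16)


def mac_bytes(s):
    return bytes.fromhex(s.replace(".", "").replace(":", ""))


# Allowed non-unicast destinations, bounds exactly as listed on the page.
BROADCAST = mac_int("FFFF.FFFF.FFFF")
IPV4_MCAST = (mac_int("0100.5E00.0000"), mac_int("0100.5EFE.FFFF"))
IPV6_MCAST = (mac_int("3333.0000.0000"), mac_int("3333.FFFF.FFFF"))
BPDU = mac_int("0100.0CCC.CCCD")


def dst_mac_allowed(dst):
    """Layer 2 check. Unicast (I/G bit of the first octet clear) is switched by
    the MAC table; broadcast/multicast must be on the allow list or is dropped."""
    if not (dst >> 40) & 1:
        return True
    return (dst == BROADCAST or dst == BPDU
            or IPV4_MCAST[0] <= dst <= IPV4_MCAST[1]
            or IPV6_MCAST[0] <= dst <= IPV6_MCAST[1])


@dataclass
class Interface:
    name: str
    security_level: int
    acl: tuple = ()   # simplified extended ACL: (ip protocol | "any", dst ip | "any") permits


def parse_frame(frame):
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    return int.from_bytes(dst, "big"), int.from_bytes(src, "big"), ethertype, frame[14:]


def l3_key(ethertype, payload):
    """(protocol number, destination address) from an IPv4 or IPv6 header."""
    if ethertype == ETHERTYPE_IPV4:
        return payload[9], str(ipaddress.IPv4Address(payload[16:20]))
    return payload[6], str(ipaddress.IPv6Address(payload[24:40]))


def acl_permits(acl, proto, dst_ip):
    return any(p in ("any", proto) and d in ("any", dst_ip) for p, d in acl)


def forward_decision(frame, ingress, egress):
    """Return (action, reason); action is 'forward', 'drop' or 'not-modeled'."""
    dst, _src, ethertype, payload = parse_frame(frame)
    if not dst_mac_allowed(dst):
        return "drop", "destination MAC is non-unicast and not on the allow list"
    if ethertype == ETHERTYPE_ARP:
        return "forward", "ARP is allowed in both directions (ARP inspection may still filter it)"
    if ethertype not in (ETHERTYPE_IPV4, ETHERTYPE_IPV6):
        return "not-modeled", "non-IP EtherType, not covered by the rules on this page"
    if ingress.security_level > egress.security_level:
        return "forward", "high-to-low security traffic needs no access list"
    proto, dst_ip = l3_key(ethertype, payload)   # equal levels treated like low-to-high here
    if acl_permits(ingress.acl, proto, dst_ip):
        return "forward", f"permitted by the extended ACL on {ingress.name}"
    return "drop", f"low-to-high security traffic requires an extended ACL permit on {ingress.name}"


SRC_MAC = "0011.2233.4455"   # constructed sender MAC


def ipv4_frame(dst_mac, proto, dst_ip, src_ip="10.1.1.50"):
    """Minimal constructed Ethernet + IPv4 header (no payload) for the demo."""
    hdr = bytearray(20)
    hdr[0], hdr[8], hdr[9] = 0x45, 64, proto
    hdr[12:16] = ipaddress.IPv4Address(src_ip).packed
    hdr[16:20] = ipaddress.IPv4Address(dst_ip).packed
    return mac_bytes(dst_mac) + mac_bytes(SRC_MAC) + struct.pack("!H", ETHERTYPE_IPV4) + bytes(hdr)


def arp_frame():
    return mac_bytes("FFFF.FFFF.FFFF") + mac_bytes(SRC_MAC) + struct.pack("!H", ETHERTYPE_ARP) + bytes(28)


# Constructed interfaces: the only permit on the low-security side is TCP to one web server.
inside = Interface("inside", 100)
outside = Interface("outside", 0, acl=((6, "10.1.1.5"),))


def demo():
    cases = {
        "inside -> outside, TCP (no ACL needed)": (ipv4_frame("0001.0203.0405", 6, "198.51.100.7"), inside, outside),
        "outside -> inside, TCP to 10.1.1.5 (permitted)": (ipv4_frame("0011.2233.4466", 6, "10.1.1.5"), outside, inside),
        "outside -> inside, TCP to 10.1.1.9 (no permit)": (ipv4_frame("0011.2233.4466", 6, "10.1.1.9"), outside, inside),
        "outside -> inside, ARP request": (arp_frame(), outside, inside),
        "multicast dst 0100.0CCC.CCCC (not on list)": (ipv4_frame("0100.0CCC.CCCC", 6, "10.1.1.5"), outside, inside),
    }
    return {name: forward_decision(*args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, (action, reason) in demo().items():
        print(f"{action:12} {name}: {reason}")
```

The last case shows why the Layer 2 check comes first: a multicast destination that is not on the list is dropped even though the ACL on the low-security interface would have permitted the Layer 3 flow. On the appliance itself, the permit modeled here is an `access-list ... extended` entry bound to the low-security interface with `access-group`.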