5-3
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 5      Configuring the Transparent or Routed Firewall
  Configuring the Firewall Mode
• AppleTalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF
Passing Traffic Not Allowed in Routed Mode
In routed mode, some types of traffic cannot pass through the adaptive security appliance even if you 
allow it in an access list. The transparent firewall, however, can allow almost any traffic through using 
either an extended access list (for IP traffic) or an EtherType access list (for non-IP traffic).
Note The transparent mode adaptive security appliance does not pass CDP packets, or any packets that 
do not have a valid EtherType greater than or equal to 0x600. For example, you cannot pass IS-IS 
packets. An exception is made for BPDUs, which are supported.
For example, you can establish routing protocol adjacencies through a transparent firewall; you can 
allow OSPF, RIP, EIGRP, or BGP traffic through based on an extended access list. Likewise, protocols 
like HSRP or VRRP can pass through the adaptive security appliance.
Non-IP traffic (for example, AppleTalk, IPX, BPDUs, and MPLS) can be configured to go through using 
an EtherType access list.
For features that are not directly supported on the transparent firewall, you can allow traffic to pass 
through so that upstream and downstream routers can support the functionality. For example, by using 
an extended access list, you can allow DHCP traffic (instead of the unsupported DHCP relay feature) or 
multicast traffic such as that created by IP/TV.
BPDU Handling
To prevent loops using the spanning tree protocol, BPDUs are passed by default. To block BPDUs, you 
need to configure an EtherType access list to deny them.
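The permits described above, written out as an added example for a transparent-mode appliance (this is not configuration from the guide): an extended access list for the IP protocols that routed mode would drop, and an EtherType access list for the non-IP traffic. The interface names inside and outside are constructed. BPDUs are permitted explicitly so that spanning tree keeps working even though the EtherType list ends in an implicit deny; the commented deny line is the alternative from the BPDU Handling section.

```cisco
! Added example, not from the original guide. Interface names (inside/outside)
! are constructed; adjust to the deployment.
!
! --- IP traffic that routed mode cannot pass: routing protocols and FHRPs ---
! OSPF (protocol 89) and EIGRP (protocol 88) adjacencies across the firewall
access-list TRANSIT extended permit ospf any any
access-list TRANSIT extended permit eigrp any any
! RIP (UDP/520) and BGP (TCP/179)
access-list TRANSIT extended permit udp any any eq rip
access-list TRANSIT extended permit tcp any any eq bgp
! HSRP v1 hellos (UDP/1985 to 224.0.0.2) and VRRP (protocol 112 to 224.0.0.18)
access-list TRANSIT extended permit udp any host 224.0.0.2 eq 1985
access-list TRANSIT extended permit 112 any host 224.0.0.18
! DHCP between clients and an upstream server/relay; the transparent firewall
! cannot act as DHCP relay itself, so it only forwards the packets
access-list TRANSIT extended permit udp any any eq bootps
access-list TRANSIT extended permit udp any any eq bootpc
! Apply inbound on both interfaces so traffic sourced on either side matches
access-group TRANSIT in interface inside
access-group TRANSIT in interface outside
!
! --- Non-IP traffic: EtherType access list ---
! Explicit BPDU permit keeps spanning tree loop prevention working across the
! firewall regardless of the implicit deny at the end of this list
access-list NONIP ethertype permit bpdu
access-list NONIP ethertype permit mpls-unicast
access-list NONIP ethertype permit mpls-multicast
access-list NONIP ethertype permit ipx
! AppleTalk (EtherType 0x809B) and AARP (0x80F3) given as 16-bit hex values
access-list NONIP ethertype permit 809b
access-list NONIP ethertype permit 80f3
! EtherType ACLs are connectionless: apply on both interfaces for two-way traffic
access-group NONIP in interface inside
access-group NONIP in interface outside
!
! BPDU Handling alternative: block BPDUs instead of passing them
! access-list NONIP ethertype deny bpdu
```

Everything not listed in NONIP (other than IP and ARP, which EtherType lists do not govern) is dropped once the list is applied, so inventory the non-IP protocols on the segment before enabling it.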
MAC Address vs. Route Lookups
When the adaptive security appliance runs in transparent mode, the outgoing interface of a packet is 
determined by performing a MAC address lookup instead of a route lookup.
Route lookups, however, are necessary for the following traffic types:
• Traffic originating on the adaptive security appliance—For example, if your syslog server is located 
on a remote network, you must use a static route so the adaptive security appliance can reach that 
subnet.
• Voice over IP (VoIP) traffic with inspection enabled, and the endpoint is at least one hop away from 
the adaptive security appliance—For example, if you use the transparent firewall between a CCM 
and an H.323 gateway, and there is a router between the transparent firewall and the H.323 gateway, 
then you need to add a static route on the adaptive security appliance for the H.323 gateway for 
successful call completion.
• VoIP or DNS traffic with NAT and inspection enabled—To successfully translate the IP address 
inside VoIP and DNS packets, the adaptive security appliance needs to perform a route lookup. 
Unless the host is on a directly connected network, you need to add a static route on the 
adaptive security appliance for the real host address that is embedded in the packet.
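The three cases above as an added configuration example (not from the guide): a transparent-mode appliance bridging 10.1.1.0/24 with management address 10.1.1.5, a syslog server on a remote subnet behind the inside router 10.1.1.1, and an H.323 gateway and a NAT-translated host one hop beyond the outside router 10.1.1.2. All addresses and interface names are constructed.

```cisco
! Added example, not from the original guide. All addresses and interface
! names are constructed for illustration.
!
! Transparent firewall; both interfaces bridge 10.1.1.0/24 and the appliance
! uses 10.1.1.5 as its own management address (8.2 global syntax)
firewall transparent
ip address 10.1.1.5 255.255.255.0
!
! 1) Traffic originating on the appliance: the syslog server 192.168.50.10 is on
!    a remote subnet behind inside router 10.1.1.1. Bridged transit traffic is
!    forwarded by MAC lookup, but the appliance's own syslog packets need a route.
route inside 192.168.50.0 255.255.255.0 10.1.1.1
logging enable
logging host inside 192.168.50.10
logging trap informational
!
! 2) VoIP with inspection: H.323 gateway 192.168.60.5 is one hop beyond the
!    outside router 10.1.1.2. With inspect h323 active in the global policy,
!    a host route for the gateway is required for call completion.
route outside 192.168.60.5 255.255.255.255 10.1.1.2
!
! 3) DNS/VoIP with NAT and inspection: the real address embedded in the payload
!    (192.168.60.20, also behind 10.1.1.2) needs a route so it can be rewritten
route outside 192.168.60.20 255.255.255.255 10.1.1.2
!
! Verify that the static routes and their next hops are installed
show route
```

In transparent mode the next hop of each static route must lie in the bridged subnet that contains the management address (here 10.1.1.0/24); a route pointing at a gateway outside that subnet cannot be resolved.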