1-8
Cisco ASA Series CLI Configuration Guide
 
Chapter 1      Configuring the Transparent or Routed Firewall
Guidelines and Limitations
Context Mode Guidelines
Set the firewall mode per context.
Transparent Firewall Guidelines
• In transparent firewall mode, the management interface updates the MAC address table in the same 
manner as a data interface; therefore you should not connect both a management and a data interface 
to the same switch unless you configure one of the switch ports as a routed port (by default Cisco 
Catalyst switches share a MAC address for all VLAN switch ports). Otherwise, if traffic arrives on 
the management interface from the physically connected switch, then the ASA updates the 
MAC address table to use the management interface to access the switch, instead of the data 
interface. This action causes a temporary traffic interruption; the ASA will not re-update the MAC 
address table for packets from the switch to the data interface for at least 30 seconds for security 
reasons.
• Each directly connected network must be on the same subnet.
• Do not specify the bridge group management IP address as the default gateway for connected 
devices; devices need to specify the router on the other side of the ASA as the default gateway.
• The default route for the transparent firewall, which is required to provide a return path for 
management traffic, is only applied to management traffic from one bridge group network. This is 
because the default route specifies an interface in the bridge group as well as the router IP address 
on the bridge group network, and you can only define one default route. If you have management 
traffic from more than one bridge group network, you need to specify a static route that identifies 
the network from which you expect management traffic.
IPv6 Guidelines
Supports IPv6.
Additional Guidelines and Limitations
• When you change firewall modes, the ASA clears the running configuration because many 
commands are not supported for both modes. The startup configuration remains unchanged. If you 
reload without saving, then the startup configuration is loaded, and the mode reverts to the 
original setting. See the “Setting the Firewall Mode” section on page 1-9 for information about 
backing up your configuration file.
• If you download a text configuration to the ASA that changes the mode with the 
firewall transparent command, be sure to put the command at the top of the configuration; the ASA 
changes the mode as soon as it reads the command and then continues reading the configuration you 
downloaded. If the command appears later in the configuration, the ASA clears all the preceding 
lines in the configuration.
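
A pre-load check for the ordering rule in the last bullet above, as an added example (not Cisco's code): it reports which lines of a text configuration precede firewall transparent and would therefore be cleared when the ASA reads the command. Treating blank lines, lines starting with "!" or ":", and an "ASA Version" banner as non-commands is an assumption, and both sample configurations are constructed.

```python
"""Pre-load check for an ASA text configuration that switches firewall mode."""

MODE_COMMAND = "firewall transparent"


def is_command(line: str) -> bool:
    # Assumption: blank lines, "!" / ":" lines and a leading "ASA Version ..."
    # banner carry no configuration, so losing them does not matter.
    text = line.strip()
    if not text or text[0] in "!:":
        return False
    return not text.lower().startswith("asa version ")


def lines_cleared_by_mode_change(config_text: str) -> list[tuple[int, str]]:
    """Return (line number, text) for each command placed before the first
    'firewall transparent' line; the ASA clears these when it reads the command."""
    lines = config_text.splitlines()
    for index, line in enumerate(lines):
        # Exact match after whitespace normalisation, so "no firewall
        # transparent" is not mistaken for the mode-change command.
        if " ".join(line.split()).lower() == MODE_COMMAND:
            return [(n + 1, lines[n].rstrip())
                    for n in range(index) if is_command(lines[n])]
    return []  # no mode change in this file, nothing is cleared


# Constructed sample: mode command placed after other configuration.
SAMPLE_BAD = """\
: constructed sample, not from a real device
hostname edge-fw
interface GigabitEthernet0/0
 nameif outside
 bridge-group 1
firewall transparent
interface BVI1
 ip address 10.1.1.2 255.255.255.0
"""

# Constructed sample: mode command is the first command in the file.
SAMPLE_GOOD = """\
: constructed sample, not from a real device
ASA Version X.Y
!
firewall transparent
hostname edge-fw
"""

if __name__ == "__main__":
    for number, text in lines_cleared_by_mode_change(SAMPLE_BAD):
        print(f"line {number} would be cleared: {text}")
```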