Mac Address Vs. Route Lookups; Using The Transparent Firewall In Your Network - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI

Chapter 5
Configuring the Firewall Mode

MAC Address vs. Route Lookups

When the FWSM runs in transparent mode without NAT, the outgoing interface of a packet is determined
by performing a MAC address lookup instead of a route lookup. Route statements can still be configured,
but they only apply to FWSM-originated traffic. For example, if your syslog server is located on a remote
network, you must use a static route so the FWSM can reach that subnet.

An exception to this rule is when you use voice inspections and the endpoint is at least one hop away
from the FWSM. For example, if you use the transparent firewall between a CCM and an H.323 gateway,
and there is a router between the transparent firewall and the H.323 gateway, then you need to add a static
route on the FWSM for the H.323 gateway for successful call completion.

If you use NAT, then the FWSM uses a route lookup instead of a MAC address lookup. In some cases,
you will need static routes. For example, if the real destination address is not directly connected to the
FWSM, then you need to add a static route on the FWSM for the real destination address that points to
the downstream router.
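
The rules above can be checked against a planned configuration before deployment. The following is an added example, not part of the Cisco guide: a small audit that flags destinations the FWSM needs a static route for but cannot reach. The traffic-class names, the /24 prefix lengths, the role of 192.168.1.2 as a syslog server and the role of 10.1.1.3 as the downstream router are assumptions made for illustration.

```python
import ipaddress

# Traffic for which the section says the FWSM relies on a route lookup
# rather than a MAC address lookup (class names are hypothetical).
ROUTE_LOOKUP_KINDS = {
    "fwsm_originated",   # e.g. syslog messages sent by the FWSM itself
    "voice_inspection",  # inspected voice endpoint at least one hop away
    "nat_real_dest",     # real destination address when NAT is used
}

def needs_static_route(kind, dest, connected_net):
    """True when the FWSM needs a static route to reach dest."""
    if kind not in ROUTE_LOOKUP_KINDS:
        return False  # through traffic without NAT: MAC address lookup only
    # Directly connected destinations need no static route.
    return ipaddress.ip_address(dest) not in ipaddress.ip_network(connected_net)

def covering_route(dest, routes):
    """Longest-prefix match of dest against (prefix, next_hop) pairs."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(p), nh) for p, nh in routes
               if addr in ipaddress.ip_network(p)]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def audit(flows, connected_net, routes):
    """List flows that need a static route but lack a usable one."""
    net = ipaddress.ip_network(connected_net)
    problems = []
    for name, kind, dest in flows:
        if not needs_static_route(kind, dest, connected_net):
            continue
        hit = covering_route(dest, routes)
        if hit is None:
            problems.append((name, "no static route"))
        elif ipaddress.ip_address(hit[1]) not in net:
            problems.append((name, "next hop not directly connected"))
    return problems

# Constructed sample built from the addresses shown in Figure 5-6.
CONNECTED = "10.1.1.0/24"                   # assumed management subnet
ROUTES = [("192.168.1.0/24", "10.1.1.3")]   # assumed downstream router
FLOWS = [
    ("syslog server", "fwsm_originated", "192.168.1.2"),
    ("host web traffic", "through_no_nat", "192.168.1.2"),
    ("outside router ping", "fwsm_originated", "10.1.1.1"),
]

if __name__ == "__main__":
    print(audit(FLOWS, CONNECTED, []))      # route missing
    print(audit(FLOWS, CONNECTED, ROUTES))  # route present
```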

Using the Transparent Firewall in Your Network

Figure 5-6 shows a typical transparent firewall network where the outside devices are on the same subnet
as the inside devices. The inside router and hosts appear to be directly connected to the outside router.

Figure 5-6 Transparent Firewall Network
[Figure: diagram labels are Internet, 10.1.1.1, FWSM, Management IP, 10.1.1.2, 10.1.1.3, 192.168.1.2, Network A, Network B]

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
