Chapter 5 Configuring The Transparent Or Routed Firewall; Configuring The Firewall Mode; Information About Routed Firewall Mode; Information About Transparent Firewall Mode - Cisco ASA 5505 Configuration Manual

Configuring the Firewall Mode

Information About Routed Firewall Mode

In routed mode, the adaptive security appliance is considered to be a router hop in the network. It can
use OSPF or RIP (in single context mode). Routed mode supports many interfaces. Each interface is on
a different subnet. You can share interfaces between contexts.
The adaptive security appliance acts as a router between connected networks, and each interface requires
an IP address on a different subnet. In single context mode, the routed firewall supports OSPF, EIGRP,
and RIP. Multiple context mode supports static routes only. We recommend using the advanced routing
capabilities of the upstream and downstream routers instead of relying on the adaptive security appliance
for extensive routing needs.

Information About Transparent Firewall Mode

Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its
screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a "bump
in the wire," or a "stealth firewall," and is not seen as a router hop to connected devices.
This section describes transparent firewall mode and includes the following topics:
Transparent Firewall Network, page 5-2
Allowing Layer 3 Traffic, page 5-2
Allowed MAC Addresses, page 5-2
Passing Traffic Not Allowed in Routed Mode, page 5-3
BPDU Handling, page 5-3
MAC Address vs. Route Lookups, page 5-3
Using the Transparent Firewall in Your Network, page 5-4

Transparent Firewall Network

The adaptive security appliance connects the same network on its inside and outside interfaces. Because
the firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network.

Allowing Layer 3 Traffic

IPv4 and IPv6 traffic is allowed through the transparent firewall automatically from a higher security
interface to a lower security interface, without an access list. ARPs are allowed through the transparent
firewall in both directions without an access list. ARP traffic can be controlled by ARP inspection. For
Layer 3 traffic travelling from a low to a high security interface, an extended access list is required on
the low security interface. See Chapter 30, "Configuring Access Rules," for more information.

Allowed MAC Addresses

The following destination MAC addresses are allowed through the transparent firewall. Any MAC
address not on this list is dropped.
TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF
IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF
BPDU multicast address equal to 0100.0CCC.CCCD

Cisco ASA 5500 Series Configuration Guide using ASDM, OL-20339-01, Chapter 5 Configuring the Transparent or Routed Firewall, page 5-2
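To make the two forwarding rules above concrete, here is an added example (not Cisco's code, not taken from the guide) that models them: a classifier for the destination MAC ranges the guide lists as allowed through the transparent firewall, and the security-level rule that decides whether Layer 3 traffic needs an extended access list. It is a review aid for checking a design against the guide, not a model of the full ASA forwarding path; the MAC addresses in the sample frames are constructed.

```python
# Destination MAC classes the guide lists as allowed through a transparent firewall,
# in Cisco dotted-hex notation. Anything outside these ranges is treated as dropped.
ALLOWED_DST_MAC_RANGES = {
    "broadcast":      ("FFFF.FFFF.FFFF", "FFFF.FFFF.FFFF"),
    "ipv4-multicast": ("0100.5E00.0000", "0100.5EFE.FFFF"),
    "ipv6-multicast": ("3333.0000.0000", "3333.FFFF.FFFF"),
    "bpdu":           ("0100.0CCC.CCCD", "0100.0CCC.CCCD"),
}

def mac_to_int(mac):
    """Parse a MAC in dotted-hex (0100.5E00.0001), colon or dash form into an integer."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "")
    if len(digits) != 12 or any(c not in "0123456789abcdefABCDEF" for c in digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)

def allowed_dst_mac_class(dst_mac):
    """Return the allowed class the destination MAC falls into, or None if it would be dropped."""
    value = mac_to_int(dst_mac)
    for name, (low, high) in ALLOWED_DST_MAC_RANGES.items():
        if mac_to_int(low) <= value <= mac_to_int(high):
            return name
    return None

def layer3_needs_acl(src_level, dst_level):
    """Guide rule: higher-to-lower security passes without an access list; lower-to-higher requires
    an extended access list on the lower-security (ingress) interface."""
    return src_level < dst_level

def review_frames(frames):
    """Evaluate constructed (label, dst_mac, src_level, dst_level) tuples and return the verdicts."""
    verdicts = {}
    for label, dst_mac, src_level, dst_level in frames:
        mac_class = allowed_dst_mac_class(dst_mac)
        verdicts[label] = {
            "mac_class": mac_class,
            "dropped_at_l2": mac_class is None,
            "needs_acl": layer3_needs_acl(src_level, dst_level),
        }
    return verdicts

if __name__ == "__main__":
    sample = [  # constructed frames: inside=100, outside=0 are assumed security levels
        ("arp-bcast-out", "FFFF.FFFF.FFFF", 100, 0),
        ("ospf-hello-in", "0100.5E00.0005", 0, 100),
        ("bad-mcast",     "0100.5EFF.0001", 0, 100),
    ]
    for label, verdict in review_frames(sample).items():
        print(label, verdict)
```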
