As you have probably already seen in the blog on setting up the security device as a Layer 2 device, a PIX or ASA changes its behavior in many interesting ways when configured for transparent operation. This blog highlights the major changes and guidelines you should keep in mind when you opt for this special mode of operation.
- Number of interfaces - perhaps one of the biggest things to keep in mind is that you are limited in the number of traffic-forwarding interfaces you can use in Layer 2 mode. When you switch to transparent mode, you may use only two traffic-forwarding interfaces. On some ASA models you may also use the dedicated management interface, but of course that port is limited to management traffic. Remember also that in multiple context mode you cannot share interfaces between contexts the way you can in routed mode.
- IP addressing - here is another major difference, of course. In Layer 2 mode you assign a single IP address to the device in Global Configuration mode (the ip address command), rather than per interface. This address is used for remote management and for traffic the appliance itself originates, and it is required before the device will forward traffic. Once the address is assigned, all interfaces “listen” on it so the device stays responsive to its administrator. The global IP address assigned to the device must be in the same subnet the forwarding interfaces are participating in. Remember, the transparent firewall is not adding a new network (subnet) to your topology; it bridges the one existing subnet across its two interfaces.
- Default gateway - for traffic sourced from the security device itself (management sessions, syslog, AAA), you can configure a default gateway on the transparent device. You do this with the route command, for example route outside 0 0 <gateway-address>; the interface name is required even though the interface carries no IP address of its own.
- IPv6 support - the transparent firewall does not support IPv6.
- Non-IP traffic - you can pass non-IP traffic (for example IPX, MPLS or spanning tree BPDUs) through the Layer 2 mode device by permitting it with an EtherType access list. Note that this is not possible on a security appliance in its default Layer 3 (routed) mode, which forwards only IP.
- More unsupported features - the Layer 2 mode device does not support Quality of Service (QoS). Network Address Translation (NAT) is not supported in transparent mode either, until release 8.0(2) (see the comments below).
- Multicast - the transparent mode device does not support multicast routing (it will not act as a multicast router or IGMP proxy the way a routed-mode appliance can), but you can configure extended Access Control Lists (ACLs) to pass multicast traffic through the device.
- Inspection - with the Layer 2 mode device you can inspect and control traffic at Layer 2 and above (EtherType ACLs in addition to the usual extended ACLs and application inspection). With the classic routed mode configuration, you can only inspect at Layer 3 and above.
- VPN support - the transparent mode device does support a site-to-site VPN configuration, but only for its own management traffic; it cannot terminate VPN tunnels for traffic passing through it.
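The guidelines above pulled together into one transparent-mode configuration. This is an added example written for this post, not configuration from the original article; the interface names, the ACL names and the constructed 192.168.1.0/24 subnet are assumptions, and the syntax is the PIX/ASA 7.x and 8.0 CLI the post describes.

```cisco
! Added example (not from the original post): a minimal transparent-mode
! PIX/ASA configuration. Interface names, ACL names and the 192.168.1.0/24
! subnet are assumptions chosen for illustration.
firewall transparent
!
! Only two traffic-forwarding interfaces are allowed. Neither one carries an
! IP address; nameif and security-level still apply.
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! The single, global management address. It must sit inside the subnet being
! bridged (here 192.168.1.0/24), and the appliance will not forward traffic
! until it is set.
ip address 192.168.1.2 255.255.255.0
!
! Default gateway for traffic the appliance itself originates (management,
! syslog, AAA). The next hop is a router in the bridged subnet.
route outside 0.0.0.0 0.0.0.0 192.168.1.1
!
! Non-IP traffic needs an EtherType ACL. EtherTypes are connectionless, so
! the ACL is applied inbound on BOTH interfaces to pass it in each direction.
access-list L2_TRAFFIC ethertype permit bpdu
access-group L2_TRAFFIC in interface outside
access-group L2_TRAFFIC in interface inside
!
! Multicast is not routed by a transparent firewall, but an extended ACL can
! still permit it through (224.0.0.0/4 is written with mask 240.0.0.0). The
! same ACL admits Telnet to one constructed inside host; TCP and UDP flows
! build state, so their return traffic needs no matching inside ACL. One
! EtherType ACL and one extended ACL may coexist per interface and direction.
access-list OUTSIDE_IN extended permit udp any 224.0.0.0 240.0.0.0
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.50 eq telnet
access-group OUTSIDE_IN in interface outside
```

Two practical caveats: entering firewall transparent clears the running configuration, so do this on a console session before building the rest, and confirm the result with show firewall, which should report the mode as Transparent.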

You state “This global IP addressed assigned to the device must be in the same subnet that the forwarding interfaces are participating in.”
What if the L2 firewall needs to be in a /30 subnet?
Hi Anthony,
Thanks for the facts. On the same note, transparent functionality on a FWSM is much more interesting, with BVI interfaces playing a major role. You can have combinations such as mixed modes like Context A in Routed mode and Context B in Transparent mode. Anyway, it’s a rabbit trail that will never end, I guess…..
Yet another interesting fact is adding ACLs on both interfaces in certain situations, such as passing dynamic protocols. Any idea why this type of design in a Cisco transparent firewall?
To Maxwell - thanks for the great comments in this blog.
Regarding ACLs on both interfaces…the only documentation I have seen on this states that it is only required for non-TCP and non-UDP traffic since there is absolutely no session information for the state table.
In my recent testing for the blog, there was no Inside ACL required for through Telnet traffic, but it sounds as if you have already encountered situations where an Inside ACL was required with TCP or UDP-based traffic.
To jgbaker:
Do not forget that you are only assigning a single IP address to the transparent firewall. So my statement may have been a bit misleading. Sorry about that.
Starting with ASA/PIX 8.0(2), NAT/PAT is supported in the transparent firewall.