Network and security administrators working on a new setup or on a migration of applications/services may face the challenge of configuring a Cisco ASA in transparent mode, in order to keep design changes minimal and to meet key business requirements such as support for non-IP traffic, minimal change to the IP address structure, unchanged routing, etc.
This article explains transparent mode on the Cisco ASA firewall and how to configure it.
First, let's understand what we gain by using the firewall in transparent mode –
BENEFITS OF USING FIREWALL IN TRANSPARENT MODE –
- No change to existing IP addressing or Servers.
- Routing protocols can establish adjacencies through the firewall
- Protocols such as HSRP, VRRP, GLBP can pass.
- Multicast streams can traverse the firewall
- Non-IP traffic can be allowed (IPX, MPLS, BPDUs)
KEY CHARACTERISTICS OF ASA FIREWALL WHEN CONFIGURED IN TRANSPARENT MODE –
- Transparent firewall mode supports only two interfaces (inside and outside)
- The firewall bridges packets from one VLAN to the other instead of routing them.
- MAC lookups are performed instead of routing table lookups.
- Can run in single firewall context or in multiple firewall contexts.
- A management IP address is required on the ASA.
- The management IP address must be in the same subnet as the connected network.
- Each interface of the ASA must be a different VLAN interface.
- Even though the appliance acts as a Layer 2 bridge, Layer 3 traffic cannot pass through the security appliance from a lower security level to a higher security level interface.
- The firewall can allow any traffic through by using normal extended Access Control Lists (ACL).
SOME OF FEATURES TRANSPARENT MODE DOES NOT SUPPORT ARE –
- DHCP relay – The transparent firewall can act as a DHCP server, but it does not support the DHCP relay commands.
- Dynamic routing protocols are not supported; however, static routes can be added for traffic originating on the ASA itself.
- Multicast IP routing
- VPN termination – The transparent firewall supports site-to-site VPN tunnels for management connections only and not for non-management connections.
An example will help readers understand the concept and the configuration required in transparent mode –
The step-by-step configuration of the ASA firewall is shown below –
Step 1 –
In configuration mode, execute the command firewall transparent:
Step 2 –
Next, assign the physical interfaces to VLANs using the switchport access command and enable the physical interfaces with the no shutdown command:
Step 3 –
After configuring the physical interfaces, you must configure the VLAN interfaces by giving them names and assigning them to the same bridge-group:
Step 4 –
Now, you’ll configure the management IP address through the Bridge Virtual Interface (BVI). Once this is done, the firewall is ready to be used in transparent mode.
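Putting the four steps together, below is an added example configuration (written for this article, not taken from it or from Cisco) for an ASA 5505-style appliance where the physical ports are switchports and the VLAN interfaces are bridged, as the steps above describe. The interface names, VLAN IDs, the 192.168.1.0/24 addresses, the server address and the ACL names are all assumed values; the trailing route and ACL lines illustrate the earlier points about static routes for ASA-originated traffic, lower-to-higher security traffic, and non-IP traffic.

```cisco
! Step 1 - switch the appliance from routed to transparent mode
firewall transparent
!
! Step 2 - put the physical ports into their VLANs and bring them up
! (VLAN 10 = outside, VLAN 20 = inside; assumed values)
interface Ethernet0/0
 switchport access vlan 10
 no shutdown
!
interface Ethernet0/1
 switchport access vlan 20
 no shutdown
!
! Step 3 - name the VLAN interfaces, set security levels, same bridge-group
interface Vlan10
 nameif outside
 security-level 0
 bridge-group 1
 no shutdown
!
interface Vlan20
 nameif inside
 security-level 100
 bridge-group 1
 no shutdown
!
! Step 4 - management IP on the BVI; it must sit in the subnet that is
! bridged between inside and outside (192.168.1.0/24 is assumed here)
interface BVI1
 ip address 192.168.1.10 255.255.255.0
!
! Static route for traffic the ASA itself originates (syslog, AAA, NTP);
! transparent mode has no dynamic routing, so this is added manually
route outside 0.0.0.0 0.0.0.0 192.168.1.1
!
! Layer 3 traffic from the lower-security outside interface is dropped
! unless an extended ACL permits it; allow only HTTPS to one server
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.50 eq 443
access-group OUTSIDE_IN in interface outside
!
! Non-IP frames need an EtherType ACL; permit only spanning-tree BPDUs
access-list OUTSIDE_ETH ethertype permit bpdu
access-group OUTSIDE_ETH in interface outside
```

Because EtherType rules are connectionless, the same BPDU rule must also be applied inbound on the inside interface if spanning-tree frames are to pass in both directions.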