Guest

Cisco ASA 5500-X Series Next-Generation Firewalls

ASA FAQ: Can a transparent mode ASA be configured without an IP address on the bridge group?

Techzone Article content

Document ID: 116407

Updated: Jul 23, 2013

Contributed by David White, Cisco TAC Engineer.

   Print

Introduction

This document answers a frequently asked question about the Cisco Adaptive Security Appliance (ASA).

Can a transparent mode ASA be configured without an IP address on the bridge group?

No, a transparent mode ASA must be configured with an IP address for each Layer 2 bridge group.

Besides using the IP for any traffic sourced from the ASA, the ASA must ARP or send out an ICMP message in order to determine out of which interface the destination MAC resides (if the MAC address is not in the ASA CAM table). Without a valid IP address assigned to the ASA that is in the same IP subnet as adjacent devices, traffic might fail to pass through the transparent ASA since the ARP and ICMP process cannot complete.

Related Information

Updated: Jul 23, 2013
Document ID: 116407