Table Of Contents
Firewall Mode Overview
Routed Mode Overview
IP Routing Support
Transparent Mode Overview
Transparent Firewall Network
Allowing Layer 3 Traffic
Allowed MAC Addresses
Passing Traffic Not Allowed in Routed Mode
MAC Address vs. Route Lookups
Using the Transparent Firewall in Your Network
Transparent Firewall Guidelines
Unsupported Features in Transparent Mode
Firewall Mode Overview
This chapter describes how the firewall works in each firewall mode. To set the mode at the CLI, see the "Setting Transparent or Routed Firewall Mode at the CLI" section on page 3-4.
This chapter includes the following sections:
• Routed Mode Overview
• Transparent Mode Overview
Routed Mode Overview
In routed mode, the security appliance is considered to be a router hop in the network. It can use OSPF or RIP (in single context mode). Routed mode supports many interfaces. Each interface is on a different subnet. You can share interfaces between contexts.
This section includes the following topics:
• IP Routing Support
IP Routing Support
The security appliance acts as a router between connected networks, and each interface requires an IP address on a different subnet. In single context mode, the routed firewall supports OSPF and RIP. Multiple context mode supports static routes only. We recommend using the advanced routing capabilities of the upstream and downstream routers instead of relying on the security appliance for extensive routing needs.
Transparent Mode Overview
Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a "bump in the wire," or a "stealth firewall," and is not seen as a router hop to connected devices.
This section describes transparent firewall mode, and includes the following topics:
• Transparent Firewall Network
• Allowing Layer 3 Traffic
• Allowed MAC Addresses
• Passing Traffic Not Allowed in Routed Mode
• MAC Address vs. Route Lookups
• Using the Transparent Firewall in Your Network
• Transparent Firewall Guidelines
• Unsupported Features in Transparent Mode
Transparent Firewall Network
The security appliance connects the same network on its inside and outside interfaces. Because the firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network.
Allowing Layer 3 Traffic
IPv4 traffic is allowed through the transparent firewall automatically from a higher security interface to a lower security interface, without an access list. ARPs are allowed through the transparent firewall in both directions without an access list. ARP traffic can be controlled by ARP inspection. For Layer 3 traffic travelling from a low to a high security interface, an extended access list is required.
Allowed MAC Addresses
The following destination MAC addresses are allowed through the transparent firewall. Any MAC address not on this list is dropped.
• TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF
• IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
• IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF
• BPDU multicast address equal to 0100.0CCC.CCCD
• AppleTalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF
Passing Traffic Not Allowed in Routed Mode
In routed mode, some types of traffic cannot pass through the security appliance even if you allow it in an access list. The transparent firewall, however, can allow almost any traffic through using either an extended access list (for IP traffic) or an EtherType access list (for non-IP traffic).
Note
The transparent mode security appliance does not pass CDP packets or IPv6 packets, or any packets that do not have a valid EtherType greater than or equal to 0x600. For example, you cannot pass IS-IS packets. An exception is made for BPDUs, which are supported.
For example, you can establish routing protocol adjacencies through a transparent firewall; you can allow OSPF, RIP, EIGRP, or BGP traffic through based on an extended access list. Likewise, protocols like HSRP or VRRP can pass through the security appliance.
Non-IP traffic (for example AppleTalk, IPX, BPDUs, and MPLS) can be configured to go through using an EtherType access list.
For features that are not directly supported on the transparent firewall, you can allow traffic to pass through so that upstream and downstream routers can support the functionality. For example, by using an extended access list, you can allow DHCP traffic (instead of the unsupported DHCP relay feature) or multicast traffic such as that created by IP/TV.
MAC Address vs. Route Lookups
When the security appliance runs in transparent mode without NAT, the outgoing interface of a packet is determined by performing a MAC address lookup instead of a route lookup. Route statements can still be configured, but they only apply to security appliance-originated traffic. For example, if your syslog server is located on a remote network, you must use a static route so the security appliance can reach that subnet.
An exception to this rule is when you use voice inspections and the endpoint is at least one hop away from the security appliance. For example, if you use the transparent firewall between a CCM and an H.323 gateway, and there is a router between the transparent firewall and the H.323 gateway, then you need to add a static route on the security appliance for the H.323 gateway for successful call completion.
If you use NAT, then the security appliance uses a route lookup instead of a MAC address lookup. In some cases, you will need static routes. For example, if the real destination address is not directly-connected to the security appliance, then you need to add a static route on the security appliance for the real destination address that points to the downstream router.
Using the Transparent Firewall in Your Network
Figure 18-1 shows a typical transparent firewall network where the outside devices are on the same subnet as the inside devices. The inside router and hosts appear to be directly connected to the outside router.
Figure 18-1 Transparent Firewall Network
Transparent Firewall Guidelines
Follow these guidelines when planning your transparent firewall network:
• A management IP address is required; for multiple context mode, an IP address is required for each context.
  Unlike routed mode, which requires an IP address for each interface, a transparent firewall has an IP address assigned to the entire device. The security appliance uses this IP address as the source address for packets originating on the security appliance, such as system messages or AAA communications.
  The management IP address must be on the same subnet as the connected network. You cannot set the subnet to a host subnet (255.255.255.255).
  You can configure an IP address for the Management 0/0 management-only interface. This IP address can be on a separate subnet from the main management IP address.
• The transparent security appliance uses an inside interface and an outside interface only. If your platform includes a dedicated management interface, you can also configure the management interface or subinterface for management traffic only.
  In single mode, you can only use two data interfaces (and the dedicated management interface, if available) even if your security appliance includes more than two interfaces.
• Each directly connected network must be on the same subnet.
• Do not specify the security appliance management IP address as the default gateway for connected devices; devices need to specify the router on the other side of the security appliance as the default gateway.
• For multiple context mode, each context must use different interfaces; you cannot share an interface across contexts.
• For multiple context mode, each context typically uses a different subnet. You can use overlapping subnets, but your network topology requires router and NAT configuration to make it possible from a routing standpoint.
Unsupported Features in Transparent Mode
Table 18-1 lists the features that are not supported in transparent mode.
Table 18-1 Unsupported Features in Transparent Mode

Feature | Description
Dynamic DNS | —
DHCP relay | The transparent firewall can act as a DHCP server, but it does not support the DHCP relay commands. DHCP relay is not required because you can allow DHCP traffic to pass through using two extended access lists: one that allows DHCP requests from the inside interface to the outside, and one that allows the replies from the server in the other direction.
Dynamic routing protocols | You can, however, add static routes for traffic originating on the security appliance. You can also allow dynamic routing protocols through the security appliance using an extended access list.
IPv6 | You also cannot allow IPv6 using an EtherType access list.
Multicast | You can allow multicast traffic through the security appliance by allowing it in an extended access list.
QoS | —
VPN termination for through traffic | The transparent firewall supports site-to-site VPN tunnels for management connections only. It does not terminate VPN connections for traffic through the security appliance. You can pass VPN traffic through the security appliance using an extended access list, but it does not terminate non-management connections. Clientless SSL VPN is also not supported.
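The following minimal transparent-mode configuration ties together the points made in this chapter: a single management IP address on the connected subnet, a static route used only for appliance-originated traffic (here, reaching a remote syslog server), DHCP passthrough with two extended access lists in place of the unsupported DHCP relay, and an EtherType access list for non-IP traffic (BPDUs). This is an added example, not configuration taken from the original chapter; the interface names, addresses and access-list names are assumptions.

```cisco
! Added example (not from the original chapter). Interface names, addresses
! and access-list names are assumed values; adapt them to your own network.
firewall transparent
!
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! One management IP address for the whole device, on the connected subnet
! (a host mask of 255.255.255.255 is not allowed). It is the source address
! for traffic the appliance itself originates, such as syslog messages.
ip address 10.1.1.2 255.255.255.0
!
! Route statements apply only to appliance-originated traffic. Through
! traffic is switched by MAC address lookup (when NAT is not in use), so a
! route is only needed here to reach the remote syslog subnet.
route outside 10.9.9.0 255.255.255.0 10.1.1.1 1
logging host outside 10.9.9.50
!
! DHCP relay is unsupported in transparent mode, so pass DHCP with two
! extended access lists: client requests (bootpc -> bootps) inbound on
! inside, server replies (bootps -> bootpc) inbound on outside. Low-to-high
! traffic always needs an explicit permit; once an access list is bound to
! an interface, its implicit deny also covers that interface's other
! traffic, so the inside list keeps ordinary IPv4 flowing as well.
access-list INSIDE_IN extended permit udp any eq bootpc any eq bootps
access-list INSIDE_IN extended permit ip any any
access-list OUTSIDE_IN extended permit udp any eq bootps any eq bootpc
access-group INSIDE_IN in interface inside
access-group OUTSIDE_IN in interface outside
!
! Non-IP traffic is controlled by an EtherType access list. This one permits
! BPDUs so the switches on either side keep running spanning tree across
! the firewall; everything else non-IP is dropped by the implicit deny.
access-list ETHER_IN ethertype permit bpdu
access-group ETHER_IN in interface inside
access-group ETHER_IN in interface outside
```

Note that IPv6 and any frame with an EtherType below 0x600 (such as IS-IS) are still dropped regardless of these lists, as the chapter's Note states.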