Transparent and Routed Firewalls
There are two modes in which your firewall can operate: routed mode or transparent mode. Each mode treats packets differently and operates in its own way; depending on the requirements of your design you will choose whichever is best for you. Since the release of ASA 9.0 it is important to know that each context can be placed in either firewall mode. Before 9.0 code you had to consider your overall design, as the mode was persistent across all contexts.
Routed Firewall
The routed firewall is the default mode for an ASA firewall. It acts as a layer 3 device and is a routed hop, in the same way a router would be. It uses routing protocols and static routes, and forwarding is done based on destination IP addresses.
Transparent Firewalls
Transparent firewalls are known as "bumps in the wire". They work purely at layer 2 and are not seen as a hop, as opposed to layer 3 routed firewalls, which decrement the TTL. By bridging interfaces the ASA can forward traffic transparently to the end user or device. It is important to remember that transparent firewalls have limitations in their capabilities, and to keep this in mind when designing networks with Cisco ASA firewalls. Forwarding is done based on destination MAC addresses.
Features that are not supported are:
- QoS
- DHCP relay
  - The ASA cannot act as a DHCP server, but DHCP relay traffic can be passed with an extended ACL.
- VPN termination
  - Only a site-to-site VPN for management traffic is supported.
  - Extended ACLs can pass VPN connections through the firewall.
  - SSL VPN is not supported.
- Dynamic/multicast routing
  - An ACL is needed to pass routing-protocol traffic through.
- Dynamic DNS
Since 8.02, NAT can be performed in transparent mode, which gives more control over traffic. The same rules also apply regarding interface security levels: traffic from a higher-security interface can pass to a lower-security interface by default.
To configure a transparent firewall, three things need to happen: enable transparent firewall mode, configure a bridge group, and configure management.
To set the firewall in transparent mode, issue the following:
firewall transparent
This will immediately restart the firewall. It is wise to save any existing configuration to memory in case a rollback is required. After the reboot your firewall will be in transparent mode.
Next, configure the Bridged Virtual Interface (BVI) and assign interfaces to the bridge group:
interface BVI1
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
 security-level 100
 no shutdown
interface GigabitEthernet0/2
 nameif dmz20
 bridge-group 1
 security-level 50
 no shutdown
It is important to be aware that the address assigned to the BVI is the management IP. This address will not be seen by traffic transiting across the ASA. Each bridge group can support four interfaces whilst each context can have eight bridge groups. We will discuss contexts later.
A static route is configured to ensure that the management BVI is reachable. It is also needed if NAT is being performed or VoIP traffic inspection is enabled.
Transparent Access Rules
Transparent access rules work the same way as in routed mode. ARP traffic can pass either way through the interfaces. In transparent firewall mode it is important that you use interface ACLs to allow broadcast and multicast traffic.
Allowing broadcast and multicast traffic lets protocols such as DHCP, EIGRP, OSPF, RIP and HSRP pass through the firewall. As an example, take an ACL that supports EIGRP: on each interface you need a permit statement allowing EIGRP (IP protocol 88) to the multicast address 224.0.0.10. Alternatively you can apply this globally.
object-group network EIGRP_MCAST_ADD
 network-object host 224.0.0.10
access-list EIGRP extended permit eigrp any object-group EIGRP_MCAST_ADD
access-group EIGRP in interface inside
access-group EIGRP in interface outside
The ASDM configuration window resides at Configuration > Firewall > Access Rules > Add Access Rule.
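As an added example (not code from the original post, and not a Cisco tool), the Python script below parses a constructed transparent-mode configuration modelled on the two snippets above and audits it against the points made in the text: the firewall is in transparent mode, each BVI carries a management IP, bridge groups stay within four member interfaces and eight groups per context, and every bridge-group member interface has an inbound ACL that permits EIGRP to 224.0.0.10. The subset of ASA syntax handled, the sample config and the limits encoded are taken from this page; the function names and finding strings are my own.

```python
"""Audit a Cisco ASA transparent-mode configuration: bridge-group limits, a
management IP on each BVI, and inbound ACLs that admit EIGRP multicast.
Added example with a constructed sample config; not code from the original page."""
from collections import defaultdict

# Constructed sample modelled on the page's snippets (not a real device dump).
SAMPLE_CONFIG = """\
firewall transparent
interface BVI1
 ip address 192.168.1.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
 security-level 100
interface GigabitEthernet0/2
 nameif dmz20
 bridge-group 1
 security-level 50
object-group network EIGRP_MCAST_ADD
 network-object host 224.0.0.10
access-list EIGRP extended permit eigrp any object-group EIGRP_MCAST_ADD
access-group EIGRP in interface inside
"""

MAX_MEMBERS_PER_BRIDGE_GROUP = 4   # limit stated in the text
MAX_BRIDGE_GROUPS_PER_CONTEXT = 8  # limit stated in the text
EIGRP_MCAST = "224.0.0.10"         # EIGRP multicast group used in the page's ACL


def parse_config(text):
    """Parse the subset of ASA syntax used above into plain dicts."""
    cfg = {"transparent": False, "interfaces": {}, "bvi_ip": {},
           "object_groups": defaultdict(set), "acls": defaultdict(list), "access_groups": {}}
    block = kind = None  # the interface / object-group block currently open
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if not raw.startswith(" "):  # top-level statement
            block = kind = None
            if parts == ["firewall", "transparent"]:
                cfg["transparent"] = True
            elif parts[0] == "interface":
                block, kind = parts[1], "interface"
                cfg["interfaces"][block] = {"nameif": None, "bridge_group": None, "security_level": None}
            elif parts[:2] == ["object-group", "network"]:
                block, kind = parts[2], "object-group"
            elif parts[0] == "access-list":
                cfg["acls"][parts[1]].append(parts[2:])  # ['extended', 'permit', proto, src..., dst...]
            elif parts[0] == "access-group":  # access-group NAME in|out interface IFNAME
                cfg["access_groups"][parts[4]] = (parts[1], parts[2])
        elif kind == "interface":
            if parts[:2] == ["ip", "address"]:
                cfg["bvi_ip"][block] = parts[2]  # on BVI<n> this is bridge group n's management IP
            elif parts[0] == "nameif":
                cfg["interfaces"][block]["nameif"] = parts[1]
            elif parts[0] == "bridge-group":
                cfg["interfaces"][block]["bridge_group"] = int(parts[1])
            elif parts[0] == "security-level":
                cfg["interfaces"][block]["security_level"] = int(parts[1])
        elif kind == "object-group" and parts[:2] == ["network-object", "host"]:
            cfg["object_groups"][block].add(parts[2])
    return cfg


def acl_permits(cfg, acl_name, proto, dst_host):
    """True if an ACE in acl_name permits `proto` to dst_host (host, object-group or any)."""
    for ace in cfg["acls"].get(acl_name, []):
        if ace[:2] != ["extended", "permit"] or ace[2] != proto:
            continue
        if ace[-1] == "any" or (ace[-2] == "host" and ace[-1] == dst_host):
            return True
        if ace[-2] == "object-group" and dst_host in cfg["object_groups"].get(ace[-1], set()):
            return True
    return False


def audit(cfg):
    """Return human-readable findings; an empty list means every check passed."""
    findings = []
    if not cfg["transparent"]:
        findings.append("firewall is not in transparent mode")
    members = defaultdict(list)
    for name, iface in cfg["interfaces"].items():
        if iface["bridge_group"] is None:
            continue  # BVIs and non-bridged interfaces are outside this audit's scope
        members[iface["bridge_group"]].append(name)
        label = iface["nameif"] or name
        applied = cfg["access_groups"].get(iface["nameif"])
        if applied is None or applied[1] != "in":
            findings.append(f"{label}: no inbound ACL, so EIGRP multicast to {EIGRP_MCAST} is dropped")
        elif not acl_permits(cfg, applied[0], "eigrp", EIGRP_MCAST):
            findings.append(f"{label}: inbound ACL {applied[0]} does not permit eigrp to {EIGRP_MCAST}")
    if len(members) > MAX_BRIDGE_GROUPS_PER_CONTEXT:
        findings.append(f"{len(members)} bridge groups exceed the per-context limit of {MAX_BRIDGE_GROUPS_PER_CONTEXT}")
    for bg, names in sorted(members.items()):
        if len(names) > MAX_MEMBERS_PER_BRIDGE_GROUP:
            findings.append(f"bridge-group {bg} has {len(names)} member interfaces (max {MAX_MEMBERS_PER_BRIDGE_GROUP})")
        if f"BVI{bg}" not in cfg["bvi_ip"]:
            findings.append(f"bridge-group {bg}: BVI{bg} has no management IP address")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(parse_config(SAMPLE_CONFIG)) or ["no findings"]))
```

Run against the sample, the audit reports only that dmz20 has no inbound ACL applied, which is exactly the case the text warns about: the second bridge-group member will silently drop EIGRP hellos until an access-group is bound to it. The parser deliberately understands only the statements on this page; a real `show running-config` contains many more, so treat it as a starting point for a configuration check rather than a complete ASA parser.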
Thoughts
Depending on the situation, the choice between transparent and routed firewall mode is critical in the design and deployment of ASA firewalls. Scoping the placement and requirements is critical to selecting the correct model of firewall. I like the ASA family of firewalls and what they can do, and the deployment of contextual firewall modes adds to its feature set. It is a shame that licensing can cripple the real use of this technology.
Not that I want to destroy my street cred by being soft on Cisco's licensing schemes, but I thought the ASA's security context licensing wasn't all that bad. It's 1 license for the HA pair, and depending on how you're using the licensing (multi-tenancy vs rule isolation), it works out pretty well.
That said, I run a single HA 5585-X SSP-20 setup and we use the contexts to isolate rules per department or service, not to provide hundreds of tenants self service firewall management. I can see how the licensing would pile up really fast if you had a lot of HA pairs.
Also, worth noting: the licenses in an HA pair are additive, so if you have a L-ASA-SC-20, you actually get 22 contexts in the HA pair. Not enough to tip the scales, but it's a small consolation prize.