Wednesday 6 March 2013

ASA Transparent Firewall


  • Information about ASA Transparent Mode

Transparent firewall mode turns the ASA into a Layer 2 bridging device. In transparent mode the firewall is not a routed hop; it acts as a "bump in the wire". The security appliance connects the same network on its inside and outside ports. Because the firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network without re-addressing the IP network.

Even though the transparent mode acts as a bridge, Layer 3 traffic, such as IP traffic, cannot pass through the security appliance unless you explicitly permit it with an extended access list. The only traffic allowed through the transparent firewall without an access list is ARP traffic. ARP traffic can be controlled by ARP inspection.

When the security appliance runs in transparent mode, the outbound interface of a packet is determined by a MAC address lookup instead of a route lookup. Route statements can still be configured, but they only apply to security appliance-originated traffic.

Unlike routed mode, which requires an IP address for each interface, a transparent firewall has an IP address assigned to the entire device.

The transparent security appliance uses an inside interface and an outside interface only. If your platform includes a dedicated management interface, you can also configure the management interface or subinterface for management traffic only.

For multiple context mode, each context must use different interfaces; you cannot share an interface across contexts.

When the ASA firewall mode is changed (from routed to transparent or vice versa), the adaptive security appliance clears the configuration.

  • Configuration


firewall transparent
!
! In transparent mode the device has a single management IP address,
! configured on the bridge virtual interface, not on the member interfaces
interface BVI1
 ip address 192.168.1.3 255.255.255.0
!
! Both data interfaces are placed in the same bridge group;
! the security levels still define the default inspection direction
interface GigabitEthernet0
 nameif inside
 bridge-group 1
 security-level 100
!
interface GigabitEthernet1
 nameif outside
 bridge-group 1
 security-level 0


The firewall forwards frames based on their destination MAC addresses.
In transparent mode, as in routed mode, the firewall by default performs stateful inspection of traffic that passes from the higher-security zone to the lower-security zone.
As an exception, some Layer 2 traffic (the destination MAC addresses listed below) is permitted in both directions without an access list.


  • Default allowed MAC Addresses
These destination MAC addresses are allowed by default through the transparent firewall. Any MAC address not on this list is dropped.

True broadcast destination MAC address equal to FFFF.FFFF.FFFF
IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF
BPDU multicast address equal to 0100.0CCC.CCCD
AppleTalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF

  • ARP inspection

By default, all ARP packets are allowed through the security appliance.
ARP inspection prevents malicious users from impersonating other hosts or routers (known as ARP spoofing).
ARP inspection ensures that an attacker cannot send an ARP response with the attacker's MAC address, as long as the correct MAC address and the associated IP address are in the static ARP table.
ARP inspection compares the IP address, MAC address and source interface of ARP packets with the static entries in the ARP table. A static entry is configured as follows:

arp inside 192.168.1.1 ca00.2ae2.001c

To enable ARP inspection, enter the following command:
arp-inspection interface_name enable [flood | no-flood]
Where flood forwards non-matching ARP packets out all interfaces, and no-flood drops non-matching packets. A packet whose IP address is in the static table but whose MAC address differs is always dropped.
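As an added example (not part of the original post), the following Python model reproduces the ARP inspection decision described above: the static table is built from "arp <interface> <ip> <mac>" lines like the one in the post, and each ARP packet is checked against it, with the flood / no-flood option deciding the fate of packets that match no static entry. The second static entry and the packet values are constructed for the example.

```python
# Added example: a model of ASA transparent-mode ARP inspection.
# The static ARP table is parsed from "arp <if> <ip> <mac>" lines; an
# ARP packet is then classified as forward, drop or flood. The table
# contents and the packets below are constructed sample data.

STATIC_ARP_CONFIG = """
arp inside 192.168.1.1 ca00.2ae2.001c
arp outside 192.168.1.254 0011.2233.4455
"""


def normalize_mac(mac):
    """Accept Cisco dotted (ca00.2ae2.001c), colon or dash notation."""
    return mac.replace(".", "").replace(":", "").replace("-", "").lower()


def parse_static_arp(config):
    """Return {(interface, ip): mac} from 'arp <if> <ip> <mac>' lines."""
    table = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "arp":
            _, ifname, ip, mac = parts
            table[(ifname, ip)] = normalize_mac(mac)
    return table


def inspect_arp(table, ifname, sender_ip, sender_mac, flood=True):
    """Decide what the firewall does with an ARP packet seen on ifname.

    "forward": sender IP/MAC pair matches the static entry for that interface.
    "drop":    the IP is in the table but the MAC differs (a spoofing attempt).
    No static entry for the IP: "flood" or "drop", following the
    [flood | no-flood] option of the arp-inspection command.
    """
    expected = table.get((ifname, sender_ip))
    if expected is None:
        return "flood" if flood else "drop"
    return "forward" if expected == normalize_mac(sender_mac) else "drop"
```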

  • Ether-type Access List

In routed mode, some types of traffic cannot pass through the security appliance even if you allow them in an access list. In contrast, the transparent firewall can allow any traffic through with either an extended access list (for IP traffic) or an EtherType access list (for non-IP traffic).

To allow any traffic with EtherTypes other than IPv4 and ARP, you need to apply an EtherType access list, even from a high-security to a low-security interface.
Because EtherTypes are connectionless, you need to apply the access list to both interfaces if you want traffic to pass in both directions.

access-list access_list_name ethertype {deny | permit} {ipx | bpdu | mpls-unicast | mpls-multicast | any | hex_number}

The any keyword matches all frames, regardless of EtherType.

The bpdu keyword specifies access to bridge protocol data units, which are permitted by default.

The deny keyword denies access if the conditions are matched. If an EtherType access list is configured to deny all, all Ethernet frames are discarded. Only physical-layer protocol traffic, such as auto-negotiation, is still allowed.

The hex_number argument indicates any EtherType that can be identified by a 16-bit hexadecimal number greater than or equal to 0x600. (See RFC 1700, "Assigned Numbers," for a list of EtherTypes.)

The ipx keyword specifies access to IPX.

The mpls-multicast keyword specifies access to MPLS multicast.

The mpls-unicast keyword specifies access to MPLS unicast.

The permit keyword permits access if the conditions are matched.
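As an added example (not part of the original post), the following Python code parses EtherType access-list lines in the syntax above and evaluates them top-down with first-match semantics and the implicit deny at the end of the list. The keyword-to-EtherType mapping uses the registered values (IPX 0x8137, MPLS unicast 0x8847, MPLS multicast 0x8848); BPDUs are 802.2/LLC frames rather than an EtherType, so they are modelled as the tag "bpdu", and the sample ACL is constructed for the example.

```python
# Added example: parse and evaluate ASA EtherType access lists.
# Entries are matched in order, first match wins, and a frame that
# matches no entry hits the implicit deny. The ACL text is constructed.

KEYWORD_ETHERTYPES = {
    "ipx": 0x8137,
    "mpls-unicast": 0x8847,
    "mpls-multicast": 0x8848,
}

ACL_CONFIG = """
access-list L2 ethertype permit ipx
access-list L2 ethertype permit bpdu
access-list L2 ethertype deny 8847
access-list L2 ethertype permit any
"""


def parse_ethertype_acl(config):
    """Parse 'access-list <name> ethertype {deny|permit} <type>' lines.

    Returns {acl_name: [(action, selector), ...]} where selector is "any",
    "bpdu" or an int EtherType. Hex values below 0x600 are rejected: those
    numbers are 802.3 length fields, not EtherTypes.
    """
    acls = {}
    for line in config.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] != "access-list" or parts[2] != "ethertype":
            continue
        name, action, etype = parts[1], parts[3], parts[4]
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line}")
        if etype in ("any", "bpdu"):
            selector = etype
        elif etype in KEYWORD_ETHERTYPES:
            selector = KEYWORD_ETHERTYPES[etype]
        else:
            selector = int(etype, 16)  # accepts "8847" and "0x8847"
            if selector < 0x600:
                raise ValueError(f"EtherType must be >= 0x600: {line}")
        acls.setdefault(name, []).append((action, selector))
    return acls


def evaluate(acl, frame):
    """frame is an int EtherType or the tag "bpdu"; returns 'permit' or 'deny'."""
    for action, selector in acl:
        if selector == "any" or selector == frame:
            return action
    return "deny"  # implicit deny at the end of every access list
```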





1 comment:

  1. Hi,

    Enterprises today install firewalls that do close monitoring of sessions between external and internal hosts and devices. A patented ASA algorithm utilizes source IP address, destination IP address, TCP sequence numbers, port numbers and TCP flags to examine and prevent unauthorized sessions.
