Saturday, November 23, 2013

Using Transparent Firewall Mode on an ASA

An ASA can be configured to operate in transparent firewall mode, such that it appears to operate as a Layer 2 device, without becoming a router hop or a gateway to its connected networks. This is also known as a Layer 2 firewall or a stealth firewall, because the ASA's interfaces have no assigned IP addresses and so cannot be addressed, detected, or manipulated directly. Only a single management address is used for traffic sourced by the transparent firewall itself or destined for a management session.

As a Layer 2 device, an ASA in transparent firewall mode can be installed or wedged into an existing network, separating the inside and outside without changing any IP address. This is commonly called a "bump-in-the-wire" because the ASA doesn't break or segment the IP subnet along a wire but instead more or less becomes part of the wire. This makes a new installation straightforward.

You can also think of a transparent mode firewall as a type of transparent bridge, where packets are bridged from one interface to another based only on their MAC addresses. The ASA must maintain a MAC address table of the source address learned from each received packet, along with the interface on which the packet arrived. Once a MAC address has been learned, the ASA can forward a packet to that address because it knows the egress interface where that same address was last seen.

Comparison of the Routed and Transparent Firewall Modes

Routed Firewall Mode

* Use only when IP packets are to be inspected.

* Network readdressing is necessary across the ASA.

* All interfaces can be used.

* All ASA interfaces are available.


Transparent Firewall Mode

* Use when non-IP packets must be forwarded.

* Network readdressing is not necessary.

* Only 2-4 interfaces can be used per bridge group.

* The following features are not available:

    - Dynamic routing protocols
    - Dynamic DNS
    - DHCP Relay
    - Multicast IP routing
    - Quality of service
    - VPN termination for transit traffic


Configuring Transparent Firewall Mode

Before you begin configuring transparent firewall mode, you should verify which mode is currently in use. You can do that with the show firewall EXEC command. By default, the ASA runs in routed (or "router") mode.

ciscoasa# show firewall
Firewall mode: Router


You can enable transparent firewall mode with the following command:

ciscoasa(config)# firewall ?

configure mode commands/options:
  transparent  Switch to transparent mode
ciscoasa(config)# firewall transparent
ERROR: Password recovery was not changed, unable to access
the configuration register.
COREDUMP UPDATE: open message queue fail: No such file or directory/2


Transparent firewall mode begins immediately and doesn't require a reload; however, because transparent and routed firewall modes use different approaches to network security, the running configuration will be cleared as soon as transparent mode begins. The idea is to enter transparent firewall mode and build an appropriate configuration from scratch.

For that reason, you should save the routed firewall mode running configuration to flash memory or to an external server before enabling transparent firewall mode. That way, you will have a copy of the configuration in case you need to revert to routed firewall mode or refer to some portion of that configuration. Because the configuration is cleared, ASDM does not offer any way to change the firewall mode.

Next, you will need to set aside ASA interfaces and configure them for transparent firewall use. For ASA release 8.4(1) or later, you can configure up to four interfaces as part of a bridge group. With earlier releases, you must use exactly two interfaces - one interface will face the "outside," less secure part of the network, while the other will face the "inside," more secure area.

Configure the interfaces exactly as you would with routed firewall mode, with the exception of any IP addresses, by supplying the following parameters:

* Interface speed and duplex mode

* Interface name

* Security level

* Bridge group number (ASA release 8.4(1) and later)


In ASDM, navigate to Configuration > Device Setup > Interfaces, select an interface, and click Edit.



If you choose to configure interfaces with the CLI instead, you can use the nameif, security-level, and bridge-group interface configuration commands.

ciscoasa(config)# interface gigabitethernet0
ciscoasa(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscoasa(config-if)# bridge-group ?

interface mode commands/options:
  <1-100>  Group number of this interface
ciscoasa(config-if)# bridge-group 1
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# interface gigabitethernet1
ciscoasa(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscoasa(config-if)# bridge-group 1
ciscoasa(config-if)# no shutdown


Next, assign a single IP address to each bridge group as a whole. This address will be used for management traffic, such as Telnet, SSH, HTTP, SNMP, syslog, TFTP, FTP, and so on. If you configure the ASA for multiple context mode, you should configure one IP address for each bridge group on each security context, including the admin context. From the interface list in ASDM, select Add and choose Bridge Virtual Interface (BVI).

ciscoasa(config-if)# interface ?

configure mode commands/options:
  BVI              Bridge-Group Virtual Interface
  GigabitEthernet  GigabitEthernet IEEE 802.3z
  Port-channel     Ethernet Channel of interfaces
  Redundant        Redundant Interface
  <cr>
ciscoasa(config-if)# interface bvi ?

configure mode commands/options:
  <1-100>  BVI interface number
ciscoasa(config-if)# interface bvi 1
ciscoasa(config-if)# ip address 192.168.1.1 255.255.255.0
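As an added pre-flight check (example code written for this post, not from Cisco or the ASA), the script below scans a configuration being prepared for transparent mode, flags any of the features the comparison list marks as unavailable, and checks that each bridge group has two to four members (exactly two for releases before 8.4(1)). The keyword patterns and the sample configuration are assumptions.

```python
import re

# Constructed sample of a config being prepared for transparent mode (not
# from the post): three bridge-group members plus leftover routed features.
SAMPLE_CONFIG = """\
interface GigabitEthernet0
 bridge-group 1
interface GigabitEthernet1
 bridge-group 1
interface GigabitEthernet2
 bridge-group 1
router ospf 1
dhcprelay server 10.0.0.5 outside
crypto map OUTSIDE_MAP 10 match address VPN_ACL
"""
# Features the post lists as unavailable in transparent mode; the matching
# config keywords are assumptions about how each feature appears.
UNSUPPORTED = {
    r"^router (ospf|eigrp|rip|bgp)\b": "Dynamic routing protocols",
    r"^ddns\b": "Dynamic DNS",
    r"^dhcprelay\b": "DHCP Relay",
    r"^multicast-routing\b": "Multicast IP routing",
    r"^priority-queue\b": "Quality of service",
    r"^crypto map\b": "VPN termination for transit traffic",
}

def unsupported_features(config):
    """Sorted names of listed-unavailable features the config still uses."""
    found = set()
    for line in config.splitlines():
        for pattern, feature in UNSUPPORTED.items():
            if re.match(pattern, line.strip()):
                found.add(feature)
    return sorted(found)

def bridge_group_members(config):
    """Map each bridge-group number to the interfaces assigned to it."""
    groups, current = {}, None
    for line in config.splitlines():
        if m := re.match(r"^interface (\S+)", line):
            current = m.group(1)
        elif (m := re.match(r"^\s+bridge-group (\d+)", line)) and current:
            groups.setdefault(int(m.group(1)), []).append(current)
    return groups

def bridge_group_problems(config, max_members=4):
    """(group, count) pairs outside 2..max_members: 4 for 8.4(1)+, 2 before."""
    return [(num, len(ifaces))
            for num, ifaces in sorted(bridge_group_members(config).items())
            if not 2 <= len(ifaces) <= max_members]
```

Run it against the saved routed-mode configuration before issuing firewall transparent, since anything it flags will have to be redesigned rather than carried over.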
