Cisco Systems ASA 5510 Network Router User Manual


  Open as PDF
of 2086
 
10-4
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 10 Configuring the Transparent or Routed Firewall
Configuring the Firewall Mode
multicast traffic such as that created by IP/TV. You can also establish routing protocol adjacencies
through a transparent firewall; you can allow OSPF, RIP, EIGRP, or BGP traffic through based on an
extended access list. Likewise, protocols like HSRP or VRRP can pass through the ASA.
BPDU Handling
To prevent loops using the Spanning Tree Protocol, BPDUs are passed by default. To block BPDUs, you
need to configure an EtherType access list to deny them. If you are using failover, you might want to
block BPDUs to prevent the switch port from going into a blocking state when the topology changes.
See the “Transparent Firewall Mode Requirements” section on page 65-11 for more information.
MAC Address vs. Route Lookups
When the ASA runs in transparent mode, the outgoing interface of a packet is determined by performing
a MAC address lookup instead of a route lookup.
Route lookups, however, are necessary for the following traffic types:
Traffic originating on the ASA—For example, if your syslog server is located on a remote network,
you must use a static route so the ASA can reach that subnet.
Traffic that is at least one hop away from the ASA with NAT enabled—The ASA needs to perform
a route lookup; you need to add a static route on the ASA for the real host address.
Voice over IP (VoIP) traffic with inspection enabled, and the endpoint is at least one hop away from
the ASA—For example, if you use the transparent firewall between a CCM and an H.323 gateway,
and there is a router between the transparent firewall and the H.323 gateway, then you need to add
a static route on the ASA for the H.323 gateway for successful call completion.
VoIP or DNS traffic with inspection enabled, with NAT enabled, and the embedded address is at least
one hop away from the ASA—To successfully translate the IP address inside VoIP and DNS packets,
the ASA needs to perform a route lookup; you need to add a static route on the ASA for the real host
address that is embedded in the packet.