Cisco Systems ASA 5580 Network Router User Manual
10-2
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 10 Configuring the Transparent or Routed Firewall
Configuring the Firewall Mode
Information About Routed Firewall Mode
In routed mode, the ASA is considered to be a router hop in the network. It can use OSPF or RIP (in single context mode). Routed mode supports many interfaces. Each interface is on a different subnet. You can share interfaces between contexts.
The ASA acts as a router between connected networks, and each interface requires an IP address on a different subnet. In single context mode, the routed firewall supports OSPF, EIGRP, and RIP. Multiple context mode supports static routes only. We recommend using the advanced routing capabilities of the upstream and downstream routers instead of relying on the ASA for extensive routing needs.
Information About Transparent Firewall Mode
Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a “bump in the wire,” or a “stealth firewall,” and is not seen as a router hop to connected devices.
This section describes transparent firewall mode and includes the following topics:
Transparent Firewall Network, page 10-2
Bridge Groups, page 10-2
Management Interface (ASA 5510 and Higher), page 10-3
Allowing Layer 3 Traffic, page 10-3
Allowed MAC Addresses, page 10-3
Passing Traffic Not Allowed in Routed Mode, page 10-3
BPDU Handling, page 10-4
MAC Address vs. Route Lookups, page 10-4
Using the Transparent Firewall in Your Network, page 10-5
Transparent Firewall Network
The ASA connects the same network between its interfaces. Because the firewall is not a routed hop, you can easily introduce a transparent firewall into an existing network.
Bridge Groups
If you do not want the overhead of security contexts, or want to maximize your use of security contexts, you can group interfaces together in a bridge group, and then configure multiple bridge groups, one for each network. Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within the ASA, and traffic must exit the ASA before it is routed by an external router back to another bridge group in the ASA. Although the bridging functions are separate for each bridge group, many other functions are shared between all bridge groups. For example, all bridge groups share a syslog server or AAA server configuration. For complete security policy separation, use security contexts with one bridge group in each context.
Note Each bridge group requires a management IP address. The ASA uses this IP address as the source address for packets originating from the bridge group. The management IP address must be on the same subnet as the connected network. For another method of management, see the “Management Interface (ASA 5510 and Higher)” section on page 10-3.
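As an added illustration that is not part of this guide (which configures these settings through ASDM), the equivalent CLI configuration for transparent mode with two isolated bridge groups, each with its own management IP on the subnet it bridges; the interface names, bridge-group numbers and the 10.1.1.0/24 and 10.2.2.0/24 subnets are assumed example values:

```cisco
! Switch the ASA to transparent (Layer 2) mode. Changing the firewall
! mode clears the running configuration, so apply this on a freshly
! provisioned device or from a saved configuration.
firewall transparent
!
! Bridge group 1: one management IP per bridge group, on the same subnet
! as the hosts it bridges (10.1.1.0/24 is an assumed example subnet).
interface BVI1
 ip address 10.1.1.1 255.255.255.0
!
interface GigabitEthernet0/0
 nameif outside
 bridge-group 1
 security-level 0
 no shutdown
!
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
 security-level 100
 no shutdown
!
! Bridge group 2: a separate network on an assumed 10.2.2.0/24 subnet.
! Traffic is never bridged or routed between bridge group 1 and bridge
! group 2 inside the ASA; it must leave the ASA and be routed back by an
! external router. Syslog and AAA settings remain shared by both groups.
interface BVI2
 ip address 10.2.2.1 255.255.255.0
!
interface GigabitEthernet0/2
 nameif dmz-outside
 bridge-group 2
 security-level 0
 no shutdown
!
interface GigabitEthernet0/3
 nameif dmz-inside
 bridge-group 2
 security-level 100
 no shutdown
```

Where the two networks need fully separate security policy (including syslog and AAA), place each bridge group in its own security context instead, as the section above recommends.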