Cisco Systems ASA 5585-X Network Router User Manual


Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 15 Completing Interface Configuration (Transparent Mode, 8.4 and Later)
Guidelines and Limitations
This section includes the guidelines and limitations for this feature.
Context Mode Guidelines

For the ASA 5510 and higher in multiple context mode, configure the physical interfaces in the system execution space according to Chapter 12, “Starting Interface Configuration (ASA 5510 and Higher).” Then, configure the logical interface parameters in the context execution space according to this chapter.

The ASA 5505 does not support multiple context mode.

You can only configure context interfaces that you already assigned to the context in the system configuration.

Firewall Mode Guidelines

You can configure up to 8 bridge groups in single mode or per context in multiple mode. Note that you must use at least 1 bridge group; data interfaces must belong to a bridge group.

Note: Although you can configure multiple bridge groups on the ASA 5505, the restriction of 2 data interfaces in transparent mode on the ASA 5505 means you can only effectively use 1 bridge group.

Each bridge group can include up to 4 interfaces.

For IPv4, a management IP address is required for each bridge group for both management traffic and for traffic to pass through the ASA.

Unlike routed mode, which requires an IP address for each interface, a transparent firewall has an IP address assigned to the entire bridge group. The ASA uses this IP address as the source address for packets originating on the ASA, such as system messages or AAA communications. In addition to the bridge group management address, you can optionally configure a management interface for some models; see the “Management Interface” section on page 12-2 for more information.

The management IP address must be on the same subnet as the connected network. You cannot set the subnet to a host subnet (255.255.255.255). The ASA does not support traffic on secondary networks; only traffic on the same network as the management IP address is supported. See the “Configuring Bridge Groups” section on page 15-7 for more information about management IP subnets.

For IPv6, at a minimum you need to configure link-local addresses for each interface for through traffic. For full functionality, including the ability to manage the ASA, you need to configure a global IPv6 address for each bridge group.

For multiple context mode, each context must use different interfaces; you cannot share an interface across contexts.

For multiple context mode, each context typically uses a different subnet. You can use overlapping subnets, but your network topology requires router and NAT configuration to make it possible from a routing standpoint.

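
The limits above can be checked against a planned layout before it is entered in ASDM. The following Python sketch is an added example, not part of the Cisco guide; the dictionary layout, context names, interface names and addresses are constructed for illustration, and it covers only the IPv4 rules.

```python
import ipaddress

MAX_BRIDGE_GROUPS = 8        # per single-mode ASA, or per context
MAX_IFACES_PER_GROUP = 4

def check_context(groups):
    """Return guideline violations for one context (or a single-mode ASA)."""
    problems = []
    if not 1 <= len(groups) <= MAX_BRIDGE_GROUPS:
        problems.append(f"{len(groups)} bridge groups, need 1 to {MAX_BRIDGE_GROUPS}")
    for gid, bg in groups.items():
        if len(bg["interfaces"]) > MAX_IFACES_PER_GROUP:
            problems.append(f"group {gid}: more than {MAX_IFACES_PER_GROUP} interfaces")
        if bg["mask"] == "255.255.255.255":
            problems.append(f"group {gid}: host mask not allowed for management IP")
            continue
        # The management IP must sit on the same subnet as the connected network.
        mgmt = ipaddress.ip_interface(f"{bg['mgmt_ip']}/{bg['mask']}")
        if mgmt.network != ipaddress.ip_network(bg["connected_net"]):
            problems.append(f"group {gid}: {mgmt.ip} is not on {bg['connected_net']}")
    return problems

def shared_interfaces(contexts):
    """Map each interface used by more than one context to those contexts."""
    owners = {}
    for ctx, groups in contexts.items():
        for bg in groups.values():
            for ifc in bg["interfaces"]:
                owners.setdefault(ifc, set()).add(ctx)
    return {ifc: sorted(c) for ifc, c in owners.items() if len(c) > 1}

# Constructed sample plan (hypothetical names, documentation address ranges).
CONTEXTS = {
    "ctx-a": {1: {"interfaces": ["Gi0/0", "Gi0/1"], "mgmt_ip": "192.0.2.10",
                  "mask": "255.255.255.0", "connected_net": "192.0.2.0/24"}},
    "ctx-b": {1: {"interfaces": ["Gi0/1", "Gi0/2", "Gi0/3", "Gi0/4", "Gi0/5"],
                  "mgmt_ip": "198.51.100.5", "mask": "255.255.255.255",
                  "connected_net": "198.51.100.0/24"},
              2: {"interfaces": ["Gi0/6"], "mgmt_ip": "203.0.113.9",
                  "mask": "255.255.255.0", "connected_net": "198.51.100.0/24"}},
}

if __name__ == "__main__":
    for name, groups in CONTEXTS.items():
        for problem in check_context(groups):
            print(f"{name}: {problem}")
    for ifc, ctxs in shared_interfaces(CONTEXTS).items():
        print(f"{ifc} is shared by contexts {', '.join(ctxs)}")
```
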
1. The maximum number of combined interfaces; for example, VLANs, physical, redundant, bridge group, and EtherChannel interfaces.