Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its screened subnets. A transparent firewall, on the other hand, is a Layer 2 device that acts like a “bump in the wire,” or a “stealth firewall,” and is not seen as a router hop to connected devices. The security appliance connects the same network on its inside and outside ports, acting as an access-control bridge; you assign different VLANs to each interface, and IP addressing is not used.

Thus, you can easily introduce a transparent firewall into an existing network—IP re-addressing is unnecessary—and maintenance is facilitated because there are no complicated routing patterns to troubleshoot and no NAT configuration.

Although the transparent-mode device acts as a bridge, Layer 3 traffic, such as IP traffic, cannot pass through the security appliance unless you explicitly permit it with specific access rules. The only traffic allowed through a firewall without an access list is ARP traffic, which you can control using ARP inspection, and IPv6 neighbor discovery.

When the security appliance runs in transparent mode, the outgoing interface of a packet is determined by performing a MAC address lookup instead of a route lookup. Route statements can still be configured, but they apply only to security appliance-originated traffic. For example, if your syslog server is located on a remote network, you must use a static route so the security appliance can reach that subnet.

Starting from Cisco Security Manager 4.13, the Bridge-group Virtual Interface (BVI) feature is extended to the routed firewall mode. Routed firewalls are implemented by means of configuring bridge-groups. A user can configure up to eight bridge groups and on an ASA 9.7.1 (Cisco Security Manager 4.13) each group can contain upto 64 interfaces. On versions prior to Cisco Security Manager 4.13, a user can configure a maximum of two bridge groups; with each group containing a maximum limit of four interfaces. In addition to the BVI features supported in the transparent mode, the routed firewall mode includes support for the following additional communication modes:

• Inter BVI communication

• BVI to Data Port communication (Layer 2 to Layer 3) and vice versa

To configure a transparent firewall, use the following policies. When configuring an ASA/PIX/FWSM device in multiple-context mode, configure these policies on each transparent security context.

• Firewall > Access Rules—Access rules control layer 3 and higher traffic using extended access control lists. In routed mode, some types of traffic cannot pass through the security appliance even if you allow it in an access list. For example, you can establish routing protocol adjacencies through a transparent firewall; you can allow OSPF, RIP, EIGRP, or BGP traffic through based on access rules. Likewise, protocols like HSRP or VRRP can pass through the security appliance. However, the transparent-mode security appliance does not pass CDP packets.

For features that are not directly supported on the transparent firewall, you can allow traffic to pass through so that upstream and downstream routers can provide those functions. For example, by using access rules, you can allow DHCP traffic to pass (instead of the unsupported DHCP relay feature), or multicast traffic such as that created by IP/TV.

For more information, see Understanding Access Rules and Configuring Access Rules.

• Firewall > Transparent Rules—Transparent rules control non-IP layer 2 traffic using Ethertype access control lists. For example, you can configure rules to allow AppleTalk, IPX, BPDUs, and MPLS to pass through the device. For more information, see Configuring Transparent Firewall Rules.

• Platform > Bridging > ARP Table, ARP Inspection and IPv6 Neighbor Cache—Use these policies to control the types of ARP and IPv6 traffic allowed through the bridge. If desired, you can configure static ARP and IPv6 neighbor cache entries and drop any traffic not defined by those static rules. Enable ARP inspection so that if a mismatch between the MAC address, the IP address, or the interface occurs, the security appliance drops the packet. This helps prevent ARP spoofing. For more information, see ARP Table Page and ARP Inspection Page.

Note	The ARP Table and IPv6 Neighbor Cache are the only bridging policies available for non-transparent ASA/PIX/FWSM devices.

• Platform > Bridging > MAC Address Table and MAC Learning—Use these policies to configure static MAC-IP address mappings and to enable or disable MAC learning. MAC learning is enabled by default, which allows the appliance to add MAC-IP address mappings as traffic passes through the interface. If you want to prevent all traffic except from static entries, you can disable MAC learning. For more information, see MAC Address Table Page and MAC Learning Page.

• Platform > Bridging > Management IP

• and Platform > Bridging > Management IPv6—Use these policies to configure a management IP address that Security Manager can use to communicate with the device.

Note	The Management IP and Management IPv6 pages are not available on Catalyst 6500 service modules (the Firewall Services Module and the Adaptive Security Appliance Service Module).

If you change the management IP address, you also need to update the device properties for the device or security context. Follow these steps:

• Change the management IP address, save and submit your changes.

• Deploy your changes to the device.

• In Device view, select the device or security context, then select Tools > Device Properties. On the General page, enter the new management IP address in the IP Address field. On the Credentials tab, update the username and password fields with account credentials that can log into the management interface. Security Manager will now use this address and user account for subsequent deployments and device communication.

For more information, see Management IP Page.

Note	From version 4.17, though Cisco Security Manager continues to support FWSM features/functionality, it does not support any bug fixes or enhancements.

Although FWSM 3.1 can support multiple L2 interface pairs, Security Manager lets you specify no more than two L2 interfaces (a single interface pair), and one associated management IP address. That means only one bridge group with two named interfaces associated is provisioned with a management IP address. If the device configuration contains a maximum of one bridge group and two named interfaces, it is valid for discovery. All other scenarios result in an error message and the commands are ignored during discovery. Furthermore, discovery will not show any bridge-group information in Security Manager, although the bridge-group commands will be generated during deployment. Bridge group 1 will be deployed and used in transparent rule policies if no bridge group exists in the device configuration.

Use the ARP Table page to add static ARP entries that map a MAC address to an IP address and identifies the interface through which the host is reached.

Use the ARP Inspection page to configure ARP inspection for a transparent firewall. ARP inspection is used to prevent ARP spoofing.

Use the IPv6 Neighbor Cache page to manage static IPv6 neighbor entries that map a MAC address to an IPv6 address, and identify the interface through which the neighbor host is reached, to provide address-resolution functions for IPv6. This is available on ASA 7.0+ devices only.

Note	The IPv6 Neighbor Cache entries are the IPv6 equivalent of the static ARP entries, managed on the ARP Table Page.

If an entry for a specified IPv6 address already exists in the neighbor discovery cache—learned through the IPv6 neighbor discovery process—the entry is automatically converted to a static entry. Static entries in the IPv6 neighbor discovery cache are not modified by the neighbor discovery process.

The IPv6 Neighbor Cache page is a standard Security Manager table, with Add Row, Edit Row and Delete Row buttons. (These are standard buttons, as described in Using Tables.) The Add Row button opens the Add IPv6 Neighbor Cache Configuration dialog box, and Edit Row opens the Edit IPv6 Neighbor Cache Configuration dialog box. Other than the titles, the two dialog boxes are identical.

Note	Ensure that IPv6 is enabled on at least one interface before trying to add a neighbor.

Use the MAC Address Table page to add static MAC address entries to the MAC Address table. The table associates the MAC address with the source interface so that the security appliance knows to send any packets addressed to the device out the correct interface.

Use the MAC Learning page to enable or disable MAC address learning on an interface. By default, each interface learns the MAC addresses of entering traffic, and the security appliance adds corresponding entries to the MAC address table. You can disable MAC address learning if desired; however, unless you statically add MAC addresses to the table, no traffic can pass through the security appliance.

A transparent firewall does not participate in IP routing. The only IP configuration required for the device is specification of a management IP address, which is used as the source address for traffic originating on the device, such as system messages or communications with AAA servers. You can also use this address for remote-management access.

For IPv4 traffic, the management IP address is required to pass any traffic.

Note	In addition to the management IP address for the device, you can configure an IP address for the Management 0/0 or 0/1 management-only interface. This IP address can be on a separate subnet from the main management IP address.

Use the Management IP page to set the management IP address for a security device, or for a context in transparent firewall mode.

A transparent firewall does not participate in IP routing. The only IP configuration required for the device is specification of a management IP address, which is used as the source address for traffic originating on the device, such as system messages or communications with AAA servers. You can also use this address for remote-management access.

For IPv6 traffic, you must, at a minimum, configure the link-local addresses to pass traffic, but a global management address is recommended for full functionality, including remote management and other management operations. If you configure the global address, a link-local address is automatically configured on each interface, so you do not also need to specifically configure a link-local address. However, if you do not configure a global management address, you need to configure interface link-local addresses, as described in Configuring IPv6 Interfaces (ASA/FWSM). Note that you can configure both IPv6 and IPv4 management addresses on a device.

On an ASA 5505 in transparent mode, use the Management IPv6 page to enable IPv6, configure neighbor solicitation, and manage IPv6 interface addresses.

Note	This page is available only on ASA 5505 version 8.2 and 8.3 devices in transparent mode.