Configure Transparent Firewall Mode
Transparent firewall mode overview

Traditionally, a firewall is a routed hop and acts as the default gateway for hosts that connect to one of its screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a bump in the wire, or a stealth firewall, and is not seen as a router hop by connected devices. The PIX Security Appliance connects the same network on its inside and outside ports, but each interface resides on a different VLAN.

Note the following:

  • Transparent mode only supports two interfaces, typically an inside interface and an outside interface.
  • Transparent mode can run in both single and multiple context mode.
  • The PIX Security Appliance bridges packets from one VLAN to the other instead of routing them.
  • MAC lookups are performed instead of routing table lookups.

Because the PIX Security Appliance is not a routed hop, it is easy to introduce a transparent firewall into an existing network. IP readdressing is unnecessary. Maintenance is simpler because there are no complicated routing patterns to troubleshoot and no NAT configuration.

Even though transparent mode acts as a bridge, Layer 3 traffic, such as IP traffic, cannot pass through the PIX Security Appliance without an access list. The transparent firewall can allow any traffic through using either an extended access list, for IP traffic, or an EtherType access list, for non-IP traffic. The only traffic allowed through the transparent firewall without an access list is ARP traffic, and ARP traffic can be controlled by ARP inspection.

NOTE:

The transparent PIX Security Appliance does not pass Cisco Discovery Protocol (CDP) packets.

Because the PIX Security Appliance is now acting as a bridge, device IP addressing should be configured as if the PIX were not in the network. A management IP address is required for connectivity to and from the PIX itself, and it must be on the same subnet as the connected network. Keep in mind that, as a Layer 2 device, the PIX interfaces must be on different VLANs to differentiate the traffic flow.

The following features are not supported in transparent mode:

  • NAT – NAT is performed on the upstream router.
  • Dynamic routing protocols – The administrator can, however, add static routes for traffic originating on the PIX Security Appliance. Dynamic routing protocols can be allowed through the PIX using an extended access list.
  • IPv6
  • DHCP relay – The transparent firewall can act as a DHCP server, but it does not support the DHCP relay commands. DHCP relay is not required because DHCP traffic can be allowed to pass through using an extended access list.
  • Quality of Service
  • Multicast – The administrator can, however, allow multicast traffic through the PIX Security Appliance by allowing it in an extended access list.
  • VPN termination for through traffic – The transparent firewall supports site-to-site VPN tunnels for management connections only. It does not terminate VPN connections for traffic passing through the PIX Security Appliance. VPN traffic can be allowed to pass through using an extended access list, but the PIX does not terminate those non-management connections.
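The following configuration is an added example, not part of the original page, that puts the pieces above together on a PIX 7.x in single context mode: transparent mode, the single management IP on the bridged subnet, a static route for PIX-originated traffic only, an extended access list for IP traffic, an EtherType access list for non-IP frames, and ARP inspection. All addresses, MAC addresses, interface names and access-list names are constructed placeholders.

```cisco
! Added example (not from the original page). Addresses and MACs are constructed.
firewall transparent
!
! Two interfaces only; the switch must place them in different VLANs.
interface Ethernet0
 nameif outside
 security-level 0
 no shutdown
interface Ethernet1
 nameif inside
 security-level 100
 no shutdown
!
! One management address for the whole appliance, on the subnet that
! the two interfaces bridge (10.1.1.0/24 here). Hosts keep their addressing.
ip address 10.1.1.3 255.255.255.0
!
! Static route only for traffic the PIX itself originates (syslog, AAA,
! management sessions). Through-traffic is bridged, never routed.
route outside 0.0.0.0 0.0.0.0 10.1.1.1
!
! Extended access lists for IP traffic: without one, only ARP is bridged.
access-list OUTSIDE_IN extended permit tcp any host 10.1.1.20 eq www
access-list OUTSIDE_IN extended deny ip any any log
access-list INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 any
!
! EtherType access list for non-IP frames, here spanning-tree BPDUs so the
! switches on either side still see each other's topology.
access-list NONIP ethertype permit bpdu
!
! Both an extended and an EtherType list may be applied per direction.
access-group OUTSIDE_IN in interface outside
access-group NONIP in interface outside
access-group INSIDE_IN in interface inside
access-group NONIP in interface inside
!
! ARP inspection: pin the upstream router's MAC, then drop any ARP that
! contradicts it. "flood" still forwards ARP for hosts without a static
! entry; switch to "no-flood" only once every host has one.
arp outside 10.1.1.1 00aa.bbcc.dd01
arp-inspection outside enable flood
arp-inspection inside enable flood
```

Verify with `show firewall` (mode), `show arp-inspection` and `show access-list` before cutting traffic over; the `log` keyword on the final deny makes rejected flows visible in syslog.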
