Traditionally, a firewall is a routed hop and acts as the default
gateway for hosts that connect to one of its screened subnets. A transparent
firewall, on the other hand, is a Layer 2 firewall that acts like a bump in the
wire, or a stealth firewall, and is not seen as a router hop by connected
devices. The PIX Security Appliance connects the same IP network on its inside
and outside interfaces, but each interface resides on a different VLAN.
Note the following:
- Transparent mode only supports two interfaces, typically an inside
interface and an outside interface.
- Transparent mode can run in both single and multiple context mode.
- The PIX Security Appliance bridges packets from one VLAN to the other
instead of routing them.
- MAC lookups are performed instead of routing table lookups.
Because the PIX Security Appliance is not a routed hop, it is easy to
introduce a transparent firewall into an existing network. IP readdressing is
unnecessary. Maintenance is facilitated because there are no complicated
routing patterns to troubleshoot and no NAT configuration.
Even though transparent mode acts as a bridge, Layer 3 traffic, such as IP
traffic, cannot pass through the PIX Security Appliance unless it is explicitly
permitted. The transparent firewall can allow traffic through using either an
extended access list, for IP traffic, or an EtherType access list, for non-IP
traffic. The only traffic allowed through the transparent firewall without an
access list is ARP traffic, and ARP traffic can be controlled with ARP
inspection.
NOTE: The transparent PIX Security Appliance does not pass Cisco Discovery
Protocol (CDP) packets.
Because the PIX Security Appliance is now acting as a bridge, device IP
addressing should be configured as if the PIX were not in the network. A
management IP address is required for connectivity to and from the PIX itself,
and it must be on the same subnet as the connected network. Keep in mind that,
as a Layer 2 device, the PIX requires its interfaces to be on different VLANs to
differentiate the traffic flow.
The following features are not supported in transparent mode:
- NAT – NAT is performed on the upstream router.
- Dynamic routing protocols – The administrator can, however, add static
routes for traffic originating on the PIX Security Appliance. Dynamic routing
protocol traffic can be allowed through the PIX using an extended access list.
- IPv6
- DHCP relay – The transparent firewall can act as a DHCP server, but it does
not support the DHCP relay commands. DHCP relay is not required because DHCP
traffic can be allowed to pass through using an extended access list.
- Quality of Service
- Multicast – The administrator can, however, allow multicast traffic through
the PIX Security Appliance by permitting it in an extended access list.
- VPN termination for through traffic – The transparent firewall supports
site-to-site VPN tunnels for management connections only. It does not
terminate VPN connections for traffic passing through the PIX Security
Appliance. VPN traffic can be passed through the PIX by permitting it in an
extended access list, but the PIX does not terminate those non-management
connections.
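The configuration below is an added example that ties together the points above (the global management address on the bridged subnet, a static route for PIX-originated traffic, extended access lists that explicitly permit DHCP, dynamic routing and multicast through the bridge, an EtherType access list for non-IP frames, and ARP inspection). It is not taken from the original page or from Cisco's documentation; the interface names, the 192.168.1.0/24 subnet, the router address 192.168.1.1 and its MAC address, and the access-list names are all assumed for illustration.

```cisco
! Added example: PIX 7.x transparent-mode configuration. Addresses, interface
! names, the upstream MAC and ACL names are assumed, not from the original page.
firewall transparent
!
! Transparent mode bridges exactly two interfaces. The switch ports they
! connect to must sit on different VLANs even though both carry 192.168.1.0/24.
interface Ethernet0
 nameif outside
 security-level 0
 no shutdown
interface Ethernet1
 nameif inside
 security-level 100
 no shutdown
!
! The management address is configured globally, not per interface, and must
! be on the same subnet as the bridged network (hosts keep their addressing).
ip address 192.168.1.10 255.255.255.0
!
! No dynamic routing on the PIX; a static route covers traffic the PIX itself
! originates (syslog, AAA, management sessions). Through traffic is bridged.
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
!
! Extended ACL inbound on outside: broadcast/multicast traffic such as DHCP
! offers, OSPF hellos and other multicast is only bridged if permitted here.
access-list OUTSIDE_IN extended permit udp any eq bootps any eq bootpc
access-list OUTSIDE_IN extended permit ospf any any
access-list OUTSIDE_IN extended permit ip any 224.0.0.0 240.0.0.0
access-group OUTSIDE_IN in interface outside
!
! Applying an ACL on inside replaces the default higher-to-lower permit, so the
! inside rule set must list ordinary traffic as well as DHCP discover/request.
access-list INSIDE_IN extended permit udp any eq bootpc any eq bootps
access-list INSIDE_IN extended permit ospf any any
access-list INSIDE_IN extended permit ip 192.168.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! EtherType ACL for non-IP frames: let spanning-tree BPDUs cross the bridge so
! the switches on either side do not form a loop; everything else non-IP is
! dropped by the implicit deny (CDP is never passed regardless).
access-list ETH_BRIDGE ethertype permit bpdu
access-group ETH_BRIDGE in interface outside
access-group ETH_BRIDGE in interface inside
!
! ARP is the one protocol bridged without an ACL. A static entry for the
! upstream router (assumed MAC) plus ARP inspection makes the PIX drop, rather
! than flood, any ARP reply that contradicts the static binding.
arp outside 192.168.1.1 0000.0c07.ac01
arp-inspection outside enable no-flood
arp-inspection inside enable flood
```

With `no-flood` on outside, an ARP packet whose IP/MAC pair does not match a static entry is dropped; with `flood` on inside, unknown pairs are still forwarded but any that conflict with a static entry are dropped, which is the usual compromise when the inside hosts are not all pinned. NAT, DHCP relay and VPN termination for through traffic are absent from the example because, as the list above says, transparent mode does not provide them; NAT stays on the upstream router at 192.168.1.1.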