Configure Transparent Firewall Mode
Enable transparent firewall mode

Use the show firewall command to view the current firewall mode. The mode will either be routed or transparent. To set the firewall mode to transparent mode, use the firewall transparent command in global configuration mode. To restore routed mode, use the no form of this command.

For multiple context mode, only one firewall mode can be used for all contexts. The mode must be set in the system configuration. This command also appears in each context configuration for informational purposes only. This command cannot be entered in a context.

When the mode is changed, the PIX Security Appliance clears the configuration because many commands are not supported for both modes.

NOTE:

If a configuration already exists, be sure to back up the configuration before changing the mode. This backup can be used for reference when creating a new configuration.

If a text configuration that changes the mode with the firewall transparent command is downloaded to the PIX Security Appliance, be sure to put the command at the top of the configuration. The PIX changes the mode as soon as it reads the command, and then continues reading the configuration that was downloaded. If the command is later in the configuration, the PIX clears all the preceding lines in the configuration.

A transparent firewall does not participate in IP routing. The only IP configuration required for the PIX Security Appliance is to set the management IP address. This address is required because the PIX uses this address as the source address for traffic originating on the PIX, such as system messages or communications with AAA servers. This address can also be used for remote management access. This address must be on the same subnet as the upstream and downstream routers. For multiple context mode, set the management IP address within each context.

ACLs
The transparent firewall can allow any traffic through using either an extended access list, for IP traffic, or an EtherType access list, for non-IP traffic [5]. For example, routing protocol adjacencies can be established through a transparent firewall. OSPF, RIP, EIGRP, or BGP traffic can be allowed through based on an extended access list. Protocols like HSRP or VRRP can also pass through the PIX Security Appliance.

For features that are not directly supported on the transparent firewall, traffic can be allowed to pass through so that upstream and downstream routers can support the functionality. For example, an extended access list can allow DHCP traffic to pass through, in place of the unsupported DHCP relay feature, or multicast traffic such as that generated by IP/TV.

To configure an access list that controls traffic based on its EtherType, use the access-list ethertype command in global configuration mode.

Because EtherTypes are connectionless, the ACL must be applied to both interfaces for traffic to pass in both directions.

The PIX Security Appliance can control any EtherType identified by a 16-bit hexadecimal number. EtherType ACLs support Ethernet V2 frames. 802.3-formatted frames are not handled by the ACL because they use a length field as opposed to a type field. Bridge protocol data units, which are handled by the ACL, are the only exception. They are SNAP-encapsulated, and the PIX is designed to specifically handle BPDUs.

Only one ACL of each type, extended and EtherType, can be applied to each direction of an interface. The same ACLs can be applied on multiple interfaces.

Predefined EtherType keywords are as follows:

  • ipx
  • bpdu
  • mpls

Other Ethernet V2/DIX-encapsulated frames can be allowed based on their 2-byte EtherType. 802.3-encapsulated frames cannot pass through the firewall at this time.

ARP Inspection
ARP inspection prevents malicious users from impersonating, or spoofing, other hosts or routers. ARP spoofing can enable a man-in-the-middle attack. Configure static ARP entries using the arp command before enabling ARP inspection. When ARP inspection is enabled, the PIX Security Appliance compares the MAC address, IP address, and source interface in all ARP packets to static entries in the ARP table, and takes the following actions:

  • If the IP address, MAC address, and source interface match an ARP entry, the packet is passed through.
  • If there is a mismatch between the MAC address, the IP address, or the interface, then the PIX Security Appliance drops the packet.
  • If the ARP packet does not match any entries in the static ARP table, then the PIX Security Appliance can be set to either flood the packet out all interfaces, or to drop the packet.

NOTE:

The management-specific interface, if present, never floods packets even if this parameter is set to flood.
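The steps above (mode change, management address, extended and EtherType access lists applied in both directions, static ARP entries followed by ARP inspection) put together as one constructed configuration fragment. This is an added example, not a configuration from the original text; the interface names, IP addresses and MAC addresses are assumed.

```cisco
! Constructed example (assumed interface names, addresses and MACs).
! All commands are entered in global configuration mode.
!
! 1. Switch to transparent mode. In a downloaded text configuration this
!    line must come first: the PIX clears every line read before it.
firewall transparent
!
! 2. Name the two bridged interfaces. No per-interface IP address is set.
interface Ethernet0
 nameif outside
 security-level 0
 no shutdown
interface Ethernet1
 nameif inside
 security-level 100
 no shutdown
!
! 3. The single management IP address, on the same subnet as the upstream
!    and downstream routers; used as the source for syslog and AAA traffic.
ip address 192.0.2.2 255.255.255.0
!
! 4. Extended ACL for IP traffic: let OSPF adjacencies form across the PIX.
access-list IP-THROUGH extended permit ospf any any
access-group IP-THROUGH in interface outside
access-group IP-THROUGH in interface inside
!
! 5. EtherType ACL for non-IP frames. EtherTypes are connectionless, so the
!    same list is applied on both interfaces to pass frames in both directions.
access-list ETH-THROUGH ethertype permit bpdu
access-list ETH-THROUGH ethertype permit ipx
access-group ETH-THROUGH in interface outside
access-group ETH-THROUGH in interface inside
!
! 6. Static ARP entries for the adjacent routers, before enabling inspection.
arp outside 192.0.2.1 0000.0c12.3456
arp inside 192.0.2.254 0000.0c65.4321
!
! 7. Enable ARP inspection. no-flood drops ARP packets that match no static
!    entry; flood would forward them out all interfaces (never a management
!    interface). A packet whose IP, MAC or interface mismatches an entry is
!    always dropped.
arp-inspection outside enable no-flood
arp-inspection inside enable no-flood
```

Verify the result afterwards with show firewall, show access-list and show arp-inspection from privileged EXEC mode.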
