Use the show firewall command to view the current firewall mode. The mode will either be routed or transparent. To set the firewall mode to transparent mode, use the firewall transparent command in global configuration mode. To restore routed mode, use the no form of this command.
For multiple context mode, only one firewall mode can be used for all contexts. The mode must be set in the system configuration. This command also appears in each context configuration for informational purposes only. This command cannot be entered in a context.
When the mode is changed, the PIX Security Appliance clears the configuration because many commands are not supported for both modes.
NOTE: If a configuration already exists, be sure to back up the configuration before changing the mode. This backup can be used for reference when creating a new configuration.
If a text configuration that changes the mode with the
firewall transparent command is downloaded to the PIX
Security Appliance, be sure to put the command at the top of the configuration.
The PIX changes the mode as soon as it reads the command, and then continues
reading the configuration that was downloaded. If the command is later in the
configuration, the PIX clears all the preceding lines in the configuration.
A transparent firewall does not participate in IP routing. The only IP configuration required for the PIX Security Appliance is to set the management IP address. This address is required because the PIX uses this address as the source address for traffic originating on the PIX, such as system messages or communications with AAA servers. This address can also be used for remote management access. This address must be on the same subnet as the upstream and downstream routers. For multiple context mode, set the management IP address within each context.
ACLs
The transparent firewall can allow any traffic through using either an extended access list, for IP traffic, or an EtherType access list, for non-IP traffic [5]. For example, routing protocol adjacencies can be established through a transparent firewall. OSPF, RIP, EIGRP, or BGP traffic can be allowed through based on an extended access list. Protocols like HSRP or VRRP can also pass through the PIX Security Appliance.
For features that are not directly supported on the transparent firewall, traffic can be allowed to pass through so that upstream and downstream routers can support the functionality. For example, an extended access list can allow DHCP traffic to pass through (in place of the unsupported DHCP relay feature), or multicast traffic such as that generated by IP/TV.
To configure an access list that controls traffic based on its EtherType, use the access-list ethertype command in global configuration mode. Because EtherTypes are connectionless, the ACL must be applied to both interfaces for traffic to pass in both directions.
The PIX Security Appliance can control any EtherType identified by a 16-bit
hexadecimal number. EtherType ACLs support Ethernet V2 frames. 802.3-formatted
frames are not handled by the ACL because they use a length field as opposed to
a type field. Bridge protocol data units, which are handled by the ACL, are the
only exception. They are SNAP-encapsulated, and the PIX is designed to
specifically handle BPDUs.
Only one ACL of each type, extended and EtherType, can be applied to each direction of an interface. The same ACLs can be applied on multiple interfaces.
Predefined EtherTypes are as follows:
- ipx
- bpdu
- mpls
- Other Ethernet V2/DIX-encapsulated frames can be allowed based on their 2-byte EtherType.
- 802.3-encapsulated frames cannot pass through the firewall at this time.
ARP Inspection
ARP inspection prevents malicious users from impersonating, or spoofing, other hosts or routers. ARP spoofing can enable a man-in-the-middle attack. Configure static ARP entries using the arp command before enabling ARP inspection. When ARP inspection is enabled, the PIX Security Appliance compares the MAC address, IP address, and source interface in all ARP packets to static entries in the ARP table, and takes the following actions:
- If the IP address, MAC address, and source interface match an ARP entry, the packet is passed through.
- If there is a mismatch between the MAC address, the IP address, or the interface, then the PIX Security Appliance drops the packet.
- If the ARP packet does not match any entries in the static ARP table, then the PIX Security Appliance can be set to either flood the packet out all interfaces, or to drop the packet.
NOTE: The management-specific interface, if present, never floods packets even if this parameter is set to flood.
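The commands described in this section, assembled into one constructed example configuration for a single-context PIX in transparent mode. This is an added illustration, not text from the original page; it assumes the two interfaces are already named inside and outside, and the addresses, MAC addresses and ACL names are made up.

```cisco
! firewall transparent must be the first line: the PIX switches mode as soon
! as it reads it and clears every configuration line read before it.
firewall transparent
! The only IP configuration a transparent firewall needs: the management
! address, on the same subnet as the upstream and downstream routers.
ip address 192.168.1.2 255.255.255.0
!
! Extended ACL for IP traffic: let OSPF adjacencies form through the firewall.
access-list IP-IN extended permit ospf any any
access-group IP-IN in interface outside
!
! EtherType ACL for non-IP traffic (BPDUs). EtherTypes are connectionless, so
! the same ACL is applied to both interfaces for traffic to pass both ways.
access-list NONIP ethertype permit bpdu
access-group NONIP in interface inside
access-group NONIP in interface outside
!
! Static ARP entries first, then ARP inspection. no-flood drops ARP packets
! that match no static entry instead of flooding them out all interfaces.
arp inside 192.168.1.10 0011.2233.4455
arp outside 192.168.1.1 00aa.bbcc.ddee
arp-inspection inside enable no-flood
arp-inspection outside enable no-flood
```

After loading the configuration, show firewall confirms that the appliance is running in transparent mode.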