Configure Transparent Firewall Mode
Monitor and maintain a transparent firewall

The PIX Security Appliance learns and builds a MAC address table in a similar way as a normal bridge or switch. When a device sends a packet through the PIX, it adds the MAC address to its table. The table associates the MAC address with the source interface so that the PIX knows to send any packets addressed to the device out the correct interface.

Because the PIX Security Appliance is a firewall, if the destination MAC address of a packet is not in the table, the PIX does not flood the original packet on all interfaces as a normal bridge does. Instead, it generates the following packets for directly connected devices or for remote devices:

  • Packets for directly connected devices – The PIX Security Appliance generates an ARP request for the destination IP address, so that PIX can learn which interface receives the ARP response.
  • Packets for remote devices – The PIX Security Appliance generates a ping to the destination IP address so that the PIX can learn which interface receives the ping reply.

The original packet is dropped.
By default, each interface automatically learns the MAC addresses of entering traffic, and the PIX Security Appliance adds corresponding entries to the MAC address table. MAC address learning can be disabled if desired; however, unless MAC addresses are statically added to the table, no traffic can pass through the PIX.

Normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular MAC address enters an interface. Static MAC addresses can be added to the MAC address table if desired. One benefit of adding static entries is to guard against MAC spoofing. If a client with the same MAC address as a static entry attempts to send traffic to an interface that does not match the static entry, then the PIX Security Appliance drops the traffic and generates a system message.

The entire MAC address table, including static and dynamic entries for both interfaces, can be viewed, or the MAC address table for a single interface can be viewed.
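The following Python model, added here as an illustration and not PIX code, walks through the table behaviour described above: dynamic learning, static entries as a guard against MAC spoofing, the effect of disabling learning, and the no-flood handling of unknown destinations (ARP request for a directly connected address, ping for a remote one, original packet dropped). The interface names, the single bridged subnet and the syslog text are assumptions of the example.

```python
"""Model of the transparent-mode MAC address table (constructed example)."""
import ipaddress


class TransparentMacTable:
    def __init__(self, connected_net):
        # mac -> (interface, kind); kind is 'static' or 'dynamic'
        self.entries = {}
        # assumption: two interfaces bridging one connected subnet
        self.learning = {"inside": True, "outside": True}
        self.connected = ipaddress.ip_network(connected_net)
        self.syslog = []  # system messages the model would generate

    def add_static(self, mac, interface):
        self.entries[mac] = (interface, "static")

    def disable_learning(self, interface):
        self.learning[interface] = False

    def ingress(self, src_mac, in_iface):
        """Learn the source MAC of an entering frame.

        Returns False when the frame is dropped: a static entry bound to
        another interface (spoofing guard, logged), or learning disabled
        with no static entry present.
        """
        entry = self.entries.get(src_mac)
        if entry and entry[1] == "static" and entry[0] != in_iface:
            self.syslog.append(
                f"static MAC {src_mac} arrived on {in_iface}, "
                f"bound to {entry[0]}: traffic dropped")
            return False
        if entry is None:
            if not self.learning[in_iface]:
                return False
            self.entries[src_mac] = (in_iface, "dynamic")
        elif entry[1] == "dynamic":
            self.entries[src_mac] = (in_iface, "dynamic")  # host moved
        return True

    def egress(self, dst_mac, dst_ip):
        """Decide how to handle a frame for dst_mac (a known MAC is forwarded
        out its interface; an unknown MAC is never flooded)."""
        if dst_mac in self.entries:
            return ("forward", self.entries[dst_mac][0])
        # unknown destination: probe to learn the interface, drop the original
        if ipaddress.ip_address(dst_ip) in self.connected:
            return ("arp-request", "dropped")
        return ("ping", "dropped")
```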

Two new debug commands have been introduced with regard to transparent firewall mode:

  • debug arp inspection – Shows debug messages for ARP inspection.
  • debug mac-address-table – Shows debug messages for the MAC address table.

Lab Activity

Lab Exercise: Configure a PIX Security Appliance as a Transparent Firewall

In this lab activity, students will configure a PIX Security Appliance in transparent mode.