Sep
28

This blog will examine the basic setup of the transparent firewall feature available with the PIX and the ASA. This blog was based on the PIX-525 running 7.2(4) code with a Restricted license in GNS3. Here is the topology that was used:

Remember, that a transparent firewall resides WITHIN a subnet and is easy to implement in an existing network where re-addressing to introduce a firewall might be difficult. This configuration is sometimes known as a “stealth” firewall or a “bump on the wire”. Thanks to the fact that the firewall lives within the subnet, instead of between it, the device has the ability to filter traffic between hosts within the subnet. Note that the traditional Layer 3 firewall can only filter traffic moving between subnets. This should remind you of the difference between a VLAN Access Control List versus a Router-based Access Control List.
Well, with the introductions out of the way, let’s do what we love best, let’s get to the command line.
The first thing I will do is configure and verify the transparent firewall feature and then name our PIX:

pixfirewall> en
Password:
pixfirewall# conf t
pixfirewall(config)#  firewall transparent
pixfirewall(config)# show firewall
Firewall mode: Transparent
pixfirewall(config)# hostname LAYER2FIREWALL
LAYER2FIREWALL(config)#

Excellent, now that the firewall is in transparent mode, let’s take care of the inside and outside interfaces. When in transparent mode, you are limited to the use of two interfaces for passing traffic. Notice how the interfaces are not configured with IP addresses.

LAYER2FIREWALL(config)# int e1
LAYER2FIREWALL(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
LAYER2FIREWALL(config-if)# no shut
LAYER2FIREWALL(config-if)# exit
LAYER2FIREWALL(config)# int e0
LAYER2FIREWALL(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
LAYER2FIREWALL(config-if)# no shut
LAYER2FIREWALL(config-if)# sh int ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0                  unassigned      YES unset  up                    up
Ethernet1                  unassigned      YES unset  up                    up
Ethernet2                  unassigned      YES unset  administratively down up
Ethernet3                  unassigned      YES unset  administratively down up
Ethernet4                  unassigned      YES unset  administratively down up

I am sure this output looks a little strange for those of you that have not played with this feature. Just as unusual is the fact that all of the interfaces facing this device are addressed in the 10.0.0.0/24 subnet.

A requirement of the transparent firewall is that it must have an IP address assigned in global configuration mode for management access.  Notice for verification we can see that our traffic forwarding interfaces are now “listening” on that IP address:

LAYER2FIREWALL(config)# ip address 10.0.0.22 255.255.255.0
LAYER2FIREWALL(config)# sh int ip brief
Interface                  IP-Address      OK? Method Status                Protocol
Ethernet0                  10.0.0.22       YES unset  up                    up 
Ethernet1                  10.0.0.22       YES unset  up                    up 
Ethernet2                  unassigned      YES unset  administratively down up 
Ethernet3                  unassigned      YES unset  administratively down up 
Ethernet4                  unassigned      YES unset  administratively down up

Let us now test the “out of the box” functionality of the security device. I will initiate a Telnet session from the Inside interface to a device located on the Outside interface. This communication should be permitted due to the Adaptive Security Algorithm and the default security levels on our interfaces. Notice how we can easily verify the connection of the appliance.

R1#telnet 10.0.0.10
Trying 10.0.0.10 ... Open
User Access Verification
Password:
R0>
LAYER2FIREWALL(config)# show conn
1 in use, 1 most used
TCP outside 10.0.0.10:23 inside 10.0.0.1:25501, idle 0:00:03, bytes 102, flags UIO

Let’s now permit Telnet connections from our management workstation (played by R2) and ensure we have connectivity to the PIX.

LAYER2FIREWALL(config)# telnet 10.0.0.20 255.255.255.255 Inside
R2#telnet 10.0.0.22
Trying 10.0.0.22 ... Open
User Access Verification
Password:
Type help or '?' for a list of available commands.
LAYER2FIREWALL>

Well, I am sure I will blog more on this Layer 2 firewall at a later point, but I sure do thank you for stopping by to read this initial post.


You can leave a response, or trackback from your own site.

11 Responses to “Transparent Firewall – Things That Go Bump on the Wire!”

 
  1. Maxwell says:

    Hi,

    is it always necessary to have a default route on the transparent firewall? can you please advice the reason behind it ?

    in multiple context mode when you put the FW to transparent you cant share the interfaces like in Routed mode , any reason why ?

    Regards
    Maxwell Noel

  2. Hi Maxwell!
    The default route you see on a transparent firewall is to set the default gateway for the local security appliance. This is to handle local traffic generated by the appliance that needs to go off the local subnet. A great example is when the device is relying to queries from a remote network management station.
    Great job identifying the fact that interfaces in multiple context mode cannot be shared between contexts like in routed mode! I have never seen Cisco document why, but my guess would be that there are fewer ways in which to distinguish which packets are destined for which interfaces when in Layer 2 mode.
    Thanks for reading, and I am sitting in Jury Duty right now composing another Transparent Mode post…look for it later today!

  3. Ouajih OUAJA says:

    Hi,

    I guess that the firewall can not share interfaces in transparent mode because the tiebraker that the classifier will use to classify packet is NAT !. This feature is not supported in L2 mode at least in vesion 7.2! (Perhaps in version 8.x, witch support NAT).

    Even the layer 2 classification ( whne sharing outside interface ) will not work since the outside interface has not an IP address. The firewall will switch the allowed packet beween interfaces ( so it keep th eoriginal mac-address ).

    Could you please explain more what do you mean by : “Note that the traditional Layer 3 firewall can only filter traffic moving between subnets”. Does this mean that the L3 firewall features will not work for the L3 VLAN connected to the 2 interfaces ?

    Last, very happy to see you on this blog but not happy at all to see Netg dissparing from cisco PEC !

    HTH

    Regards

  4. To Ouajih:

    Yes, we can have VLAN interfaces on the ASA, but note that the Adaptive Security Algorithm does not kick in until we are moving between subnets in Layer 3 mode on the device. Here are some quotes from the Configuration Guide:

    “Logical VLAN interfaces—In routed mode, these interfaces forward traffic between VLAN networks at Layer 3, using the configured security policy to apply firewall and VPN services. In transparent mode, these interfaces forward traffic between the VLANs on the same network at Layer 2, using the configured security policy to apply firewall services. See the “Maximum Active VLAN Interfaces for Your License” section for more information about the maximum VLAN interfaces. VLAN interfaces let you divide your equipment into separate VLANs, for example, home, business, and Internet VLANs.

    To segregate the switch ports into separate VLANs, you assign each switch port to a VLAN interface. Switch ports on the same VLAN can communicate with each other using hardware switching. But when a switch port on VLAN 1 wants to communicate with a switch port on VLAN 2, then the adaptive security appliance applies the security policy to the traffic and routes or bridges between the two VLANs.”

  5. Cisco Guy says:

    Thanks for the great post. I will search your blog to find more posts about transparent firewall. I’m interested to find out how to enforce security rules with ACLs. Is this the same as Routed Mode?

  6. To Cisco Guy:

    Thanks so much for reading! If it were not for our many readers…we would never blog :-(

    Yes – you are going to be using Access Control Lists on the transparent firewall to control access through it. You can also use EtherType-based ACLs to filter IP- and non-IP-based traffic.

    I think I should do a Part II on this one soon and demonstrate some typical ACL configurations!

    Thanks again for reading!

  7. sheik says:

    Hi,
    I have cisco asa 5505 with IOS 8 , it is stange i can not name the interface with the nameif command , unless i create a vlan’s and name it . in such case how the traffic will flow between the vlan note i am using the firewall in Trnasparent mode .

  8. Ibrahim Hudhaif says:

    Ok, R1 and R1 are two below the firewall. but where did you come up with 10.0.0.10? I am confused!

  9. R1 is telnetting to R0.

    10.0.0.10 is the IP address of R0.

  10. Watch Treme says:

    Greetings, I look at all your articles, keep them coming.

  11. Yiannis says:

    @sheik, I believe you’ll have your question answered, but here is the answer. On the 5505 you cannot “nameif” an interface but a VLAN (also the security level should be configured on the VLAN.
    rgds,
    Yiannis

 

Leave a Reply

Categories

CCIE Bloggers