As I am sure you have already seen from the blog on setting up the security device as a Layer 2 device, there are many interesting changes that occur on a PIX or ASA when configured for transparent operations. This blog highlights the major changes and guidelines that you should keep in mind when you opt for this special mode of operation.

  • Number of interfaces – perhaps one of the biggest things to keep in mind is that you are limited in the number of traffic-forwarding interfaces you can use in Layer 2 mode. When you switch to transparent mode, you are limited to two traffic-forwarding interfaces. On some ASA models you may also use the dedicated management interface, but of course that port is limited to management traffic. Remember also that in multiple context mode you cannot share interfaces between contexts the way you can in routed mode.
  • IP addressing – here is another major difference. In Layer 2 mode you assign a single IP address to the device in Global Configuration mode. This address is for remote management and is required before the device will forward traffic. Once the address is assigned, all interfaces start “listening” on it so the device is responsive to its administrator. This global IP address assigned to the device must be in the same subnet that the forwarding interfaces are participating in. Remember, the transparent firewall is not adding a new network (subnet) to your topology.
  • Default gateway – for traffic sourced from the security device itself, you can configure a default gateway on the transparent device. You can do this with the `route 0 0` command.
  • IPv6 support – the transparent firewall does not support IPv6.
  • Non-IP traffic – you can pass non-IP traffic through the Layer 2 mode device. Note that this is not possible on a security appliance in its default Layer 3 mode.
  • More unsupported features – the Layer 2 mode device does not support Quality of Service (QoS) or Network Address Translation (NAT).
  • Multicast – the transparent mode device does not offer multicast support, but you can configure Access Control Lists (ACLs) to pass multicast traffic through the device.
  • Inspection – with the Layer 2 mode device you can inspect traffic at Layer 2 and above. With the classic routed mode configuration, you can only inspect at Layer 3 and above.
  • VPN support – the transparent mode device does support a site-to-site VPN configuration, but only for its management traffic.
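To tie the guidelines together, here is a minimal transparent-mode configuration that applies them. This is an added example, not configuration from the original post: it assumes the pre-8.4 syntax the post describes (the management address entered in global configuration; on ASA 8.4 and later the address is placed under a bridge-group BVI interface instead), and the interface names, ACL names, the 192.0.2.0/24 addresses and the multicast group are constructed placeholders.

```cisco
! Added example (not from the original post). Addresses are drawn from the
! 192.0.2.0/24 documentation range and the multicast group is a placeholder.
firewall transparent
!
! Only two traffic-forwarding interfaces are allowed in Layer 2 mode
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! One management address, entered in global configuration, taken from the
! SAME subnet the bridged hosts already use (no new subnet is introduced)
ip address 192.0.2.10 255.255.255.0
!
! Default gateway used only for traffic sourced by the appliance itself
! (the "route 0 0" form mentioned above, written out in full)
route outside 0.0.0.0 0.0.0.0 192.0.2.1
!
! Multicast is not routed by the appliance, but an extended ACL applied to
! the inbound interface lets the listed group through
access-list OUTSIDE_IN extended permit udp any host 239.1.1.1
access-group OUTSIDE_IN in interface outside
!
! Non-IP frames are only bridged when an EtherType ACL permits them;
! spanning-tree BPDUs are shown here, applied on both forwarding interfaces
access-list NONIP ethertype permit bpdu
access-group NONIP in interface outside
access-group NONIP in interface inside
```

Two checks are worth making after applying a configuration like this: confirm with `show ip address` that the single management address sits in the bridged subnet, and confirm with `show access-list` that the EtherType and extended ACL hit counters increment for the traffic you expect to pass, since in transparent mode anything not explicitly permitted by those ACLs is silently dropped.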


16 Responses to “Transparent Mode Firewall Guidelines”

  1. Maxwell says:

    Thanks for the facts, on the same note transparent functionality on a FWSM is much more interesting with a BVI interfaces playing a major role. You can have combinations of such as mix modes like Context A in Routed mode and Context B in Transparent mode. Anyway it’s a rabbit trail that will never end I guess…..

    Yet another interesting fact is adding ACLs on both interfaces in certain situations such as passing dynamic protocols, any idea why this type of design in a Cisco transparent firewall?

  2. To Maxwell – thanks for the great comments in this blog.

    Regarding ACLs on both interfaces…the only documentation I have seen on this states that it is only required for non-TCP and non-UDP traffic since there is absolutely no session information for the state table.

    In my recent testing for the blog, there was no Inside ACL required for through Telnet traffic, but it sounds as if you have already encountered situations where an Inside ACL was required with TCP or UDP-based traffic.

  3. jgbaker says:

    You state “This global IP addressed assigned to the device must be in the same subnet that the forwarding interfaces are participating in.”

    What if the L2 firewall needs to be in a /30 subnet?

  4. To jgbaker:
    Do not forget that you are only assigning a single IP address to the transparent firewall. So my statement may have been a bit misleading. Sorry about that.

  5. Alex Ng says:

    Starting with ASA/PIX 8.0(2), NAT/PAT is supported in the transparent firewall.

  6. roby says:

    I do not understand if the IP address assigned to the BVI interface MUST be in the same broadcast domain where the transparent firewall works.

  7. Yeah – be careful – it does. This is because there is no “typical” routing function going on. So if you want to implement the device in the subnet of your organization, assign the switch an address from that space.

  8. cisco asa says:

    I was going to implement a transparent mode ASA on one of my networks and I’m glad I found your guidelines on this post. I didn’t know transparent mode does not support IPv6 which is something we were going to implement in the future.

    Thanks for the info.

  9. UCIPv6 says:

    Is IPv6 transparent mode supported in the ASA 8.2?

  10. Saurabh says:

    Why should the ASA in transparent mode be preferred over ASA in routed mode for multicast traffic when my production applications use multicast?

  11. Patrick says:

    I have a rather unorthodox setup that I’m trying to insert an ASA 5505 in transparent mode in to and could use some help:
    I have two discontiguous /25 subnets (.1.0 and .2.128) running on vlan’d (3Com, ugh) switches. The top switch has L3 addresses for the vlans (I’ll call them .1.125 and .2.253) and those addresses are used as the def gw for the hosts in the subnets. The switch’s def gw is vlan 1’s interface on the connected router (.1.126).
    The switch is connected to the router (which I do not have administrative control of) by two connections: one to e0/0 for vlan 1 (.1.126) and one to e0/1 for vlan 2 (.2.254).
    The reasoning behind this is that as I don’t have control of the router, I can ensure my subnets communicate even if the router goes down (which it frequently does). When traffic from the .2.128 net leaves the LAN for the router it does so through the .1.126 interface, with the reply traffic coming back in through the .2.254 interface.
    I put the ASA in transparent mode, gave it an IP on .2.128, assigned e0/0-1 to inside and e0/6-7 to outside. 0 and 1 connect to the switch, 6 and 7 to the router. No traffic will pass.
    Any help would be great! Thanks, Patrick

  12. Patrick says:

    Wow… never mind. HUGE brain fart. Who in their right mind numbers ports from right to left (7-0) instead of left to right (0-7)!?
    (I had the inside and outside reversed) :-|

  13. We have all been there!

    Be sure not to forget IEOC.COM for support in the future.

    Many more looking to help with questions than the blog!

  14. Jim Watt says:

    I’d be interested in thoughts on mixed routed and transparent mode on an ASA5550. Cisco claim this is possible but I can find no evidence of this in the documentation.
    To summarise, we are looking at a solution where a proposal has been made based on a combination of the two modes, with some contexts using one set of interfaces in transparent mode and one context using another set of interfaces in routed mode.

  15. Berta Gurka says:

    Thanks a lot for all of the support

  16. Chuong Pham says:

    Hi all,
    Would you please explain why there must be a management IP before the transparent firewall can forward traffic? At the moment, I have 3 x Bridge Groups configured. 1 of them has a Management IP assigned and is used as the management interface for the context. The other two bridge-groups had no management IPs. I have BGP routers running on the inside and outside. I have noticed some issues and suspected that I do need a management IP for these two “user plane” bridge groups due to the need to do ARP and ping to find MAC addresses, but I am not sure whether what I am thinking is correct. Can anyone please help?