Cisco Transparent

Setting up Cisco Firewalls for Transparent Mode

Routed and Transparent Mode

  • Cisco PIX OS >= 7.x and Cisco ASA firewalls have the ability to switch from the traditional Routed mode (layer 3/4) to what is called Transparent mode, operating as a "bump in the wire" at layer 2. Traditionally, a firewall is a routed hop and acts as the default gateway for the host(s) behind it. A transparent mode firewall, on the other hand, is a "stealth" firewall: it is not seen as a router hop by connected devices, even though it sits in-line.
  • A transparent mode firewall does not perform NAT and has only one IP address, bound for all interfaces and used exclusively for management.

Configuration of a Transparent mode Cisco firewall

  • Unlike routed mode, which requires an IP address on each interface, transparent mode has one IP address bound for all interfaces. The firewall uses this IP address as the source address for packets originating on the firewall itself, such as SNMP, AAA, and so on (management traffic).
  • The management IP address MUST be on the same subnet as the connected network.
  • The transparent firewall uses ONLY two interfaces on the firewall for "inside" and "outside", even if more physical interfaces exist.
  • Each directly connected network must be on the same subnet. This does not mean that secondary IP blocks cannot be routed to the server; that is still possible in transparent mode. However, since no NAT is taking place, the secondary subnet is routed directly to the server just as if the firewall were not present.
  • Devices behind the firewall should retain normal network configurations, with the router as the default gateway.

Unsupported features/commands in Transparent mode

  • NAT (NAT is performed on the upstream router)
  • VPN Termination
  • Dynamic Routing Protocols (RIP, OSPF, etc.)
  • QoS
  • IPv6
  • DHCP relay
  • Multicast
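As an added example (not from the page, and not Cisco's own tooling), a small Python lint that checks a saved config against the rules in the two lists above: transparent mode set, exactly two named interfaces, a management address present with every route's next hop on its subnet, and none of the unsupported feature commands. The config text and addresses are constructed; the command prefixes used for the unsupported features are assumed from ASA 7.x syntax.

```python
import ipaddress
import re

# Constructed sample of a transparent-mode config (not the page's firewall).
SAMPLE_CONFIG = """\
firewall transparent
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
ip address 203.0.113.10 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
access-group 101 in interface outside
"""

# Assumed ASA 7.x command prefixes for the features the page lists as unsupported.
UNSUPPORTED_PREFIXES = (
    "nat ", "global ", "static ",          # NAT
    "crypto map ", "isakmp enable ",       # VPN termination
    "router ",                             # dynamic routing (RIP, OSPF, ...)
    "priority-queue ",                     # QoS
    "ipv6 ",                               # IPv6
    "dhcprelay ",                          # DHCP relay
    "multicast-routing",                   # multicast
)

def lint_transparent_config(text):
    """Return a list of findings; an empty list means the config meets the rules above."""
    findings = []
    lines = [line.strip() for line in text.splitlines()]
    if "firewall transparent" not in lines:
        findings.append("'firewall transparent' is not set; the firewall is in routed mode")
    named = sorted(line.split()[1] for line in lines if line.startswith("nameif "))
    if named != ["inside", "outside"]:
        findings.append("expected exactly two named interfaces (inside, outside), found %s" % named)
    mgmt = None  # the single management address, as an interface object
    for line in lines:
        m = re.match(r"^ip address (\S+) (\S+)$", line)
        if m:
            mgmt = ipaddress.ip_interface("%s/%s" % m.groups())
    if mgmt is None:
        findings.append("no management 'ip address' configured")
    for line in lines:
        m = re.match(r"^route \S+ \S+ \S+ (\S+)", line)  # route <if> <dest> <mask> <gw> [metric]
        if m and mgmt is not None:
            gw = ipaddress.ip_address(m.group(1))
            if gw not in mgmt.network:
                findings.append("next hop %s is not on the management subnet %s" % (gw, mgmt.network))
        for prefix in UNSUPPORTED_PREFIXES:
            if line.startswith(prefix):
                findings.append("unsupported in transparent mode: %s" % line)
    return findings
```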

How data moves through the transparent firewall

  • 1. A user from the outside requests a webpage from an inside web server
  • 2. The transparent firewall receives the request and adds the source MAC address to its MAC address table. Because it is a new session, the packet is verified against the applied access-list to confirm it is allowed.
  • 3. If the destination MAC address is in the firewall's table, the firewall forwards the packet out the inside interface.
    • If the destination MAC address is not in the firewall's table, an ARP request and a ping are sent out by the firewall. In this case, the first packet is dropped.
  • 4. When the inside web server responds to the request, the firewall adds the web server's MAC address to its table, if required, and because the session is already established, the packet bypasses the lookups associated with a new connection.

Specifics in the configuration

  • Transparent mode is actually very simple to configure and requires very little maintenance.
  • In the case of using a PIX 515E running PIX OS 7.x (which is required, remember?), the following command will switch the firewall from the default/traditional "Routed" mode to Transparent:

ciscopix(config)# firewall transparent
  • The above command will RESET the configuration on the firewall, which means you will lose any network connectivity currently setup.
  • Now, since the firewall only uses one IP address for all interfaces, very few configuration changes are needed for each interface. Simply:
ciscopix(config)# int fa0/0
ciscopix(config-if)# no shut
ciscopix(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscopix(config-if)# int fa0/1
ciscopix(config-if)# no shut
ciscopix(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscopix(config-if)# exit
ciscopix(config)# ip address x.x.x.x y.y.y.y
ciscopix(config)# route outside 0.0.0.0 0.0.0.0 x.x.x.z
  • The above configuration completes the network configuration on the firewall: the management IP address and the default route toward the upstream router.
  • Full Transparent Config:
ciscoasa# show conf
: Saved
: Written by enable_15 at 22:00:58.970 UTC Tue May 1 2007
ASA Version 7.0(6)
firewall transparent
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
name dllstx2
name dllstx4
name dllstx5
name ev1-noc
name ev1-noc2
name ev1-noc4
name ev1-noc7
name ev1-dc
name ev1-webtech
name hstntx2-ipalert
name hstntx2-phase2
name hstntx1
name hstntx1-ipalert
interface Ethernet0/0
nameif outside
security-level 0
interface Ethernet0/1
nameif inside
security-level 100
interface Ethernet0/2
no nameif
no security-level
interface Ethernet0/3
no nameif
no security-level
interface Management0/0
no nameif
no security-level
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
object-group network theplanet_ips
network-object dllstx2
network-object dllstx5
network-object dllstx4
network-object ev1-noc
network-object ev1-noc2
network-object hstntx2-ipalert
network-object ev1-noc4
network-object hstntx1-ipalert
network-object hstntx2-phase2
network-object ev1-noc7
network-object ev1-dc
network-object ev1-webtech
network-object hstntx1
network-object hstntx1-ipalert
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
access-list 101 extended permit ip object-group theplanet_ips any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address x.x.x.x 255.255.255.x
no failover
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host
timeout 5
key kn0ck!
aaa-server TACACS+ (outside) host
timeout 5
key kn0ck!
aaa authentication http console TACACS+
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh outside
ssh timeout 5
console timeout 0
class-map inspection_default
match default-inspection-traffic
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global

  • That's it. Now we can put the firewall in-line between the router and the host(s).