Setting up Cisco Firewalls for Transparent Mode
Routed and Transparent Mode
- Cisco PIX OS 7.x and later and Cisco ASA firewalls can switch from the traditional routed mode (layer 3/4) to what is called transparent mode, operating as a "bump in the wire" at layer 2. Traditionally, a firewall is a routed hop and acts as the default gateway for the host(s) behind it. A transparent-mode firewall, on the other hand, is a "stealth" firewall: it is not seen as a router hop by connected devices, even though it sits in-line.
- A transparent-mode firewall does not perform NAT and has only one IP address, bound to all interfaces and used exclusively for management.
Configuration of a Transparent mode Cisco firewall
- Unlike routed mode, which requires an IP address on each interface, transparent mode has one IP address bound to all interfaces. The firewall uses this address as the source address for packets it originates itself, such as SNMP, AAA and other management traffic.
- The management IP address MUST be on the same subnet as the connected network.
- The transparent firewall uses ONLY two interfaces on the firewall for "inside" and "outside", even if more physical interfaces exist.
- Each directly connected network must be on the same subnet. This does not mean that secondary IP blocks cannot be routed to the server; that is still possible in transparent mode. However, since no NAT takes place, the secondary subnet is routed directly to the server just as if the firewall were not present.
- Devices behind the firewall should retain normal network configurations, with the router as the default gateway.
Unsupported features/commands in Transparent mode
- NAT (NAT is performed on the upstream router)
- VPN Termination
- Dynamic Routing Protocols (RIP, OSPF, etc.)
- DHCP relay
How data moves through the transparent firewall
1. A user from the outside requests a web page from an inside web server.
2. The transparent firewall receives the request and adds the source MAC address to its MAC address table. Because it is a new session, the packet is checked against the applied access-list to verify that it is allowed.
3. If the destination MAC address is in the firewall's table, the firewall forwards the packet out the inside interface. If the destination MAC address is not in the table, the firewall sends out an ARP request and a ping to discover it; in this case the first packet is dropped.
4. When the inside web server responds to the request, the firewall adds the web server's MAC address to its table, if required, and because the session is already established, the packet bypasses the lookups associated with a new connection.
Specifics in the configuration
- Transparent mode is actually very simple to configure and requires very little maintenance.
- In the case of using a PIX 515E running PIX OS 7.x (which is required, remember?), the following command will switch the firewall from the default/traditional "Routed" mode to Transparent:
DO NOT APPLY THIS COMMAND ON A LIVE FIREWALL!!!
MAKE SURE YOU ISSUE THIS ON THE CONSOLE ONLY!
ciscopix(config)# firewall transparent
- The above command will RESET the configuration on the firewall, which means you will lose any network connectivity currently setup.
- Now, since the firewall only uses one IP address for all interfaces, very few configuration changes are needed on each interface. Simply:
ciscopix(config)# int fa0/0
ciscopix(config-if)# no shut
ciscopix(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscopix(config-if)# int fa0/1
ciscopix(config-if)# no shut
ciscopix(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscopix(config)# ip address x.x.x.x y.y.y.y
ciscopix(config)# route outside 0.0.0.0 0.0.0.0 x.x.x.z
- The above configuration completes the network configuration on the firewall.
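As an added example that is not part of the original page, the following Python check reads a PIX/ASA-style configuration and flags the transparent-mode constraints listed above: exactly two named interfaces, a single global management address, a default-route next hop on that address's subnet, and none of the unsupported NAT, VPN, dynamic-routing or DHCP-relay commands. The command patterns and the sample configurations (RFC 5737 addresses) are constructed for this example.

```python
import ipaddress
import re

# Patterns for features the page lists as unsupported in transparent mode (assumed set).
UNSUPPORTED = {
    "nat": r"^(nat|global|static)\b",
    "vpn": r"^(crypto map|tunnel-group|isakmp enable)\b",
    "dynamic routing": r"^router (rip|ospf|eigrp)\b",
    "dhcp relay": r"^dhcprelay\b",
}

def check_transparent_config(config: str) -> list:
    """Return findings for a transparent-mode config; an empty list means clean."""
    lines = [l.strip() for l in config.splitlines() if l.strip()]
    findings = []
    # Transparent mode uses exactly two named interfaces, inside and outside.
    nameifs = sorted(l.split()[1] for l in lines if l.startswith("nameif "))
    if nameifs != ["inside", "outside"]:
        findings.append(f"expected nameif inside/outside only, got {nameifs}")
    # One global 'ip address' for all interfaces; routed-mode per-interface addresses show up as extras.
    ips = [m for m in (re.match(r"^ip address (\S+) (\S+)", l) for l in lines) if m]
    if len(ips) != 1:
        findings.append(f"expected one global 'ip address', found {len(ips)}")
        return findings
    mgmt = ipaddress.ip_interface(f"{ips[0].group(1)}/{ips[0].group(2)}")
    # The default-route next hop must be on the management subnet: it is the only connected network.
    for l in lines:
        m = re.match(r"^route \S+ 0\.0\.0\.0 0\.0\.0\.0 (\S+)", l)
        if m and ipaddress.ip_address(m.group(1)) not in mgmt.network:
            findings.append(f"next hop {m.group(1)} is not in {mgmt.network}")
    for feature, pattern in UNSUPPORTED.items():
        findings += [f"{feature} is not supported in transparent mode: '{l}'"
                     for l in lines if re.match(pattern, l)]
    return findings

# Constructed sample configs modelled on the page's skeleton, not a real device's output.
GOOD_CONFIG = """
interface Ethernet0
 nameif outside
interface Ethernet1
 nameif inside
ip address 192.0.2.10 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
"""
# Same skeleton with an off-subnet next hop plus OSPF and NAT, both unsupported.
BAD_CONFIG = GOOD_CONFIG.replace("192.0.2.1 1", "198.51.100.1 1") + """
router ospf 1
nat (inside) 1 0.0.0.0 0.0.0.0
"""
```

Running the check over a routed-mode configuration reports the extra per-interface `ip address` lines and stops there, since the remaining rules assume a single management subnet.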
- Full Transparent Config:
ciscoasa# show conf
: Written by enable_15 at 22:00:58.970 UTC Tue May 1 2007
ASA Version 7.0(6)
enable password 8Ry2YjIyt7RRXU24 encrypted
name 22.214.171.124 dllstx2
name 126.96.36.199 dllstx4
name 188.8.131.52 dllstx5
name 184.108.40.206 ev1-noc
name 220.127.116.11 ev1-noc2
name 18.104.22.168 ev1-noc4
name 22.214.171.124 ev1-noc7
name 126.96.36.199 ev1-dc
name 188.8.131.52 ev1-webtech
name 184.108.40.206 hstntx2-ipalert
name 220.127.116.11 hstntx2-phase2
name 18.104.22.168 hstntx1
name 22.214.171.124 hstntx1-ipalert
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
object-group network theplanet_ips
network-object dllstx2 255.255.255.0
network-object dllstx5 255.255.255.0
network-object dllstx4 255.255.255.0
network-object ev1-noc 255.255.255.0
network-object ev1-noc2 255.255.255.192
network-object hstntx2-ipalert 255.255.255.192
network-object ev1-noc4 255.255.255.224
network-object hstntx1-ipalert 255.255.255.192
network-object hstntx2-phase2 255.255.255.192
network-object ev1-noc7 255.255.255.224
network-object ev1-dc 255.255.255.224
network-object ev1-webtech 255.255.255.128
network-object hstntx1 255.255.255.240
network-object hstntx1-ipalert 255.255.255.224
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
access-list 101 extended permit ip object-group theplanet_ips any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address x.x.x.x 255.255.255.x
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host 126.96.36.199
aaa-server TACACS+ (outside) host 188.8.131.52
aaa authentication http console TACACS+
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
inspect dns maximum-length 512
inspect h323 h225
inspect h323 ras
service-policy global_policy global
- That's it. Now we can put the firewall in-line between the router and the host(s).