Cisco Transparent

Setting up Cisco Firewalls for Transparent Mode

Routed and Transparent Mode

  • Cisco PIX OS >= 7.x and Cisco ASA firewalls have the ability to switch from the traditional Routed mode (layer 3/4) to what is called Transparent mode, operating as a "bump in the wire" at layer 2. Traditionally, a firewall is a routed hop and acts as the default gateway for the host(s) behind it. A transparent-mode firewall, on the other hand, is a "stealth" firewall: it sits in-line but is not seen as a router hop by the connected devices, and it can be dropped into an existing subnet without readdressing anything.
  • In 7.x, a transparent-mode firewall does not perform NAT (NAT in transparent mode arrived later, in 8.0(2)) and has a single IP address bound to all interfaces, used exclusively for management traffic.

Configuration of a Transparent mode Cisco firewall

  • Unlike routed mode, which requires an IP address on each interface, transparent mode has one IP address bound to all interfaces. The firewall uses this address as the source for packets it originates itself, such as SNMP, AAA and other management traffic.
  • The management IP address MUST be on the same subnet as the connected network.
  • The transparent firewall uses ONLY two interfaces, "inside" and "outside", even if more physical interfaces exist; in 7.x any additional interfaces stay shut down without a nameif.
  • Each directly connected network must be on the same subnet: the upstream router and the hosts behind the firewall share one IP subnet and one broadcast domain, which the firewall bridges. This does not mean that secondary IP blocks cannot be routed to a server behind it. That still works in transparent mode, but since no NAT is taking place, the upstream router routes the secondary subnet to the server's address and the firewall just bridges those packets, exactly as if it were not present (the access-list still applies to them). Only IP traffic and ARP pass by default; other layer-2 protocols need an EtherType access-list.
  • Devices behind the firewall keep their normal network configuration, with the upstream router (not the firewall) as their default gateway.

Unsupported features/commands in Transparent mode

  • NAT (in 7.x; if NAT is needed it is performed on the upstream router)
  • VPN Termination
  • Dynamic Routing Protocols (RIP, OSPF, etc.)
  • QoS
  • IPv6
  • DHCP relay
  • Multicast

How data moves through the transparent firewall

  • 1. A user on the outside requests a web page from an inside web server.
  • 2. The transparent firewall receives the request and adds the source MAC address to its MAC address table. Because this is a new session, the packet is checked against the access-list applied to the outside interface.
  • 3. If the destination MAC address is in the firewall's table, the firewall forwards the packet out the inside interface.
    • If the destination MAC address is not in the table, the firewall sends an ARP request and a ping to discover it. In this case the first packet is dropped; a TCP client simply retransmits the SYN, so the effect is a slightly slower first connection rather than a failure.
  • 4. When the inside web server responds, the firewall adds the server's MAC address to its table if required, and because the session is already established, the packet bypasses the access-list lookup done for a new connection.
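The four steps above as a small simulation, added here for illustration (it is not Cisco code and not from the original page): a two-interface bridge with a MAC table, a connection table and an inbound ACL on the outside interface. The MAC addresses, IP addresses and ACL entries are constructed sample data, and the probe_reply method stands in for the answer to the ARP request/ping the firewall sends for an unknown destination MAC.

```python
"""Simulation of the transparent-mode forwarding path described above.
Added illustration for this page, not Cisco code.  Models: source-MAC
learning, ACL check on the first packet of a session only, first-packet
drop while an unknown destination MAC is probed, and ACL bypass for
established sessions.  All addresses below are constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str      # "tcp", "udp" or "icmp"
    sport: int
    dport: int


class TransparentFirewall:
    """Two-interface bridge ("outside"/"inside") with a MAC table, a
    connection table and an ACL applied inbound on the outside interface."""

    def __init__(self, outside_acl):
        # ACL entries: (action, proto, dst_ip, dport); first match wins,
        # with an implicit deny at the end, like an ASA access-list.
        self.acl = outside_acl
        self.mac_table = {}     # mac -> interface it was learned on
        self.conns = set()      # 5-tuples of permitted sessions
        self.events = []        # human-readable trace

    def _acl_permits(self, pkt):
        for action, proto, dst, port in self.acl:
            if (proto in ("ip", pkt.proto) and dst in ("any", pkt.dst_ip)
                    and port in ("any", pkt.dport)):
                return action == "permit"
        return False            # implicit deny

    def probe_reply(self, mac, iface):
        """Answer to the ARP request/ping sent for an unknown MAC (step 3)."""
        self.mac_table[mac] = iface

    def receive(self, pkt, iface):
        # Step 2: learn the source MAC on the ingress interface.
        self.mac_table[pkt.src_mac] = iface
        fwd = (pkt.src_ip, pkt.sport, pkt.dst_ip, pkt.dport, pkt.proto)
        rev = (pkt.dst_ip, pkt.dport, pkt.src_ip, pkt.sport, pkt.proto)
        if fwd in self.conns or rev in self.conns:
            state = "established"        # Step 4: no ACL lookup
        else:
            # New session: the inbound ACL applies on outside only;
            # inside-to-outside is allowed by security level (100 -> 0).
            if iface == "outside" and not self._acl_permits(pkt):
                self.events.append(f"deny new session {fwd} on {iface}")
                return "denied"
            state = "new"
        # Step 3: destination MAC lookup; unknown means probe and drop.
        out_iface = self.mac_table.get(pkt.dst_mac)
        if out_iface is None:
            self.events.append(f"unknown {pkt.dst_mac}: ARP/ping sent, packet dropped")
            return "dropped"
        if state == "new":
            self.conns.add(fwd)
        self.events.append(f"{state} {fwd} -> {out_iface}")
        return f"forwarded-{out_iface}-{state}"


def demo():
    """Outside client fetches a page from an inside web server (constructed)."""
    fw = TransparentFirewall([("permit", "tcp", "192.0.2.10", 80),
                              ("permit", "icmp", "any", "any")])
    client, server = "aa:aa:aa:00:00:01", "bb:bb:bb:00:00:10"
    syn = Packet(client, server, "203.0.113.7", "192.0.2.10", "tcp", 40000, 80)
    synack = Packet(server, client, "192.0.2.10", "203.0.113.7", "tcp", 80, 40000)
    ssh = Packet(client, server, "203.0.113.7", "192.0.2.10", "tcp", 40001, 22)
    results = [fw.receive(syn, "outside")]         # server MAC unknown: dropped
    fw.probe_reply(server, "inside")               # ARP/ping answered
    results.append(fw.receive(syn, "outside"))     # retransmitted SYN: forwarded
    results.append(fw.receive(synack, "inside"))   # reply matches the session
    results.append(fw.receive(ssh, "outside"))     # not permitted by the ACL
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Running demo() walks the page's scenario: the first SYN is dropped while the server's MAC is unknown, the retransmitted SYN is permitted by the ACL and forwarded, the SYN/ACK is forwarded without an ACL lookup because it matches the existing session, and a new session to port 22 hits the implicit deny.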

Specifics in the configuration

  • Transparent mode is actually very simple to configure and requires very little maintenance.
  • In the case of using a PIX 515E running PIX OS 7.x (which is required, remember?), the following command will switch the firewall from the default/traditional "Routed" mode to Transparent:

DO NOT APPLY THIS COMMAND ON A LIVE FIREWALL!!!

MAKE SURE YOU ISSUE THIS ON THE CONSOLE ONLY!

ciscopix(config)# firewall transparent
  • The above command RESETS the running configuration, which means you will lose any network connectivity currently set up. Save a copy of the routed-mode configuration off-box first if you may need it again.
  • Now, since the firewall uses one IP address for all interfaces, very little per-interface configuration is needed: just bring each interface up and give it a nameif. Use the interface names your platform actually reports (a PIX 515E names them Ethernet0 and Ethernet1; the ASA sample below uses Ethernet0/0 and Ethernet0/1):
ciscopix(config)# int fa0/0
ciscopix(config-if)# no shut
ciscopix(config-if)# nameif outside
INFO: Security level for "outside" set to 0 by default.
ciscopix(config-if)# int fa0/1
ciscopix(config-if)# no shut
ciscopix(config-if)# nameif inside
INFO: Security level for "inside" set to 100 by default.
ciscopix(config-if)# exit
ciscopix(config)# ip address x.x.x.x y.y.y.y
ciscopix(config)# route outside 0.0.0.0 0.0.0.0 x.x.x.z
  • The above completes the network configuration on the firewall. The x.x.x.x address is the single management IP, on the same subnet as the upstream router x.x.x.z; the default route is used only for traffic the firewall itself originates (AAA, SNMP, SSH), not for the traffic it bridges.
  • Full transparent-mode config, as saved on an ASA running 7.0(6):
ciscoasa# show conf
: Saved
: Written by enable_15 at 22:00:58.970 UTC Tue May 1 2007
!
ASA Version 7.0(6)
!
firewall transparent
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
names
name 12.96.160.0 dllstx2
name 67.19.0.0 dllstx4
name 70.84.160.0 dllstx5
name 66.98.235.0 ev1-noc
name 66.98.241.128 ev1-noc2
name 67.15.31.32 ev1-noc4
name 209.85.4.64 ev1-noc7
name 66.98.241.192 ev1-dc
name 216.40.228.128 ev1-webtech
name 66.98.240.192 hstntx2-ipalert
name 209.85.4.0 hstntx2-phase2
name 216.12.193.0 hstntx1
name 216.40.193.192 hstntx1-ipalert
dns-guard
!
interface Ethernet0/0
nameif outside
security-level 0
!
interface Ethernet0/1
nameif inside
security-level 100
!
interface Ethernet0/2
shutdown
no nameif
no security-level
!
interface Ethernet0/3
shutdown
no nameif
no security-level
!
interface Management0/0
shutdown
no nameif
no security-level
management-only
!
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
object-group network theplanet_ips
network-object dllstx2 255.255.255.0
network-object dllstx5 255.255.255.0
network-object dllstx4 255.255.255.0
network-object ev1-noc 255.255.255.0
network-object ev1-noc2 255.255.255.192
network-object hstntx2-ipalert 255.255.255.192
network-object ev1-noc4 255.255.255.224
network-object hstntx1-ipalert 255.255.255.192
network-object hstntx2-phase2 255.255.255.192
network-object ev1-noc7 255.255.255.224
network-object ev1-dc 255.255.255.224
network-object ev1-webtech 255.255.255.128
network-object hstntx1 255.255.255.240
network-object hstntx1-ipalert 255.255.255.224
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
access-list 101 extended permit ip object-group theplanet_ips any
pager lines 24
mtu outside 1500
mtu inside 1500
ip address x.x.x.x 255.255.255.x
no failover
asdm image disk0:/asdm506.bin
no asdm history enable
arp timeout 14400
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00
timeout mgcp-pat 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host 12.96.160.120
timeout 5
key kn0ck!
aaa-server TACACS+ (outside) host 12.96.160.121
timeout 5
key kn0ck!
aaa authentication http console TACACS+
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh 0.0.0.0 0.0.0.0 outside
ssh timeout 5
console timeout 0
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map global_policy
class inspection_default
inspect dns maximum-length 512
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
!
service-policy global_policy global
ciscoasa#
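To check a saved config against the constraints described on this page, here is an added example (written for this page, not a Cisco tool) that parses a 7.x configuration in the plain-text form shown above. SAMPLE_CONFIG is a constructed fragment modelled on the sample, using documentation addresses; the UNSUPPORTED command prefixes are this example's own choice of markers for the features listed as unsupported. Besides the transparent-mode rules it also reports two things a reviewer would flag in the sample config above: an access-list whose "permit ip any any" first line shadows every line after it, and SSH open to 0.0.0.0/0.

```python
"""Lint a PIX/ASA 7.x transparent-mode configuration against the rules
described on this page.  Added example, not a Cisco tool.  Accepts the config
as the ASA prints it (sub-commands indented) or flattened like the sample."""
import ipaddress
import re

# Constructed fragment modelled on the page's sample, using RFC 5737
# documentation addresses.  Not the page's real configuration.
SAMPLE_CONFIG = """\
firewall transparent
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
access-list 101 extended permit ip any any
access-list 101 extended permit icmp any any
access-list 101 extended permit tcp any host 192.0.2.10 eq www
ip address 192.0.2.5 255.255.255.0
access-group 101 in interface outside
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
ssh 0.0.0.0 0.0.0.0 outside
"""

# Interface sub-commands, so flattened (unindented) configs still parse.
IF_SUBCMDS = ("nameif", "no nameif", "security-level", "no security-level",
              "shutdown", "no shutdown", "management-only", "description")

# Command prefixes standing in for the features the page lists as unsupported
# in 7.x transparent mode (the choice of markers is this example's own).
UNSUPPORTED = {
    "nat ": "NAT", "global ": "NAT", "static ": "NAT",
    "crypto map ": "VPN termination", "tunnel-group ": "VPN termination",
    "router rip": "dynamic routing", "router ospf": "dynamic routing",
    "priority-queue ": "QoS", "ipv6 ": "IPv6",
    "dhcprelay ": "DHCP relay", "multicast-routing": "multicast",
}


def lint(config):
    """Return a list of findings (an empty list means the config passes)."""
    findings = []
    in_interface = None      # interface block we are currently inside
    named = []               # (interface, nameif) pairs
    mgmt = None              # (address, mask) from the global 'ip address'
    default_gw = None
    acls = {}                # acl name -> rule strings in order
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line[0] in "!:":
            continue
        if line.startswith("interface "):
            in_interface = line.split(None, 1)[1]
            continue
        if in_interface and (raw[0].isspace() or line.startswith(IF_SUBCMDS)):
            if line.startswith("nameif "):
                named.append((in_interface, line.split()[1]))
            elif line.startswith("ip address "):
                findings.append(f"{in_interface}: per-interface IP address is routed-mode only")
            continue
        in_interface = None                      # back at global level
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m:
            mgmt = m.groups()
            continue
        m = re.match(r"route \S+ 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line)
        if m:
            default_gw = m.group(1)
            continue
        m = re.match(r"access-list (\S+) (?:extended )?((?:permit|deny) .*)$", line)
        if m:
            acls.setdefault(m.group(1), []).append(m.group(2))
            continue
        if re.match(r"ssh 0\.0\.0\.0 0\.0\.0\.0 ", line):
            findings.append(f"SSH management reachable from any address: '{line}'")
        for prefix, feature in UNSUPPORTED.items():
            if line.startswith(prefix):
                findings.append(f"{feature} is not supported in 7.x transparent mode: '{line}'")
    if len(named) != 2:
        findings.append(f"transparent mode needs exactly two named interfaces, found {len(named)}: {named}")
    if mgmt is None:
        findings.append("no global 'ip address' (management address) configured")
    elif default_gw is not None:
        try:
            subnet = ipaddress.ip_network(f"{mgmt[0]}/{mgmt[1]}", strict=False)
            if ipaddress.ip_address(default_gw) not in subnet:
                findings.append(f"default gateway {default_gw} is not on the management subnet {subnet}")
        except ValueError:
            findings.append(f"could not parse management address or gateway: {mgmt} {default_gw}")
    for name, rules in acls.items():
        for i, rule in enumerate(rules):
            if re.match(r"(permit|deny) ip any any$", rule) and i < len(rules) - 1:
                findings.append(f"ACL {name}: line {i + 1} '{rule}' shadows the {len(rules) - i - 1} line(s) after it")
                break
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONFIG):
        print(finding)
```

On the constructed sample the two findings are the shadowing "permit ip any any" line and the world-open SSH line; a config with the gateway off the management subnet or with a leftover nat/global/static statement is reported as well.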

  • That's it. Now we can put the firewall in-line between the router and the host(s). Two things in the sample config deserve a second look before doing so. The first line of access-list 101 is "permit ip any any", which matches everything and makes the icmp and object-group lines after it unreachable, so as written the firewall passes all IP traffic from the outside; tighten it to the services the inside hosts actually expose. And "ssh 0.0.0.0 0.0.0.0 outside" allows SSH to the management IP from any address, with only the TACACS+ login in the way; restrict it to the NOC networks. The TACACS+ key is also stored in clear in the saved config, so handle backups of it as secrets.