© 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 8 – PIX Security Appliance Contexts, Failover, and Management


Lesson 8.3 Configure Transparent Firewall Mode


© 2007 Cisco Systems, Inc. All rights reserved. SNPA v5.0—16-3

Transparent Firewall Mode Overview


Transparent vs. Routed Firewall

The security appliance can run in one of two firewall modes:

Routed: forwarding decisions are based on IP address; the appliance is a router hop between different subnets.

Transparent: forwarding decisions are based on MAC address; the appliance bridges one subnet between two VLANs and is not seen as a hop.

Figure: Transparent Mode has VLAN 100 and VLAN 200 both on 10.0.1.0; Routed Mode has VLAN 100 on 10.0.1.0 and VLAN 200 on 10.0.2.0.


Transparent Firewall Benefits

Easily integrated and maintained in the existing network: IP readdressing not necessary

No NAT to configure

No IP routing to troubleshoot

Figure: Transparent Mode, the appliance as a Layer 2 device between VLAN 100 and VLAN 200, both on 10.0.1.0.


Transparent Firewall Guidelines

IP traffic entering a lower-security interface (for example, outside) must be explicitly permitted with an extended access list; non-IP traffic must be explicitly permitted with an EtherType access list.

Each directly connected network must be on the same subnet.

A management IP address is required for each context, even if you do not intend to use Telnet to the context.

The management IP address must be on the same subnet as the connected network.

Do not specify the security appliance management IP address as the default gateway for connected devices.

– Devices need to specify the router on the other side of the security appliance as the default gateway.

Each interface must be a different VLAN interface.

Figure: Transparent Mode. VLAN 100 and VLAN 200 are both on 10.0.1.0; the management IP address is 10.0.1.1; the router towards the Internet is 10.0.1.10; the inside hosts 10.0.1.3 and 10.0.1.4 each use 10.0.1.10 as their gateway.


Transparent Firewall Unsupported Features

The following features are not supported in transparent firewall mode:

NAT

Dynamic routing protocols

IPv6

DHCP relay

QoS

Multicast

VPN termination for through traffic


Enabling Transparent Firewall Mode


Viewing the Current Firewall Mode

ciscoasa# show firewall

Shows the current firewall mode

asa1# show firewall

Firewall mode: Transparent


Enabling Transparent Firewall Mode vs. Routed Mode

Changes the mode to transparent; use the no firewall transparent command to return to routed mode. Changing the mode in either direction clears the running configuration, because most commands are valid in only one mode. Back up the configuration before switching, and expect to re-enter the interfaces, access lists, and management address afterwards.

ciscoasa(config)# firewall transparent

asa1(config)# firewall transparent

Switched to transparent mode


Assigning the Management IP Address

Sets the IP address of an interface (routed mode) or the single management address of the appliance (transparent mode). In routed mode, enter this command in interface configuration mode. In transparent mode, enter it in global configuration mode, because the interfaces themselves carry no IP addresses.

ciscoasa(config)# ip address ip_address [mask] [standby ip_address]

asa1(config)# ip address 10.0.1.1 255.255.255.0

asa1(config)# show ip address

Management System IP Address:

ip address 10.0.1.1 255.255.255.0

Management Current IP Address:

ip address 10.0.1.1 255.255.255.0


Configure ACLs

Determines which traffic is allowed through the firewall

ciscoasa(config)# access-list id [line line-number] [extended] {deny | permit} {protocol | object-group protocol_obj_grp_id}{host sip | sip smask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id] {host dip | dip dmask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id | object-group icmp_type_obj_group_id] [log [[level] [interval secs] | disable | default]] [inactive | time-range time_range_name]

asa1(config)# access-list ACLIN permit icmp 10.0.1.0 255.255.255.0 10.0.1.0 255.255.255.0

asa1(config)# access-group ACLIN in interface inside

asa1(config)# access-group ACLIN in interface outside

Figure: hosts 10.0.1.11 and 10.0.1.2 on either side of the appliance (VLAN 100 and VLAN 200, both on 10.0.1.0) exchanging ICMP through the transparent firewall, with the Internet beyond the outside interface.

Security levels apply in transparent mode, so IP traffic from a higher-security interface to a lower-security interface passes without an ACL, just as it does in routed mode; an ACL is required to admit traffic in the lower-to-higher direction. The example applies ACLIN to both interfaces so that ICMP is permitted explicitly in each direction.

EtherType ACLs

Treatment of non-IP packets: the transparent firewall introduces a new type of ACL, the EtherType ACL. With an EtherType ACL, an administrator can allow specific non-IP frames (IPX, BPDUs, MPLS, or any EtherType given as a hex number) through the firewall. Once an EtherType ACL is applied to an interface, non-IP EtherTypes it does not permit are dropped, so include bpdu if spanning tree must run across the firewall. IP and ARP traffic are governed by extended ACLs and are not affected by the EtherType ACL.

ciscoasa(config)# access-list id ethertype {deny | permit} {ipx | bpdu | mpls-unicast | mpls-multicast | any | hex_number}

asa1(config)# access-list ETHER ethertype permit ipx

asa1(config)# access-group ETHER in interface inside

asa1(config)# access-group ETHER in interface outside

Figure: IPX traffic passing between VLAN 100 and VLAN 200 through the transparent firewall.

ARP Inspection

ARP inspection checks every ARP packet that enters an enabled interface against the static ARP entries and drops any packet whose IP address, MAC address, or interface does not match an entry. This prevents ARP spoofing: a host on one side of the firewall cannot poison hosts on the other side by answering for the gateway.

An ARP packet that matches no static entry at all is handled by the flood or no-flood keyword: flood (the default) forwards it out all interfaces, no-flood drops it. With no-flood, every host on that segment that must remain reachable needs a static entry, so add the static entries before enabling inspection.

ciscoasa(config)# arp-inspection interface_name enable [flood | no-flood]

asa1(config)# arp-inspection outside enable

arp inspection enabled on outside

ciscoasa(config)# arp interface_name ip_address mac_address [alias]

asa1(config)# arp outside 10.0.1.1 0009.7cbe.2100

A static ARP entry maps a MAC address to an IP address and identifies the interface through which the host is reached.
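The steps on the preceding slides (switch the mode, name the interfaces, set the management address, permit IP and non-IP traffic, pin the gateway's ARP binding) combined into one single-context ASA 7.x configuration for the lesson's topology. This is an added example, not a configuration from the slides or from Cisco. The interface names GigabitEthernet0/0 and GigabitEthernet0/1, the ICMP and HTTP rules, and the MAC addresses are assumptions made for the example; the addresses 10.0.1.1, 10.0.1.3, 10.0.1.4 and 10.0.1.10 follow the diagram.

```cisco
! Added example, not from the slides. ASA 7.x, single context.
! Assumed: Gi0/0 = outside (VLAN 200, towards the 10.0.1.10 router),
!          Gi0/1 = inside  (VLAN 100, hosts 10.0.1.3 and 10.0.1.4).
! MAC addresses below are constructed for the example.
!
! 1. Switch modes. This clears the running configuration, so do it first,
!    from the console, and re-enter everything below afterwards.
firewall transparent
!
! 2. Interfaces carry a name and a security level only; no IP address here.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 no shutdown
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! 3. One management address on the connected subnet. Hosts keep 10.0.1.10
!    as their default gateway, never 10.0.1.1.
ip address 10.0.1.1 255.255.255.0
!
! 4. IP traffic entering outside (security 0) towards inside (security 100)
!    is dropped unless permitted here. Inside-to-outside passes on security
!    level alone. echo-reply is permitted because ICMP is not tracked
!    statefully unless inspect icmp is configured.
access-list ACLIN extended permit icmp any 10.0.1.0 255.255.255.0 echo-reply
access-list ACLIN extended permit tcp any host 10.0.1.3 eq www
access-list ACLIN extended deny ip any any log
access-group ACLIN in interface outside
!
! 5. Non-IP frames need an EtherType ACL. Once applied, EtherTypes it does
!    not list are dropped, so permit bpdu or the switches' spanning tree
!    will no longer see each other through the firewall.
access-list ETHER ethertype permit bpdu
access-list ETHER ethertype permit ipx
access-group ETHER in interface outside
access-group ETHER in interface inside
!
! 6. Static ARP bindings, then inspection. no-flood on outside: the router
!    is the only device there, so any other ARP is dropped. flood on inside:
!    hosts without a static entry stay reachable, but 10.0.1.3 and 10.0.1.4
!    can no longer be impersonated.
arp outside 10.0.1.10 0009.7cbe.2100
arp inside 10.0.1.3 0010.7cbe.6101
arp inside 10.0.1.4 0010.7cbe.6102
arp-inspection outside enable no-flood
arp-inspection inside enable flood
!
! 7. Verify.
show firewall
show ip address
show access-list ACLIN
show arp-inspection
```

Enter this from the console: firewall transparent drops any Telnet or SSH session that was carrying the change along with the rest of the configuration. The no-flood option on outside is safe only while the router is the sole device on that segment; if other hosts are added there, give each one a static arp entry, or ARP from those hosts will be dropped.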


Monitoring and Maintaining Transparent Firewall Mode


MAC Address Table

The MAC address table is used to find the outgoing interface for a frame from its destination MAC address. It is built dynamically; entries are learned from the source MAC addresses of frames entering each interface.

Unlike a switch, the appliance does not flood a frame whose destination MAC address is not in the table.

Figure: Transparent Mode, VLAN 100 and VLAN 200 both on 10.0.1.0; host 0009.7cbe.2100 on the outside segment, host 0010.7cbe.6101 on the inside segment.

Interface   MAC Address       Type      Time Left
--------------------------------------------------
outside     0009.7cbe.2100    dynamic   10
inside      0010.7cbe.6101    dynamic   10

Disabling MAC Address Learning

ciscoasa(config)# mac-learn interface_name disable

Disables MAC address learning for an interface. To re-enable MAC address learning, use the no form of this command.

By default, each interface automatically learns the MAC addresses of entering traffic, and the security appliance adds corresponding entries to the MAC address table.

asa1(config)# mac-learn outside disable

Disabling learning on outside


Adding a Static MAC Address

ciscoasa(config)# mac-address-table static interface_name mac_address

Adds a static entry to the MAC address table. Static entries do not age out and are not replaced by dynamic learning.

Guards against MAC spoofing: if a frame with the source MAC address of a static entry arrives on an interface that does not match the entry, the security appliance drops it and generates a system message.

Normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular MAC address enters an interface.

asa1(config)# mac-address-table static inside 0010.7cbe.6101

Added <0010.7cbe.6101> to the bridge table

Figure: same topology, 0009.7cbe.2100 on the outside segment and 0010.7cbe.6101 on the inside segment.

Interface   MAC Address       Type      Time Left
--------------------------------------------------
outside     0009.7cbe.2100    static    -
inside      0010.7cbe.6101    static    -

Viewing the MAC Address Table

ciscoasa# show mac-address-table [interface_name | count | static]

Displays the MAC address table

asa1# show mac-address-table

interface   mac address       type      Age(min)
------------------------------------------------------------
inside      0010.7cbe.6101    static
inside      0008.e3bc.5ee0    dynamic   5
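The Layer 2 hardening from the last three slides applied to the lesson's topology, as an added example rather than output from the page: static entries for the router on outside and for both inside hosts, then learning switched off on the segment where nothing new should ever appear. The MAC addresses, including the second inside host's 0010.7cbe.6102, are constructed for the example.

```cisco
! Added example, not from the slides. Same topology as the lesson diagram:
! one router on outside, hosts 10.0.1.3 and 10.0.1.4 on inside.
! MAC addresses are constructed.
!
! 1. Static entries first. Unknown destination MACs are not flooded in
!    transparent mode, so a host with no entry becomes unreachable once
!    learning is disabled on its interface. A frame that carries one of
!    these source MACs but arrives on the other interface no longer matches
!    the entry and is dropped with a system message; that is the
!    MAC-spoofing protection a static entry provides.
mac-address-table static outside 0009.7cbe.2100
mac-address-table static inside 0010.7cbe.6101
mac-address-table static inside 0010.7cbe.6102
!
! 2. Freeze outside, where only the router should ever be seen. Leave
!    learning on for inside unless every inside host has a static entry;
!    otherwise a new or re-imaged host on that segment silently loses
!    connectivity.
mac-learn outside disable
!
! 3. Verify. Static entries show no age; count is a quick check against
!    the number of hosts expected on each segment.
show mac-address-table static
show mac-address-table count
show mac-address-table outside
```

Review the static list whenever a host is replaced: a new NIC on 10.0.1.3 means a new MAC, and with the old entry still present the replacement host's frames are dropped as spoofed until the entry is updated.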


debug Commands

debug arp-inspection: tracks the code path of ARP forwarding and of the ARP inspection module in the transparent firewall.

debug mac-address-table: tracks insertions, deletions, and updates to the bridge table maintained for the transparent firewall.

asa1# debug arp-inspection

asa1# debug mac-address-table

Turn debugging off with the no form of each command when finished; debug output is verbose and costs CPU on a busy appliance.

Summary

A transparent firewall is a Layer 2 firewall that acts like a “bump in the wire” or a “stealth firewall” and is not seen as a router hop to connected devices.

The security appliance connects the same network on its inside and outside ports but uses different VLANs on the inside and outside.

Layer 2 monitoring and maintenance is performed by customizing the MAC address table.
