4-7
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter4 Configuring the Transparent or Routed Firewall
Configuring the Firewall Mode
When you change modes, the ASA clears the running configuration because many commands are
not supported for both modes. This action removes any contexts from running. If you then re-add a
context that has an existing configuration that was created for the wrong mode, the context
configuration might not work correctly. Be sure to recreate your context configurations for the
correct mode before you re-add them, or add new contexts with new paths for the new
configurations.
Transparent Firewall Guidelines
Follow these guidelines when planning your transparent firewall network:
In transparent firewall mode, the management interface updates the MAC address table in the same
manner as a data interface; therefore you should not connect both a management and a data interface
to the same switch unless you configure one of the switch ports as a routed port (by default Cisco
Catalyst switches share a MAC address for all VLAN switch ports). Otherwise, if traffic arrives on
the management interface from the physically-connected switch, then the ASA updates the
MACaddress table to use the man agement interface to access the switch, instead of the data
interface. This action causes a temporary traffic interruption; the ASA will not re-update the MAC
address table for packets from the switch to the data interface for at least 30 seconds for security
reasons.
Each directly-connected network must be on the same subnet.
Do not specify the bridge group management IP address as the default gateway for connected
devices; devices need to specify the router on the other side of the ASA as the default gateway.
The default route for the transparent firewall, which is required to provide a return path for
management traffic, is only applied to management traffic from one bridge group network. This is
because the default route specifies an interface in the bridge group as well as the router IP address
on the bridge group network, and you can only define one default route. If you have management
traffic from more than one bridge group network, you need to specify a static route that identifies
the network from which you expect management traffic.
See the “Guidelines and Limitations” section on page9-5 for more guidelines.
IPv6 Guidelines
Supports IPv6.
Additional Guidelines and Limitations
When you change firewall modes, the ASA clears the running configuration because many
commands are not supported for both modes. The startup configuration remains unchanged. If you
reload without saving, then the startup configuration is loaded, and the mode reverts back to the
original setting. See the “Setting the Firewall Mode” section on page4-8 for information about
backing up your configuration file.
If you download a text configuration to the ASA that changes the mode with the
firewalltransparent command, be sure to put the command at the top of the configuration; the ASA
changes the mode as soon as it reads the command and then continues reading the configuration you
downloaded. If the command appears later in the configuration, the ASA clears all the preceding
lines in the configuration. See the “Downloading Software or Configuration Files to Flash Memory”
section on page 81-2 for information about downloading text files.
Unsupported Features in Transparent Mode
Table 4 -1 lists the features are not supported in transparent mode.