4-8
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter4 Configuring the Transparent or Routed Firewall
Configuring the Firewall Mode
Setting the Firewall Mode
This section describes how to change the firewall mode.
Note We recommend that you set the firewall mode before you perform any other configuration because
changing the firewall mode clears the running configuration.
Prerequisites
When you change modes, the ASA clears the running configuration (see the “Guidelines and
Limitations” section on page4-6 for more information).
If you already have a populated configuration, be sure to back up your configuration before changing
the mode; you can use this backup for reference when creating your new configuration. See the
“Backing Up Configuration Files or Other Files” section on page81-8.
Use the CLI at the console port to change the mode. If you use any other type of session, including
the ASDM Command Line Interface tool or SSH, you will be disconnected when the configuration
is cleared, and you will have to reconnect to the ASA using the console port in any case.
For the ASA 5500 series appiances, set the mode for the whole system in the system execution
space.
Table4-1 Unsupported Features in Transparent Mode
Feature Description
Dynamic DNS
DHCP relay The transparent firewall can act as a DHCP server, but it does not
support the DHCP relay commands. DHCP relay is not required
because you can allow DHCP traffic to pass through using two
extended access lists: one that allows DCHP requests from the inside
interface to the outside, and one that allows the replies from the server
in the other direction.
Dynamic routing protocols You can, however, add static routes for traffic originating on the ASA.
You can also allow dynamic routing protocols through the ASA using
an extended access list.
Multicast IP routing You can allow multicast traffic through the ASA by allowing it in an
extended access list.
QoS —
VPN termination for through
traffic
The transparent firewall supports site-to-site VPN tunnels for
management connections only. It does not terminate VPN connections
for traffic through the ASA. You can pass VPN traffic through the
ASA using an extended access list, but it does not terminate
non-management connections. SSL VPN is also not supported.