User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 22 Managing Transparent Firewall Rules
If you want to create a single rule to apply to a group of EtherTypes, convert the EtherTypes to binary
and calculate an appropriate mask where 1 means to interpret the EtherType literally, and 0 means
that any value should be allowed in the position. You must then convert your mask into hexadecimal.
Click OK when you are finished defining your rule.
Step 4 If you did not select the right row before adding the rule, select the new rule and use the up and down
arrow buttons to position the rule appropriately. For more information, see Moving Rules and the
Importance of Rule Order, page 12-19.
Step 5 (IOS devices only) If you are configuring transparent rules on an IOS device, you can forward DHCP
traffic across the bridge without inspection. To configure this, select the Firewall > Settings >
Inspection policy and select the Permit DHCP Passthrough (Transparent Firewall) option. This
setting is not supported on all IOS versions, so carefully inspect validation results to see if it will be
configured on your device.
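The mask calculation in Step 3 is easy to get wrong by hand, and a mask with several 0 bits admits more EtherTypes than the ones you listed. The following Python is an added example, not Cisco Security Manager code: it derives the value/mask pair for a group of EtherTypes using the convention given above (1 = match literally, 0 = any value) and lists every additional EtherType the single rule would admit. The MPLS EtherTypes used as input are a constructed sample.

```python
from functools import reduce

# Added example (not Cisco Security Manager code): derive the value/mask pair
# described in Step 3 for a group of EtherTypes, and check what else it admits.

def ethertype_mask(ethertypes):
    """Return (value, mask) as 16-bit integers.

    Following the convention in the text, a 1 bit in the mask means the
    EtherType bit must match literally and a 0 bit means any value is allowed.
    The mask keeps only the bit positions on which every EtherType agrees.
    """
    if not ethertypes:
        raise ValueError("need at least one EtherType")
    for et in ethertypes:
        if not 0 <= et <= 0xFFFF:
            raise ValueError(f"EtherType out of range: {et:#06x}")
    # Any bit that differs between two entries shows up in the XOR with the first.
    differing = reduce(lambda acc, et: acc | (et ^ ethertypes[0]), ethertypes, 0)
    mask = 0xFFFF & ~differing
    value = ethertypes[0] & mask
    return value, mask

def rule_matches(value, mask, ethertype):
    """True if a frame carrying this EtherType hits the rule."""
    return (ethertype & mask) == value

def covered_ethertypes(value, mask):
    """Every EtherType (0x0000-0xFFFF) the rule admits."""
    return [et for et in range(0x10000) if rule_matches(value, mask, et)]

def unintended_ethertypes(ethertypes):
    """EtherTypes the single rule admits beyond the ones requested.
    Each 0 bit in the mask doubles the admitted set, so review this list
    before deciding that one grouped rule is acceptable."""
    value, mask = ethertype_mask(ethertypes)
    wanted = set(ethertypes)
    return [et for et in covered_ethertypes(value, mask) if et not in wanted]

def as_hex(value, mask):
    """Format the pair as the hexadecimal strings you would enter in the rule."""
    return f"{value:#06x}", f"{mask:#06x}"

if __name__ == "__main__":
    # Constructed sample: MPLS unicast (0x8847) and MPLS multicast (0x8848).
    group = [0x8847, 0x8848]
    value, mask = ethertype_mask(group)
    print("value/mask:", as_hex(value, mask))
    print("also admits:", [f"{et:#06x}" for et in unintended_ethertypes(group)])
```

For the two MPLS EtherTypes the rule becomes 0x8840 with mask 0xfff0, which admits 16 EtherTypes in total, 14 of them not requested.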
Transparent Rules Page
Use the Transparent Rules page to control access for non-IP layer-2 traffic. (To control IP traffic access,
use access rules; see Understanding Access Rules, page 16-1.)
Transparent rules are limited to transparent firewalls, which are ASA, PIX 7.0+, and FWSM devices
running in transparent mode, or layer-3 interfaces that are part of a bridge group on IOS 12.3(7)T+
devices. When deployed, transparent rules become Ethertype access control lists.
Configure the same rules on all bridged interfaces to allow traffic to pass both ways through the device.
For more detailed information about configuring transparent firewalls and the device requirements for
deploying these rules, see Configuring Transparent Firewall Rules, page 22-1.
Tip Disabled rules are shown with hash marks covering the table row. When you deploy the configuration,
disabled rules are removed from the device. For more information, see Enabling and Disabling Rules,
page 12-20.
Navigation Path
To access Transparent Rules, do one of the following:
(Device view) Select Firewall > Transparent Rules from the Policy selector for a supported device
type.
(Policy view) Select Firewall > Transparent Rules from the Policy Type selector. Select an
existing policy or create a new one.
(Map view) Right-click a device and select Edit Firewall Policies > Transparent Rules.
Related Topics
Interfaces in Routed and Transparent Modes, page 45-4.
Chapter 46, “Configuring Bridging Policies on Firewall Devices”
Bridging on Cisco IOS Routers, page 60-18
Defining Bridge Groups, page 60-19
Bridge-Group Virtual Interfaces, page 60-18