1. © 2006 Cisco Systems, Inc. All rights reserved. Network Security 2 Module 8 – PIX Security Appliance Contexts, Failover, and Management

2. © 2006 Cisco Systems, Inc. All rights reserved. Lesson 8.3 Configure Transparent Firewall Mode Module 8 – PIX Security Appliance Contexts, Failover, and Management

3. © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-3 Transparent Firewall Mode Overview

4. © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-4 Transparent vs. Routed Firewall The security appliance can run in two firewall settings:  Routed: Based on IP address  Transparent: Based on MAC address VLAN 100 10.0.1.0 VLAN 200 10.0.1.0 Transparent Mode 10.0.1.0 VLAN 100 10.0.2.0 VLAN 200 Routed Mode

5. © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-5 Transparent Firewall Benefits Easily integrated and maintained in the existing network:  IP readdressing not necessary  No NAT to configure  No IP routing to troubleshoot VLAN 100 10.0.1.0 VLAN 200 10.0.1.0 Transparent Mode Layer 2 Device

6. © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-6 Transparent Firewall Guidelines  Layer 3 traffic must be explicitly permitted.  Each directly connected network must be on the same subnet.  A management IP address is required for each context, even if you do not intend to use Telnet to the context.  The management IP address must be on the same subnet as the connected network.  Do not specify the security appliance management IP address as the default gateway for connected devices. –Devices need to specify the router on the other side of the security appliance as the default gateway.  Each interface must be a different VLAN interface. VLAN 100 10.0.1.0 VLAN 200 10.0.1.0 Transparent Mode Management IP Address 10.0.1.1 10.0.1.10 IP–10.0.1.3 Gateway – 10.0.1.10 IP–10.0.1.4 Gateway – 10.0.1.10 Internet

7. © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-7 Transparent Firewall Unsupported Features The following features are not supported in transparent firewall mode:  NAT  Dynamic routing protocols  IPv6  DHCP relay  QoS  Multicast  VPN termination for through traffic VLAN 100 10.0.1.0 VLAN 200 10.0.1.0 Transparent Mode

8. © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-8 Enabling Transparent Firewall Mode

9. © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-9 Viewing the Current Firewall Mode show firewall ciscoasa#  Shows the current firewall mode asa1# show firewall Firewall mode: Transparent VLAN 100 10.0.1.0 VLAN 200 10.0.1.0 Transparent Mode 10.0.1.0 VLAN 100 10.0.2.0 VLAN 200 Routed Mode ?

10. © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-10 Enabling Transparent Firewall Mode vs. Routed Mode  Changes the mode to transparent  Requires use of the no firewall transparent command to return to routed mode firewall transparent ciscoasa(config)# asa1(config)# firewall transparent Switched to transparent mode VLAN 100 10.0.1.0 VLAN 200 10.0.1.0 Transparent Mode 10.0.1.0 VLAN 100 10.0.2.0 VLAN 200 Routed Mode

11. © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-11 Assigning the Management IP Address  Sets the IP address for an interface (in routed mode) or for the management address (transparent mode).  For routed mode, enter this command in interface configuration mode.  In transparent mode, enter this command in global configuration mode. ip address ip_address [mask] [standby ip_address] ciscoasa(config)# asa1(config)# ip address 10.0.1.1 255.255.255.0 asa1(config)# show ip address Management System IP Address: ip address 10.0.1.1 255.255.255.0 Management Current IP Address: ip address 10.0.1.1 255.255.255.0

12. © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-12 Configure ACLs  Determines which traffic should be allowed through the firewall access-list id [line line-number] [extended] {deny | permit} {protocol | object-group protocol_obj_grp_id}{host sip | sip smask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id] {host dip | dip dmask | interface ifc_name | object-group network_obj_grp_id | any} [operator port [port] | object-group service_obj_grp_id | object-group icmp_type_obj_group_id] [log [[level] [interval secs] | disable | default]] [inactive | time- range time_range_name] ciscoasa(config)# asa1(config)# access-list ACLIN permit icmp 10.0.1.0 255.255.255.0 10.0.1.0 255.255.255.0 asa1(config)# access-group ACLIN in interface inside asa1(config)# access-group ACLIN in interface outside 10.0.1.11 10.0.1.2 VLAN 100 10.0.1.0 VLAN 200 10.0.1.0 Security levels are supported in transparent mode; therefore, traffic from a higher security level interface to a lower security level interface will pass without an ACL, just as it does in routed mode. Internet

13. © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-13 Ethertype ACLS Treatment of non-IP packets:  The transparent firewall introduces a new type of ACL: the Ethertype ACL.  With Ethertype ACLs, an administrator can allow specific non-IP packets through the firewall. access-list id ethertype {deny | permit} {ipx | bpdu | mpls-unicast | mpls-multicast | any | hex_number} ciscoasa(config)# asa1(config)# access-list ETHER ethertype permit ipx asa1(config)# access-group ETHER in interface inside asa1(config)# access-group ETHER in interface outside VLAN 100 10.0.1.0 VLAN 200 10.0.1.0 IPX Traffic

14. © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-14  ARP inspection checks all ARP packets against static ARP entries and blocks mismatched packets.  This feature prevents ARP spoofing. arp-inspection interface_name enable [flood | no-flood] ciscoasa(config)# asa1(config)# arp-inspection outside enable arp inspection enabled on outside arp interface_name ip_address mac_address [alias] ciscoasa(config)# asa1(config)# arp outside 10.0.1.1 0009.7cbe.2100  A static ARP entry maps a MAC address to an IP address and identifies the interface through which the host is reached. ARP Inspection

15. © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-15 Monitoring and Maintaining Transparent Firewall Mode

16. © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-16 MAC Address Table The MAC address table is used to find the outgoing interface based on the destination MAC address.  Built dynamically; contents learned from source MAC addresses  No flooding if MAC address not found VLAN 100 10.0.1.0 VLAN 200 10.0.1.0 Interface MAC Address Type Time Left -------------------------------------------------------- outside 0009.7cbe.2100 dynamic 10 - inside 0010.7cbe.6101 dynamic 10 - 0009.7cbe.21000010.7cbe.6101

17. © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-17 Disabling MAC Address Learning mac-learn interface_name disable ciscoasa(config)#  Disables MAC address learning for an interface (To re-enable MAC address learning, use the no form of this command. By default, each interface automatically learns the MAC addresses of entering traffic, and the security appliance adds corresponding entries to the MAC address table.) asa1(config)# mac-learn outside disable Disabling learning on outside VLAN 100 10.0.1.0 VLAN 200 10.0.1.0 Interface MAC Address Type Time Left -------------------------------------------------------- outside 0009.7cbe.2100 dynamic 10 - inside 0010.7cbe.6101 dynamic 10 - 0009.7cbe.21000010.7cbe.6101

18. © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-18 Adding a Static MAC Address mac-address-table static interface_name mac_address ciscoasa(config)#  Adds a static entry to the MAC address table  Guards against MAC spoofing (Normally, MAC addresses are added to the MAC address table dynamically as traffic from a particular MAC address enters an interface. ) asa1(config)# mac-address-table static inside 0010.7cbe.6101 Added to the bridge table VLAN 100 10.0.1.0 VLAN 200 10.0.1.0 0009.7cbe.21000010.7cbe.6101 Interface MAC Address Type Time Left -------------------------------------------------------- outside 0009.7cbe.2100 static - inside 0010.7cbe.6101 static -

19. © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-19 Viewing the MAC Address Table  Displays the MAC address table show mac-address-table [interface_name | count | static] ciscoasa# asa1# show mac-address-table interface mac address type Age(min) ---------------------------------------------------------- -- inside 0010.7cbe.6101 static inside 0008.e3bc.5ee0 dynamic 5

20. © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-20 asa1# debug arp-inspection asa1# debug mac-address-table debug Commands Debug Support  debug arp-inspection: To the track code path of ARP forwarding and ARP inspection module in transparent firewall  debug mac-address-table: To track the insertions, deletions, or updates to the bridge table that is maintained for the transparent firewall.

21. © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-21 Summary  A transparent firewall is a Layer 2 firewall that acts like a “bump in the wire” or a “stealth firewall” and is not seen as a router hop to connected devices.  The security appliance connects the same network on its inside and outside ports but uses different VLANs on the inside and outside.  Layer 2 monitoring and maintenance is performed by customizing the MAC address table.

22. © 2007 Cisco Systems, Inc. All rights reserved.SNPA v5.0—16-22