Transparent or Routed Firewall Mode

Transparent or Routed Firewall Mode
Transparent or Routed Firewall Mode
This chapter describes how to set the firewall mode to routed or transparent, as well as how the firewall
works in each firewall mode.
You can set the firewall mode independently for each context in multiple context mode.
• About the Firewall Mode, page 1
• Default Settings, page 7
• Guidelines for Firewall Mode, page 7
• Set the Firewall Mode, page 8
• Examples for Firewall Mode, page 9
• History for the Firewall Mode, page 20
About the Firewall Mode
The ASA supports two firewall modes: Routed Firewall mode and Transparent Firewall mode.
About Routed Firewall Mode
In routed mode, the ASA is considered to be a router hop in the network. Each interface that you want to route
between is on a different subnet. You can share Layer 3 interfaces between contexts.
About Transparent Firewall Mode
Traditionally, a firewall is a routed hop and acts as a default gateway for hosts that connect to one of its
screened subnets. A transparent firewall, on the other hand, is a Layer 2 firewall that acts like a “bump in the
wire,” or a “stealth firewall,” and is not seen as a router hop to connected devices. However, like any other
firewall, access control between interfaces is controlled, and all of the usual firewall checks are in place.
Layer 2 connectivity is achieved by using a "bridge group" where you group together the inside and outside
interfaces for a network, and the ASA uses bridging techniques to pass traffic between the interfaces. Each
bridge group includes a Bridge Virtual Interface (BVI) to which you assign an IP address on the network.
CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6
1
Transparent or Routed Firewall Mode
About Transparent Firewall Mode
You can have multiple bridge groups for multiple networks. In transparent mode, these bridge groups cannot
communicate with each other.
Using the Transparent Firewall in Your Network
The ASA connects the same network between its interfaces. Because the firewall is not a routed hop, you can
easily introduce a transparent firewall into an existing network.
The following figure shows a typical transparent firewall network where the outside devices are on the same
subnet as the inside devices. The inside router and hosts appear to be directly connected to the outside router.
Figure 1: Transparent Firewall Network
About Bridge Groups
A bridge group is a group of interfaces that the ASA bridges instead of routes. Bridge groups are only supported
in Transparent Firewall Mode. Like any other firewall interfaces, access control between interfaces is controlled,
and all of the usual firewall checks are in place.
Bridge Virtual Interface (BVI)
Each bridge group includes a Bridge Virtual Interface (BVI). The ASA uses the BVI IP address as the source
address for packets originating from the bridge group. The BVI IP address must be on the same subnet as the
bridge group member interfaces. The BVI does not support traffic on secondary networks; only traffic on the
same network as the BVI IP address is supported.
Only bridge group member interfaces are named and can be used with interface-based features.
CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6
2
Transparent or Routed Firewall Mode
About Transparent Firewall Mode
Bridge Groups in Transparent Firewall Mode
Bridge group traffic is isolated from other bridge groups; traffic is not routed to another bridge group within
the ASA, and traffic must exit the ASA before it is routed by an external router back to another bridge group
in the ASA. Although the bridging functions are separate for each bridge group, many other functions are
shared between all bridge groups. For example, all bridge groups share a syslog server or AAA server
configuration. For complete security policy separation, use security contexts with one bridge group in each
context.
You can include multiple interfaces per bridge group. See Guidelines for Firewall Mode, on page 7 for the
exact number of bridge groups and interfaces supported. If you use more than 2 interfaces per bridge group,
you can control communication between multiple segments on the same network, and not just between inside
and outside. For example, if you have three inside segments that you do not want to communicate with each
other, you can put each segment on a separate interface, and only allow them to communicate with the outside
interface. Or you can customize the access rules between interfaces to allow only as much access as desired.
The following figure shows two networks connected to the ASA, which has two bridge groups.
Figure 2: Transparent Firewall Network with Two Bridge Groups
Management Interface
In addition to each Bridge Virtual Interface (BVI) IP address, you can add a separate Management slot/port
interface that is not part of any bridge group, and that allows only management traffic to the ASA. For more
information, see Management Interface.
Allowing Layer 3 Traffic
• Unicast IPv4 and IPv6 traffic is allowed through the bridge group automatically from a higher security
interface to a lower security interface, without an access rule.
CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6
3
Transparent or Routed Firewall Mode
About Transparent Firewall Mode
• For Layer 3 traffic traveling from a low to a high security interface, an access rule is required on the
low security interface.
• ARPs are allowed through the bridge group in both directions without an access rule. ARP traffic can
be controlled by ARP inspection.
• IPv6 neighbor discovery and router solicitation packets can be passed using access rules.
• Broadcast and multicast traffic can be passed using access rules.
Allowed MAC Addresses
The following destination MAC addresses are allowed through the bridge group if allowed by your access
policy (see Allowing Layer 3 Traffic, on page 3). Any MAC address not on this list is dropped.
• TRUE broadcast destination MAC address equal to FFFF.FFFF.FFFF
• IPv4 multicast MAC addresses from 0100.5E00.0000 to 0100.5EFE.FFFF
• IPv6 multicast MAC addresses from 3333.0000.0000 to 3333.FFFF.FFFF
• BPDU multicast address equal to 0100.0CCC.CCCD
• AppleTalk multicast MAC addresses from 0900.0700.0000 to 0900.07FF.FFFF
Passing Traffic Not Allowed in Routed Mode
In routed mode, some types of traffic cannot pass through the ASA even if you allow it in an access rule. The
bridge group, however, can allow almost any traffic through using either an access rule (for IP traffic) or an
EtherType rule (for non-IP traffic):
• IP traffic—In routed firewall mode, broadcast and multicast traffic is blocked even if you allow it in an
access rule, including unsupported dynamic routing protocols and DHCP (unless you configure DHCP
relay). Within a bridge group, you can allow this traffic with an access rule (using an extended ACL).
• Non-IP traffic—AppleTalk, IPX, BPDUs, and MPLS, for example, can be configured to go through
using an EtherType rule.
Note
The bridge group does not pass CDP packets packets, or any packets that do not have a valid EtherType
greater than or equal to 0x600. An exception is made for BPDUs and IS-IS, which are supported.
BPDU Handling
To prevent loops using the Spanning Tree Protocol, BPDUs are passed by default.To block BPDUs, you need
to configure an EtherType rule to deny them. If you are using failover, you might want to block BPDUs to
prevent the switch port from going into a blocking state when the topology changes. See Transparent Firewall
Mode Bridge Group Requirements for Failover for more information.
CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6
4
Transparent or Routed Firewall Mode
About Transparent Firewall Mode
MAC Address vs. Route Lookups
For traffic within a bridge group, the outgoing interface of a packet is determined by performing a destination
MAC address lookup instead of a route lookup.
Route lookups, however, are necessary for the following traffic types:
• Traffic originating on the ASA—For example, if your syslog server is located on a remote network, you
must use a default/static route so that the ASA can reach that subnet.
• Traffic that is at least one hop away from the ASA, and the ASA performs NAT—If the ASA performs
NAT on a packet that enters a bridge group interface, but the packet is from a remote network, then you
need to configure a static route on the ASA for that network.
Figure 3: NAT Example: NAT within a Bridge Group
1 When the inside host at 10.1.1.75 sends a packet to a web server, the real source address of the packet,
10.1.1.75, is changed to a mapped address, 209.165.201.15.
2 When the server responds, it sends the response to the mapped address, 209.165.201.15, and the
ASA receives the packet because the upstream router includes this mapped network in a static route
directed to the ASA management IP address.
3 The ASA then undoes the translation of the mapped address, 209.165.201.15, back to the real address,
10.1.1.1.75. Because the real address is directly-connected, the ASA sends it directly to the host.
CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6
5
Transparent or Routed Firewall Mode
About Transparent Firewall Mode
4 For host 192.168.1.2, the same process occurs, except for returning traffic, the ASA looks up the
route in its routing table and sends the packet to the downstream router at 10.1.1.3 based on the ASA
static route for 192.168.1.0/24.
• Voice over IP (VoIP) and DNS traffic with inspection enabled, and the endpoint is at least one hop away
from the ASA—For example, if you have the CCM on one bridge group member interface, and a router
and then an H.323 gateway on a different bridge group member interface, then you need to add a static
route on the ASA for the router that is the H.323 gateway for successful call completion. If you enable
NAT for the inspected traffic, a static route is required to determine the egress interface for the real host
address that is embedded in the packet. Affected applications include:
◦CTIQBE
◦DNS
◦GTP
◦H.323
◦MGCP
◦RTSP
◦SIP
◦Skinny (SCCP)
◦SunRPC
◦TFTP
Unsupported Features for Bridge Groups in Transparent Mode
The following table lists the features are not supported in bridge groups in transparent mode.
Table 1: Unsupported Features in Transparent Mode
Feature
Description
Dynamic DNS
—
DHCPv6 stateless server
Only the DHCPv4 server is supported on bridge group member interfaces.
DHCP relay
The transparent firewall can act as a DHCPv4 server, but it does not
support DHCP relay. DHCP relay is not required because you can allow
DHCP traffic to pass through using two access rules: one that allows
DCHP requests from the inside interface to the outside, and one that allows
the replies from the server in the other direction.
Dynamic routing protocols
You can, however, add static routes for traffic originating on the ASA for
bridge group member interfaces. You can also allow dynamic routing
protocols through the ASA using an access rule.
CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6
6
Transparent or Routed Firewall Mode
Default Settings
Feature
Description
Multicast IP routing
You can allow multicast traffic through the ASA by allowing it in an
access rule.
QoS
—
VPN termination for through
traffic
The transparent firewall supports site-to-site VPN tunnels for management
connections only on bridge group member interfaces. It does not terminate
VPN connections for traffic through the ASA. You can pass VPN traffic
through the ASA using an access rule, but it does not terminate
non-management connections. Clientless SSL VPN is also not supported.
Unified Communications
—
Passing Traffic For Routed-Mode Features
For features that are not directly supported on the transparent firewall, you can allow traffic to pass through
so that upstream and downstream routers can support the functionality. For example, by using an access rule,
you can allow DHCP traffic (instead of the unsupported DHCP relay feature) or multicast traffic such as that
created by IP/TV. You can also establish routing protocol adjacencies through a transparent firewall; you can
allow OSPF, RIP, EIGRP, or BGP traffic through based on an access rule. Likewise, protocols like HSRP or
VRRP can pass through the ASA.
Default Settings
Default Mode
The default mode is routed mode.
Bridge Group Defaults
By default, all ARP packets are passed within the bridge group.
Guidelines for Firewall Mode
Context Mode Guidelines
Set the firewall mode per context.
Bridge Group Guidelines (Transparent Mode)
• You can create up to 250 bridge groups, with 64 interfaces per bridge group.
• Each directly-connected network must be on the same subnet.
CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6
7
Transparent or Routed Firewall Mode
Set the Firewall Mode
• The ASA does not support traffic on secondary networks; only traffic on the same network as the BVI
IP address is supported.
• For IPv4, an IP address for the BVI is required for each bridge group for both management traffic and
for traffic to pass through the ASA. IPv6 addresses are supported, but not required for the BVI.
• You can only configure IPv6 addresses manually.
• The BVI IP address must be on the same subnet as the connected network. You cannot set the subnet
to a host subnet (255.255.255.255).
• Management interfaces are not supported as bridge group members.
• In transparent mode, you must use at least 1 bridge group; data interfaces must belong to a bridge group.
• In transparent mode, do not specify the BVI IP address as the default gateway for connected devices;
devices need to specify the router on the other side of the ASA as the default gateway.
• In transparent mode, the default route, which is required to provide a return path for management traffic,
is only applied to management traffic from one bridge group network. This is because the default route
specifies an interface in the bridge group as well as the router IP address on the bridge group network,
and you can only define one default route. If you have management traffic from more than one bridge
group network, you need to specify a regular static route that identifies the network from which you
expect management traffic.
• In transparent mode, PPPoE is not supported for the Management interface.
Additional Guidelines and Limitations
• When you change firewall modes, the ASA clears the running configuration because many commands
are not supported for both modes. The startup configuration remains unchanged. If you reload without
saving, then the startup configuration is loaded, and the mode reverts back to the original setting. See
Set the Firewall Mode, on page 8 for information about backing up your configuration file.
• If you download a text configuration to the ASA that changes the mode with the firewall transparent
command, be sure to put the command at the top of the configuration; the ASA changes the mode as
soon as it reads the command and then continues reading the configuration you downloaded. If the
command appears later in the configuration, the ASA clears all the preceding lines in the configuration.
See Set the ASA Image, ASDM, and Startup Configuration for information about downloading text
files.
Set the Firewall Mode
This section describes how to change the firewall mode.
Note
We recommend that you set the firewall mode before you perform any other configuration because changing
the firewall mode clears the running configuration.
Before You Begin
When you change modes, the ASA clears the running configuration (see Guidelines for Firewall Mode, on
page 7 for more information).
CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6
8
Transparent or Routed Firewall Mode
Examples for Firewall Mode
• If you already have a populated configuration, be sure to back up your configuration before changing
the mode; you can use this backup for reference when creating your new configuration. See Back Up
and Restore Configurations or Other Files.
• Use the CLI at the console port to change the mode. If you use any other type of session, including the
ASDM Command Line Interface tool or SSH, you will be disconnected when the configuration is cleared,
and you will have to reconnect to the ASA using the console port in any case.
• Set the mode within the context.
Note
To set the firewall mode to transparent and also configure ASDM management access after the configuration
is cleared, see Configure ASDM Access.
Procedure
Set the firewall mode to transparent:
firewall transparent
Example:
ciscoasa(config)# firewall transparent
To change the mode to routed, enter the no firewall transparent command.
Note
You are not prompted to confirm the firewall mode change; the change occurs immediately.
Examples for Firewall Mode
This section includes examples of how traffic moves through the ASA in the routed and transparent firewall
mode.
How Data Moves Through the ASA in Routed Firewall Mode
The following sections describe how data moves through the ASA in routed firewall mode in multiple scenarios.
CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6
9
Transparent or Routed Firewall Mode
How Data Moves Through the ASA in Routed Firewall Mode
An Inside User Visits a Web Server
The following figure shows an inside user accessing an outside web server.
Figure 4: Inside to Outside
The following steps describe how data moves through the ASA:
1 The user on the inside network requests a web page from www.example.com.
2 The ASA receives the packet and because it is a new session, it verifies that the packet is allowed according
to the terms of the security policy.
For multiple context mode, the ASA first classifies the packet to a context.
3 The ASA translates the real address (10.1.2.27) to the mapped address 209.165.201.10, which is on the
outside interface subnet.
The mapped address could be on any subnet, but routing is simplified when it is on the outside interface
subnet.
4 The ASA then records that a session is established and forwards the packet from the outside interface.
5 When www.example.com responds to the request, the packet goes through the ASA, and because the
session is already established, the packet bypasses the many lookups associated with a new connection.
The ASA performs NAT by untranslating the global destination address to the local user address, 10.1.2.27.
CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6
10
Transparent or Routed Firewall Mode
How Data Moves Through the ASA in Routed Firewall Mode
6 The ASA forwards the packet to the inside user.
An Outside User Visits a Web Server on the DMZ
The following figure shows an outside user accessing the DMZ web server.
Figure 5: Outside to DMZ
The following steps describe how data moves through the ASA:
1 A user on the outside network requests a web page from the DMZ web server using the mapped address
of 209.165.201.3, which is on the outside interface subnet.
2 The ASA receives the packet and untranslates the mapped address to the real address 10.1.1.3.
3 Because it is a new session, the ASA verifies that the packet is allowed according to the terms of the
security policy.
For multiple context mode, the ASA first classifies the packet to a context.
4 The ASA then adds a session entry to the fast path and forwards the packet from the DMZ interface.
5 When the DMZ web server responds to the request, the packet goes through the ASA and because the
session is already established, the packet bypasses the many lookups associated with a new connection.
The ASA performs NAT by translating the real address to 209.165.201.3.
6 The ASA forwards the packet to the outside user.
CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6
11
Transparent or Routed Firewall Mode
How Data Moves Through the ASA in Routed Firewall Mode
An Inside User Visits a Web Server on the DMZ
The following figure shows an inside user accessing the DMZ web server.
Figure 6: Inside to DMZ
The following steps describe how data moves through the ASA:
1 A user on the inside network requests a web page from the DMZ web server using the destination address
of 10.1.1.3.
2 The ASA receives the packet and because it is a new session, the ASA verifies that the packet is allowed
according to the terms of the security policy.
For multiple context mode, the ASA first classifies the packet to a context.
3 The ASA then records that a session is established and forwards the packet out of the DMZ interface.
4 When the DMZ web server responds to the request, the packet goes through the fast path, which lets the
packet bypass the many lookups associated with a new connection.
5 The ASA forwards the packet to the inside user.
CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6
12
Transparent or Routed Firewall Mode
How Data Moves Through the ASA in Routed Firewall Mode
An Outside User Attempts to Access an Inside Host
The following figure shows an outside user attempting to access the inside network.
Figure 7: Outside to Inside
The following steps describe how data moves through the ASA:
1 A user on the outside network attempts to reach an inside host (assuming the host has a routable IP address).
If the inside network uses private addresses, no outside user can reach the inside network without NAT.
The outside user might attempt to reach an inside user by using an existing NAT session.
2 The ASA receives the packet and because it is a new session, it verifies if the packet is allowed according
to the security policy.
3 The packet is denied, and the ASA drops the packet and logs the connection attempt.
If the outside user is attempting to attack the inside network, the ASA employs many technologies to
determine if a packet is valid for an already established session.
CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6
13
Transparent or Routed Firewall Mode
How Data Moves Through the ASA in Routed Firewall Mode
A DMZ User Attempts to Access an Inside Host
The following figure shows a user in the DMZ attempting to access the inside network.
Figure 8: DMZ to Inside
The following steps describe how data moves through the ASA:
1 A user on the DMZ network attempts to reach an inside host. Because the DMZ does not have to route
the traffic on the Internet, the private addressing scheme does not prevent routing.
2 The ASA receives the packet and because it is a new session, it verifies if the packet is allowed according
to the security policy.
The packet is denied, and the ASA drops the packet and logs the connection attempt.
CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6
14
Transparent or Routed Firewall Mode
How Data Moves Through the Transparent Firewall
How Data Moves Through the Transparent Firewall
The following figure shows a typical transparent firewall implementation with an inside network that contains
a public web server. The ASA has an access rule so that the inside users can access Internet resources. Another
access rule lets the outside users access only the web server on the inside network.
Figure 9: Typical Transparent Firewall Data Path
The following sections describe how data moves through the ASA.
CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6
15
Transparent or Routed Firewall Mode
How Data Moves Through the Transparent Firewall
An Inside User Visits a Web Server
The following figure shows an inside user accessing an outside web server.
Figure 10: Inside to Outside
The following steps describe how data moves through the ASA:
1 The user on the inside network requests a web page from www.example.com.
2 The ASA receives the packet and adds the source MAC address to the MAC address table, if required.
Because it is a new session, it verifies that the packet is allowed according to the terms of the security
policy.
For multiple context mode, the ASA first classifies the packet to a context.
3 The ASA records that a session is established.
4 If the destination MAC address is in its table, the ASA forwards the packet out of the outside interface.
The destination MAC address is that of the upstream router, 209.165.201.2.
If the destination MAC address is not in the ASA table, it attempts to discover the MAC address by sending
an ARP request or a ping. The first packet is dropped.
5 The web server responds to the request; because the session is already established, the packet bypasses
the many lookups associated with a new connection.
6 The ASA forwards the packet to the inside user.
CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6
16
Transparent or Routed Firewall Mode
How Data Moves Through the Transparent Firewall
An Inside User Visits a Web Server Using NAT
The following figure shows an inside user accessing an outside web server.
Figure 11: Inside to Outside with NAT
The following steps describe how data moves through the ASA:
1 The user on the inside network requests a web page from www.example.com.
2 The ASA receives the packet and adds the source MAC address to the MAC address table, if required.
Because it is a new session, it verifies that the packet is allowed according to the terms of the security
policy.
For multiple context mode, the ASA first classifies the packet according to a unique interface.
3 The ASA translates the real address (10.1.2.27) to the mapped address 209.165.201.10.
Because the mapped address is not on the same network as the outside interface, then be sure the upstream
router has a static route to the mapped network that points to the ASA.
4 The ASA then records that a session is established and forwards the packet from the outside interface.
5 If the destination MAC address is in its table, the ASA forwards the packet out of the outside interface.
The destination MAC address is that of the upstream router, 10.1.2.1.
If the destination MAC address is not in the ASA table, then it attempts to discover the MAC address by
sending an ARP request and a ping. The first packet is dropped.
CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6
17
Transparent or Routed Firewall Mode
How Data Moves Through the Transparent Firewall
6 The web server responds to the request; because the session is already established, the packet bypasses
the many lookups associated with a new connection.
7 The ASA performs NAT by untranslating the mapped address to the real address, 10.1.2.27.
An Outside User Visits a Web Server on the Inside Network
The following figure shows an outside user accessing the inside web server.
Figure 12: Outside to Inside
The following steps describe how data moves through the ASA:
1 A user on the outside network requests a web page from the inside web server.
2 The ASA receives the packet and adds the source MAC address to the MAC address table, if required.
Because it is a new session, it verifies that the packet is allowed according to the terms of the security
policy.
For multiple context mode, the ASA first classifies the packet to a context.
3 The ASA records that a session is established.
CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6
18
Transparent or Routed Firewall Mode
How Data Moves Through the Transparent Firewall
4 If the destination MAC address is in its table, the ASA forwards the packet out of the inside interface. The
destination MAC address is that of the downstream router, 209.165.201.1.
If the destination MAC address is not in the ASA table, then it attempts to discover the MAC address by
sending an ARP request and a ping. The first packet is dropped.
5 The web server responds to the request; because the session is already established, the packet bypasses
the many lookups associated with a new connection.
6 The ASA forwards the packet to the outside user.
An Outside User Attempts to Access an Inside Host
The following figure shows an outside user attempting to access a host on the inside network.
Figure 13: Outside to Inside
The following steps describe how data moves through the ASA:
1 A user on the outside network attempts to reach an inside host.
2 The ASA receives the packet and adds the source MAC address to the MAC address table, if required.
Because it is a new session, it verifies if the packet is allowed according to the terms of the security policy.
For multiple context mode, the ASA first classifies the packet to a context.
3 The packet is denied because there is no access rule permitting the outside host, and the ASA drops the
packet.
CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6
19
Transparent or Routed Firewall Mode
History for the Firewall Mode
4 If the outside user is attempting to attack the inside network, the ASA employs many technologies to
determine if a packet is valid for an already established session.
History for the Firewall Mode
Table 2: Feature History for Firewall Mode
Feature Name
Platform
Releases
Feature Information
Transparent Firewall Mode
7.0(1)
A transparent firewall is a Layer 2 firewall that acts like a “bump
in the wire,” or a “stealth firewall,” and is not seen as a router
hop to connected devices.
We introduced the following commands: firewall transparent,
show firewall.
Transparent firewall bridge groups
8.4(1)
If you do not want the overhead of security contexts, or want
to maximize your use of security contexts, you can group
interfaces together in a bridge group, and then configure
multiple bridge groups, one for each network. Bridge group
traffic is isolated from other bridge groups. You can configure
up to 8 bridge groups in single mode or per context in multiple
mode, with 4 interfaces maximum per bridge group.
Although you can configure multiple bridge groups
on the ASA 5505, the restriction of 2 data interfaces
in transparent mode on the ASA 5505 means you can
only effectively use 1 bridge group.
We introduced the following commands: interface bvi,
bridge-group, show bridge-group.
Note
Mixed firewall mode support in multiple context
mode
8.5(1)/9.0(1)
You can set the firewall mode independently for each security
context in multiple context mode, so some can run in transparent
mode while others run in routed mode.
We modified the following command: firewall transparent.
Transparent mode bridge group maximum
increased to 250
9.3(1)
The bridge group maximum was increased from 8 to 250 bridge
groups. You can configure up to 250 bridge groups in single
mode or per context in multiple mode, with 4 interfaces
maximum per bridge group.
We modified the following commands: interface bvi,
bridge-group.
Transparent mode maximum interfaces per bridge 9.6(2)
group increased to 64
The maximum interfaces per bridge group was increased from
4 to 64.
We did not modify any commands.
CLI Book 1: Cisco ASA Series General Operations CLI Configuration Guide, 9.6
20
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement