
Transparent Firewall Mode

Posted: 2015-08-07 17:58:35


Part 0: Overview

The Cisco ASA can operate in one of two firewall modes:

  • Routed firewall mode (the default; Layer 3)
  • Transparent firewall mode (Layer 2)

Comparison of the Routed and Transparent Firewall Modes

  Routed Firewall Mode                               | Transparent Firewall Mode
  ---------------------------------------------------|--------------------------------------------
  Use when only IP packets are to be inspected       | Use when non-IP packets must be forwarded
  Network readdressing is necessary across the ASA   | Network readdressing is not necessary
  All interfaces can be used                         | Only two interfaces can be used
  All ASA features are available                     | The following features are not available:

  • Dynamic routing protocols
  • Dynamic DNS
  • DHCP Relay
  • Multicast IP routing
  • Quality of Service
  • VPN termination for transit traffic

Part 1: Configuring Transparent Firewall Mode

ciscoasa#show firewall   //verify the current firewall mode

ciscoasa(config)#firewall transparent  //enable transparent firewall mode

Configure the ASA transparent mode interfaces (only inside and outside):

  • interface speed and duplex mode
  • interface name (nameif)
  • security level (security-level)

Example:

ciscoasa(config)#interface e0/0
ciscoasa(config-if)#nameif outside
ciscoasa(config-if)#security-level 0
ciscoasa(config-if)#no shutdown
ciscoasa(config-if)#exit
ciscoasa(config)#interface e0/1
ciscoasa(config-if)#nameif inside
ciscoasa(config-if)#security-level 100
ciscoasa(config-if)#no shutdown

ciscoasa(config)#ip address ip-address subnet-mask //configure the management IP address

ciscoasa(config)#route interface network mask gateway [metric]

Part 2: Controlling Traffic in Transparent Firewall Mode

ciscoasa(config)#access-list acl_id ethertype {permit | deny} {any | bpdu | ipx | mpls-unicast | mpls-multicast | ethertype}

The ethertype value can be a 16-bit hexadecimal number greater than 0x600, or one of the following keywords:

  • any: Any non-IP packet
  • bpdu: Bridge protocol data units used for STP operation
  • ipx: Novell IPX
  • mpls-unicast: MPLS unicast
  • mpls-multicast: MPLS multicast

Well-known EtherType values are assigned and maintained by the IEEE. You can search or download the most current list of values at http://standards.ieee.org/develop/regauth/ethertype/eth.txt.

Part 3: Using ARP Inspection

By default, an ASA in transparent firewall mode forwards all ARP packets.

To detect and prevent ARP spoofing, you can configure the ASA to support ARP inspection. ARP inspection uses static ARP entries as the basis for its inspection process.

ciscoasa(config)#arp interface ip_address mac_address (nnnn.nnnn.nnnn)

ciscoasa(config)#arp-inspection interface enable [flood | no-flood]

ciscoasa#show arp-inspection

Part 4: Disabling MAC Address Learning

A malicious host might not stop at a single spoofed MAC address: it could also flood the ASA with packets carrying many different spoofed source addresses, filling the MAC address table (a DoS attack).

To prevent MAC address spoofing attacks, you can disable MAC address learning completely and define the permitted addresses statically.

ciscoasa(config)#mac-learn interface disable

ciscoasa(config)#mac-address-table static interface mac_address

ciscoasa(config)#show mac-learn

ciscoasa(config)#show mac-address-table
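The four parts above combined into one transparent-mode configuration, as an added worked example that is not from the original post. The interface names, the 192.0.2.0/24 addresses, the MAC addresses and the ACL name NONIP are placeholders chosen for illustration.

```cisco
! Added worked example (not from the original post): all four parts in one transparent-mode config.
! Interface names, the 192.0.2.0/24 addresses, the MACs and the ACL name are placeholders.
ciscoasa(config)# firewall transparent

! Part 1: the two bridged interfaces (no IP addresses on the interfaces themselves)
ciscoasa(config)# interface e0/0
ciscoasa(config-if)# nameif outside
ciscoasa(config-if)# security-level 0
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
ciscoasa(config)# interface e0/1
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# security-level 100
ciscoasa(config-if)# no shutdown
ciscoasa(config-if)# exit
! one management address for the whole bridged segment, and a default route so that
! traffic the ASA originates itself (syslog, AAA, management replies) can leave the segment
ciscoasa(config)# ip address 192.0.2.10 255.255.255.0
ciscoasa(config)# route outside 0.0.0.0 0.0.0.0 192.0.2.1 1

! Part 2: EtherType ACL. Permit STP BPDUs explicitly so the switches on both sides keep
! seeing each other's STP, then deny the remaining non-IP traffic; apply it on both interfaces.
ciscoasa(config)# access-list NONIP ethertype permit bpdu
ciscoasa(config)# access-list NONIP ethertype deny any
ciscoasa(config)# access-group NONIP in interface outside
ciscoasa(config)# access-group NONIP in interface inside

! Part 3: static ARP entries for the trusted hosts, then ARP inspection.
! An ARP packet whose IP/MAC pair contradicts a static entry is dropped; with "no-flood"
! a packet that matches no entry at all is dropped too, instead of being flooded.
ciscoasa(config)# arp inside 192.0.2.20 0011.2233.4455
ciscoasa(config)# arp outside 192.0.2.1 0011.2233.aabb
ciscoasa(config)# arp-inspection inside enable no-flood
ciscoasa(config)# arp-inspection outside enable no-flood

! Part 4: stop learning source MACs and pin the known ones instead, so a host sending
! frames from many spoofed source addresses cannot fill the MAC address table.
ciscoasa(config)# mac-learn inside disable
ciscoasa(config)# mac-learn outside disable
ciscoasa(config)# mac-address-table static inside 0011.2233.4455
ciscoasa(config)# mac-address-table static outside 0011.2233.aabb

! Verification
ciscoasa(config)# show firewall
ciscoasa(config)# show arp-inspection
ciscoasa(config)# show mac-learn
ciscoasa(config)# show mac-address-table
```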

Original source: http://www.cnblogs.com/elewei/p/4711230.html
