Transparent Firewall Mode

时间：2015-08-07 17:58:35 阅读：513 评论：0 收藏：0 [点我收藏+]

标签：

Part 0: overview

The Cisco ASA can operate:

routed firewall mode (default Layer 3)
Transparent mode (Layer 2)

Comparison of the Routed and Transparent Firewall Modes
Routed Firewall Mode	Transparent Firewall Mode
Use when only IP packets are to be inspected	Use when non-IP packets must be forwarded
Network readdresing is necessary across the ASA	Network readdressing is not necessary.
All interfaces can be used	Only two interfaces can be used.
All ASA features are available.	The following feature are not available: Dynamic routing protocol Dynamic DNS DHCP Relay Multicast IP routing Quailty of Service VPN termination for transit traffic

Part 1: Configuring Transparent Firewall Mode

ciscoasa#show firewall //Verifying the Current Firewall Mode

ciscoasa(config)#firewall transparent //enable transparent firewall mode

Configure ASA Transparent Mode Interface(Only inside & outside):

interface speed and duplex mode
interface name (nameif)
security level(security-level)

Example:

ciscoasa(config)#interface e0/0

ciscoasa(config-if)#nameif outside

ciscoasa(config-if)#security-level 0

ciscoasa(config-if)#no shutdown

ciscoasa(config-if)#exit

ciscoasa(config)#interface e0/1

ciscoasa(config-if)#nameif inside

ciscoasa(config-if)#security-level 100

ciscoasa(config-if)#no shutdown

ciscoasa(config)#ip address ip-address subnet-mask //configure management ip address

ciscoasa(config)#route interface network mask gateway [metric]

Part 2: Controlling Traffic in Transparent Firewall Mode

ciscoasa(config)#access-list acl_id ehtertype {permit | deny} {any | bpdu | ipx | mpls-unicast | mpls-multicast | ethertype}

the ehtertype value can be a 16-bit hex number greater than 0x600, or one of the following keywords:

any: Any non-IP packet
bpdu: Bridge protocol data units used for STP operation
ipx: Novell IPX
mpls-unicast: MPLS unicast
mpls-multicast: MPLS multicast

Well-known EtherType values are assigned and maintained by the IEEE. You can search or download the most current list of values at http://standards.ieee.org/develop/regauth/

ethertype/eth.txt.

Part 3: Using ARP Inspecition

By default: an ASA in transparent firewall Mode forwards all ARP packets.

To detect and prevent ARP spoofing, you can configure the ASA to support ARP insepction. ARP inspection uses static ARP entries as the basis for its inspection process.

ciscoasa(config)#arp interface ip_address mac_addresss(nnnn.nnnn.nnnn)

ciscoasa(config)#arp-inspection interface enable [flood | no-flood]

ciscoasa#show arp-inspection

Part 4: Disable MAC Address Learning

The malicious host might not stop with just one spoofed MAC address. It might also send so many packets with spoofed address. DoS attack

to prevent MAC address spoofing attacks, you can disable MAC address learnning completely.

ciscoasa(config)#mac-learn interface disable

ciscoasa(config)#mac-address-table static interface mac_address

ciscoasa(config)#show mac-learn

ciscoasa(config)#show mac-address-table

Transparent Firewall Mode

标签：

原文地址：http://www.cnblogs.com/elewei/p/4711230.html

踩

(0)

评论一句话评论（0）

分享档案

更多>

2021年07月29日 (22)
2021年07月28日 (40)
2021年07月27日 (32)
2021年07月26日 (79)
2021年07月23日 (29)
2021年07月22日 (30)
2021年07月21日 (42)
2021年07月20日 (16)
2021年07月19日 (90)
2021年07月16日 (35)

周排行