Transparent Firewall Mode

Part 0: overview

The Cisco ASA can operate in one of two firewall modes:

  • Routed firewall mode (the default): the ASA is a Layer 3 hop; each interface has its own IP address and the hosts on either side are in different subnets.
  • Transparent firewall mode: the ASA is a Layer 2 "bump in the wire" that bridges two interfaces in the same subnet and is invisible to the hosts around it.

Comparison of the Routed and Transparent Firewall Modes

Routed Firewall Mode:
  • Use when only IP packets are to be inspected.
  • Network readdressing is necessary across the ASA.
  • All interfaces can be used.
  • All ASA features are available.

Transparent Firewall Mode:
  • Use when non-IP packets must be forwarded (controlled with EtherType ACLs, Part 2).
  • Network readdressing is not necessary; inside and outside hosts stay in one subnet.
  • Only two interfaces can be used, one inside and one outside (ASA 8.4 and later instead group interfaces into bridge groups of up to four interfaces each).
  • The following features are not available:
      • Dynamic routing protocols
      • Dynamic DNS
      • DHCP relay
      • Multicast IP routing
      • Quality of Service
      • VPN termination for transit traffic (a VPN may still terminate on the ASA for its own management traffic)

Part 1: Configuring Transparent Firewall Mode

ciscoasa#show firewall   //verify the current firewall mode

ciscoasa(config)#firewall transparent  //enable transparent firewall mode; this clears the running configuration, so issue it before any other configuration ("no firewall transparent" returns to routed mode and clears it again)

Configure the ASA transparent-mode interfaces (only inside and outside; interfaces carry no IP address in this mode):

  • interface speed and duplex mode
  • interface name (nameif)
  • security level(security-level)

Example:

ciscoasa(config)#interface e0/0

ciscoasa(config-if)#nameif outside

ciscoasa(config-if)#security-level 0

ciscoasa(config-if)#no shutdown

ciscoasa(config-if)#exit

ciscoasa(config)#interface e0/1

ciscoasa(config-if)#nameif inside

ciscoasa(config-if)#security-level 100

ciscoasa(config-if)#no shutdown

ciscoasa(config)#ip address ip-address subnet-mask //configure the management IP address: it is global rather than per-interface, must belong to the bridged subnet, and is used only for traffic the ASA itself originates or terminates (management sessions, syslog, AAA); transit traffic is bridged regardless of it (ASA 8.4 and later configure this under interface BVI n instead)

ciscoasa(config)#route interface network mask gateway [metric] //static route for the ASA's own traffic to destinations off the bridged subnet, e.g. a syslog or AAA server; it does not route transit traffic

Part 2: Controlling Traffic in Transparent Firewall Mode

ciscoasa(config)#access-list acl_id ethertype {permit | deny} {any | bpdu | ipx | mpls-unicast | mpls-multicast | ethertype}

The ethertype value can be a 16-bit hexadecimal number greater than 0x600, or one of the following keywords:

  • any: any non-IP packet
  • bpdu: bridge protocol data units used for STP operation
  • ipx: Novell IPX
  • mpls-unicast: MPLS unicast
  • mpls-multicast: MPLS multicast

EtherType ACLs govern only non-IP traffic; IP traffic is still controlled by extended ACLs and ARP is handled separately (Part 3). The list takes effect only after it is applied to an interface with the access-group command, and because EtherType traffic is connectionless it must be applied on both interfaces for traffic to pass in both directions. An applied list ends in an implicit deny, so BPDUs have to be permitted explicitly when spanning tree runs across the ASA, otherwise the switches on either side cannot converge; an explicit deny any, on the other hand, also denies IP and ARP traffic.

Well-known EtherType values are assigned and maintained by the IEEE. You can search or download the most current list of values at http://standards.ieee.org/develop/regauth/ethertype/eth.txt.
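Parts 1 and 2 combined into one configuration, as an added example written for this page rather than taken from it or from Cisco's documentation. It keeps the page's pre-8.4 style (global ip address; ASA 8.4 and later need bridge-group on the interfaces and the management address under interface BVI). The addresses in 192.0.2.0/24, the ACL name L2-ALLOW and the choice of permitted EtherTypes are assumptions:

```cisco
! Added example, not from the original page. Addresses, ACL name and
! EtherTypes are assumptions chosen for illustration.
firewall transparent
!
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Management IP: in the bridged subnet, used only for traffic the ASA
! itself sources or terminates (management, syslog, AAA).
ip address 192.0.2.2 255.255.255.0
! Default route so the ASA's own traffic can reach off-subnet servers.
route outside 0.0.0.0 0.0.0.0 192.0.2.1 1
!
! EtherType ACL. BPDUs are permitted explicitly because the implicit deny
! at the end of an applied list would otherwise drop them and break
! spanning tree across the bridge. IPX stands in for a legacy non-IP
! protocol that must cross the ASA. No "deny any" is written: the
! implicit deny already drops every other non-IP EtherType, while an
! explicit "deny any" would also deny IP and ARP.
access-list L2-ALLOW ethertype permit bpdu
access-list L2-ALLOW ethertype permit ipx
!
! EtherType traffic is connectionless: apply the list on both interfaces
! or the return direction is blocked.
access-group L2-ALLOW in interface outside
access-group L2-ALLOW in interface inside
```

After applying it, show access-list L2-ALLOW shows per-entry hit counts, which is the quickest way to confirm that BPDUs are actually matching the permit rather than the implicit deny.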

Part 3: Using ARP Inspection

By default, an ASA in transparent firewall mode forwards all ARP packets, so a host on one side can poison the ARP caches of hosts on the other side through the ASA (ARP spoofing, the usual first step of a man-in-the-middle attack on the bridged segment).

To detect and prevent ARP spoofing, you can configure the ASA to perform ARP inspection. ARP inspection uses static ARP entries as its reference: the interface, IP address and MAC address of each ARP packet are compared with the static entries. A packet that matches an entry is forwarded; a packet whose IP or MAC address contradicts an entry, or that arrives on the wrong interface, is dropped; a packet for which no static entry exists is flooded out all other interfaces (flood, the default) or dropped (no-flood). Use no-flood only once every legitimate host has a static entry, otherwise those hosts lose connectivity.

ciscoasa(config)#arp interface ip_address mac_address(nnnn.nnnn.nnnn)

ciscoasa(config)#arp-inspection interface enable [flood | no-flood]

ciscoasa#show arp-inspection

Part 4: Disable MAC Address Learning

A malicious host might not stop at one spoofed MAC address: by sending frames from a large number of spoofed source addresses it can exhaust the ASA's MAC address table, turning the spoofing into a denial-of-service attack against the whole bridged segment.

To prevent MAC address spoofing attacks, you can disable MAC address learning completely on an interface and instead add a static MAC address table entry for every host that must be reached through that interface.

ciscoasa(config)#mac-learn interface disable

ciscoasa(config)#mac-address-table static interface mac_address

ciscoasa#show mac-learn

ciscoasa#show mac-address-table
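Parts 3 and 4 applied to the same two hosts (an inside server and the outside gateway), as an added example that is not part of the original page or of Cisco's documentation. The host and gateway addresses and MAC addresses are assumptions; the point of the example is the order of operations that avoids locking out legitimate hosts: static entries first, then inspection in no-flood mode and static MAC entries, then verification:

```cisco
! Added example, not from the original page. Addresses and MACs are
! assumptions chosen for illustration.
!
! 1. Static ARP entries: the reference that inspection compares against.
!    Create them for every host that must be reachable through the bridge
!    BEFORE switching on no-flood, or those hosts lose connectivity.
arp inside 192.0.2.10 0011.2233.4455
arp outside 192.0.2.1 0011.2233.aabb
!
! 2. Enable inspection on both interfaces. With no-flood, an ARP packet
!    whose interface/IP/MAC combination has no static entry is dropped
!    instead of flooded; a packet that contradicts a static entry (same IP,
!    different MAC, or wrong interface) is dropped in either mode.
arp-inspection inside enable no-flood
arp-inspection outside enable no-flood
!
! 3. Stop learning source MACs and pin the same hosts statically, so a
!    flood of spoofed source addresses cannot fill the MAC table.
mac-learn inside disable
mac-learn outside disable
mac-address-table static inside 0011.2233.4455
mac-address-table static outside 0011.2233.aabb
!
! 4. Verification (exec mode):
!    show arp-inspection      - inspection state and flood/no-flood per interface
!    show mac-learn           - confirms learning is disabled on both interfaces
!    show mac-address-table   - only the two static entries should be listed
```

If a host that was not given a static entry needs to reach the segment afterwards, add its arp and mac-address-table static entries rather than re-enabling flood or learning, which would reopen the spoofing window for the whole segment.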

Time: 2024-11-13 08:54:58
