Support User Manuals

Cisco Systems OL-12172-01 Water Heater User Manual

Open as PDF

of 16

15-10

Cisco Security Appliance Command Line Configuration Guide

OL-12172-01

Chapter 15 Firewall Mode Overview

Transparent Mode Overview

In single mode, you can only use two data interfaces (and the dedicated management interface, if

available) even if your security appliance includes more than two interfaces.

• Each directly connected network must be on the same subnet.

• Do not specify the security appliance management IP address as the default gateway for connected

devices; devices need to specify the router on the other side of the security appliance as the default

gateway.

• For multiple context mode, each context must use different interfaces; you cannot share an interface

across contexts.

• For multiple context mode, each context typically uses a different subnet. You can use overlapping

subnets, but your network topology requires router and NAT configuration to make it possible from

a routing standpoint.

Unsupported Features in Transparent Mode

Table 15-1 lists the features are not supported in transparent mode.

Table 15-1 Unsupported Features in Transparent Mode

Feature Description

Dynamic DNS —

DHCP relay The transparent firewall can act as a DHCP server, but it does not

support the DHCP relay commands. DHCP relay is not required

because you can allow DHCP traffic to pass through using two

extended access lists: one that allows DCHP requests from the inside

interface to the outside, and one that allows the replies from the server

in the other direction.

Dynamic routing protocols You can, however, add static routes for traffic originating on the

security appliance. You can also allow dynamic routing protocols

through the security appliance using an extended access list.

IPv6 You also cannot allow IPv6 using an EtherType access list.

Multicast You can allow multicast traffic through the security appliance by

allowing it in an extended access list.

QoS —

VPN termination for through

traffic

The transparent firewall supports site-to-site VPN tunnels for

management connections only. It does not terminate VPN connections

for traffic through the security appliance. You can pass VPN traffic

through the security appliance using an extended access list, but it

does not terminate non-management connections. WebVPN is also not

supported.

previous next