Filter
Top Products
15-8
Cisco Security Appliance Command Line Configuration Guide
OL-12172-01
Chapter 15 Firewall Mode Overview
Transparent Mode Overview
Passing Traffic Not Allowed in Routed Mode
In routed mode, some types of traffic cannot pass through the security appliance even if you allow it in
an access list. The transparent firewall, however, can allow almost any traffic through using either an
extended access list (for IP traffic) or an EtherType access list (for non-IP traffic).
Note The transparent mode security appliance does not pass CDP packets or IPv6 packets, or any packets that
do not have a valid EtherType greater than or equal to 0x600. For example, you cannot pass IS-IS
packets. An exception is made for BPDUs, which are supported.
For example, you can establish routing protocol adjacencies through a transparent firewall; you can
allow OSPF, RIP, EIGRP, or BGP traffic through based on an extended access list. Likewise, protocols
like HSRP or VRRP can pass through the security appliance.
Non-IP traffic (for example AppleTalk, IPX, BPDUs, and MPLS) can be configured to go through using
an EtherType access list.
For features that are not directly supported on the transparent firewall, you can allow traffic to pass
through so that upstream and downstream routers can support the functionality. For example, by using
an extended access list, you can allow DHCP traffic (instead of the unsupported DHCP relay feature) or
multicast traffic such as that created by IP/TV.
MAC Address vs. Route Lookups
When the security appliance runs in transparent mode without NAT, the outgoing interface of a packet
is determined by performing a MAC address lookup instead of a route lookup. Route statements can still
be configured, but they only apply to security appliance-originated traffic. For example, if your syslog
server is located on a remote network, you must use a static route so the security appliance can reach
that subnet.
An exception to this rule is when you use voice inspections and the endpoint is at least one hop away
from the security appliance. For example, if you use the transparent firewall between a CCM and an
H.323 gateway, and there is a router between the transparent firewall and the H.323 gateway, then you
need to add a static route on the security appliance for the H.323 gateway for successful call completion.
If you use NAT, then the security appliance uses a route lookup instead of a MAC address lookup. In
some cases, you will need static routes. For example, if the real destination address is not
directly-connected to the security appliance, then you need to add a static route on the security appliance
for the real destination address that points to the downstream router.