Transparent Firewall

A transparent firewall forwards traffic based on Layer 2 information. This lets you deploy a PIX Firewall in a secure bridging mode: the PIX acts as a Layer 2 device while still applying its full set of Layer 2 through Layer 7 security services.

Remember these points while implementing a Transparent Firewall on the PIX Firewall:

  • Only one inside interface and one outside interface are supported for the transparent firewall.

  • Each directly connected network must be on the same subnet.

  • A management IP address must be configured and should be on the same subnet as the connected network.

  • This management IP address cannot serve as the default gateway for connected devices; instead, point the hosts at the upstream router's IP address as their default gateway.

  • The PIX uses this IP address as the source address for packets that originate on the outside interface.

  • Non-IP traffic, such as Internetwork Packet Exchange (IPX), can be passed by configuring an EtherType ACL that allows it through.

  • Dynamic routing protocols will run on the device and will pass through the PIX.

  • NAT is not supported; NAT is performed on the upstream router. You must use an extended ACL to allow Layer 3 traffic, such as IP traffic, through the PIX.
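The checklist above maps onto a short configuration. The following is an added example in PIX 7.x syntax, not taken from the original page: it shows a single-context transparent firewall with a management IP address, a management-only default route, an extended ACL for IP traffic and an EtherType ACL for IPX. Interface names, addresses, host roles and ACL names are assumptions chosen for illustration.

```cisco
! Added example (assumed names and addresses): single-context transparent PIX.
firewall transparent
!
! Exactly one outside and one inside interface are supported.
interface Ethernet0
 nameif outside
 security-level 0
 no shutdown
interface Ethernet1
 nameif inside
 security-level 100
 no shutdown
!
! Management IP address on the same subnet as the bridged network (192.168.1.0/24 assumed).
! Hosts keep the upstream router (192.168.1.1 assumed) as their default gateway; the route
! below only lets the PIX's own management traffic (syslog, AAA, NTP) reach off-subnet devices.
ip address 192.168.1.2 255.255.255.0
route outside 0.0.0.0 0.0.0.0 192.168.1.1 1
!
! Layer 3 (IP) traffic needs an extended ACL. Permit only the services the outside
! must reach on the assumed web server 192.168.1.10; stateful inspection handles the replies.
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.10 eq www
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.10 eq https
access-list OUTSIDE_IN extended deny ip any any
access-group OUTSIDE_IN in interface outside
!
! Non-IP traffic (IPX here) needs an EtherType ACL. An EtherType ACL ends in an implicit deny,
! so BPDUs are permitted explicitly to keep spanning tree working across the bridge.
! The ACL is applied on both interfaces so IPX can cross in either direction.
access-list NONIP ethertype permit ipx
access-list NONIP ethertype permit bpdu
access-group NONIP in interface outside
access-group NONIP in interface inside
```

Because there is no NAT on the PIX, the addresses in OUTSIDE_IN are the real host addresses; any translation the design needs has to be done on the upstream router. Keeping the extended ACL specific rather than permitting `ip any any` is what makes the bridge a firewall instead of a wire.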

If you configure multiple contexts with Transparent Firewall, you must note the following points:

  • A management IP address is required for each context, even if you do not intend to use Telnet to the context.

  • In multiple context mode, each context must use different VLANs; a virtual LAN (VLAN) cannot be shared across contexts.

  • In multiple context mode, each context can use the same (overlapping) subnet or a different subnet, as long as each context is on its own VLANs.

  • Be sure that the upstream router performs NAT if you use overlapping subnets.
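As an added example (not from the original page) of the multiple-context rules above, the configuration below is written in PIX 7.x syntax: the system execution space allocates a distinct VLAN pair to each of two transparent contexts, and each context then carries its own management IP address on the same overlapping subnet. VLAN numbers, context names, addresses and file names are assumptions.

```cisco
! ---- System execution space (assumed names, VLANs and file names) ----
! 'mode multiple' is entered once from global configuration and triggers a reload.
mode multiple
! In 7.x the firewall mode is set here and applies to every context.
firewall transparent
!
! One physical trunk carries all VLANs; every context gets a VLAN pair nobody else uses.
interface Ethernet0
 no shutdown
interface Ethernet0.10
 vlan 10
interface Ethernet0.11
 vlan 11
interface Ethernet0.20
 vlan 20
interface Ethernet0.21
 vlan 21
!
admin-context admin
context admin
 allocate-interface Ethernet0.10
 allocate-interface Ethernet0.11
 config-url flash:/admin.cfg
!
context customerA
 allocate-interface Ethernet0.20
 allocate-interface Ethernet0.21
 config-url flash:/customerA.cfg
!
! ---- Context admin (flash:/admin.cfg) ----
! A management IP address is required even if nobody will Telnet to this context.
interface Ethernet0.10
 nameif outside
 security-level 0
interface Ethernet0.11
 nameif inside
 security-level 100
ip address 10.0.0.2 255.255.255.0
!
! ---- Context customerA (flash:/customerA.cfg) ----
! Same 10.0.0.0/24 subnet as the admin context: allowed because the VLANs differ.
! The upstream router must NAT each context's overlapping addresses.
interface Ethernet0.20
 nameif outside
 security-level 0
interface Ethernet0.21
 nameif inside
 security-level 100
ip address 10.0.0.2 255.255.255.0
```

The two contexts never see each other's frames because VLAN 10/11 and VLAN 20/21 are separate broadcast domains on the trunk; that separation, not the IP addressing, is what keeps the overlapping subnets from colliding, which is why the NAT for them has to live on the upstream router.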

You might encounter several limitations with Transparent Firewall and VPN implementations:

  • VPN tunnels are allowed only when configured for single (Routed) context mode.

  • To-the-box IPsec traffic is supported.

  • Through-the-box IPsec data, or data carried through a tunnel destined for the secure side of the transparent firewall, is not supported.

  • Only static crypto maps are supported.

  • The IP address configured for the management access is the VPN peer address.

  • WebVPN is not supported while the device is operating in transparent mode.

  • Only LAN-to-LAN (L2L) tunnels are supported, and only one tunnel at a time.

  • X-Auth and mode config attributes should not be used during tunnel negotiation, but are configurable.

  • A VPN tunnel cannot be initiated from the firewall; the firewall can only answer tunnel requests.

  • VPN Load Balancing and VPN Stateful Failover are not supported.

  • QoS of VPN data is not supported.

  • NAT over the tunnel is not supported.