Transparent Firewall (Lesson 14)
No NAT to configure
Layer 2 device
No IP routing to troubleshoot
[Figure: Transparent Mode. The security appliance bridges VLAN 100 and VLAN 200; both sides share the single subnet 10.0.1.0.]
ciscoasa# show firewall
Shows the current firewall mode (Transparent Mode or Routed Mode)
ciscoasa(config)# firewall transparent
Changes the mode to transparent
Requires use of the no firewall transparent command to return to routed mode
ciscoasa(config)# access-list id ethertype {deny | permit} {ipx | bpdu | mpls-unicast | mpls-multicast | any | hex_number}
Treatment of non-IP packets:
The transparent firewall introduces a new type of ACL: the Ethertype ACL.
With Ethertype ACLs, an administrator can allow specific non-IP packets (identified by their Ethernet frame type) through the firewall.
ciscoasa(config)# arp-inspection interface_name enable [flood | no-flood]
ARP inspection checks all ARP packets against static ARP entries and blocks mismatched packets.
This feature prevents ARP spoofing across the bridged segment.
The MAC address table is used to find the outgoing interface based on the destination MAC address.
Built dynamically; contents learned from source MAC addresses
No flooding if MAC address not found
ciscoasa(config)# mac-learn interface_name disable
Disables MAC address learning for an interface
(To re-enable MAC address learning, use the no form of this command. By default, each interface automatically learns the MAC addresses of entering traffic, and the security appliance adds corresponding entries to the MAC address table.)
ciscoasa# show mac-address-table [interface_name | count | static]
Displays the MAC address table
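The following configuration is an added example, not part of the lesson, that ties the commands above together on one appliance: switch to transparent mode, permit only chosen non-IP traffic, pin a host with a static ARP entry so ARP inspection has something to enforce, and freeze the bridge table. The interface names inside/outside, the host 10.0.1.2 and the MAC address 0009.7cf5.0e2e are assumed lab values.

```cisco
! Added example (not from the lesson). inside/outside, 10.0.1.2 and
! 0009.7cf5.0e2e are assumed lab values.
ciscoasa# show firewall
ciscoasa# configure terminal
ciscoasa(config)# firewall transparent

! Non-IP frames are dropped unless an Ethertype ACL permits them.
! Permit spanning-tree BPDUs and IPX, deny every other non-IP frame type,
! and apply the ACL on both bridged interfaces.
ciscoasa(config)# access-list NONIP ethertype permit bpdu
ciscoasa(config)# access-list NONIP ethertype permit ipx
ciscoasa(config)# access-list NONIP ethertype deny any
ciscoasa(config)# access-group NONIP in interface inside
ciscoasa(config)# access-group NONIP in interface outside

! ARP inspection compares ARP packets against static ARP entries,
! so define the entry for the protected host first.
ciscoasa(config)# arp inside 10.0.1.2 0009.7cf5.0e2e
! no-flood: an ARP packet that matches no static entry is dropped
! instead of being flooded; a packet whose IP/MAC pair contradicts
! the static entry is dropped either way.
ciscoasa(config)# arp-inspection inside enable no-flood

! Freeze the bridge table: add the host statically, then stop
! dynamic learning so a forged source MAC cannot move the entry.
ciscoasa(config)# mac-address-table static inside 0009.7cf5.0e2e
ciscoasa(config)# mac-learn inside disable
ciscoasa(config)# show mac-address-table inside
```

Run debug arp-inspection while a second host on VLAN 100 claims 10.0.1.2 to watch the mismatched packet being dropped.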
Debug Support
debug arp-inspection: To track the code path of ARP forwarding and the ARP inspection module in the transparent firewall
debug mac-address-table: To track the insertions, deletions, or updates to the bridge table that is maintained for the transparent firewall
[Figure: lab topology. A "bastion host" (web or FTP) at .2 on the 10.0.P.0 network (.100 also shown); a local web or FTP server at 10.0.P.11; Cisco Secure ACS and the student PC syslog server at 172.16.P.11.]