Transparent Firewall mode on a Cisco ASA is a handy capability, depending on your situation. If you run protocols other than IP on your network and want an ASA in the path, Transparent Mode is what you’re looking for. In routed mode the ASA only forwards IP, so non-IP traffic cannot be passed even if you permit it in an IP ACL. To allow non-IP traffic through a transparent-mode ASA you’ll need to configure an EtherType ACL. EtherType ACLs are essentially layer 2 ACLs: they match on the EtherType field of the frame rather than on IP addresses and ports. For this example we will use the following topology to configure an EtherType ACL that allows IPX traffic across the firewall.
Configuring EtherType ACLs on the ASA
To get started configuring EtherType ACLs on the ASA, first create one EtherType ACL for each interface:
```
access-list ETHER_INSIDE ethertype permit ipx
!
access-list ETHER_OUTSIDE ethertype permit ipx
```
Once you have the EtherType ACLs configured you need to apply them inbound on their respective interfaces:
```
access-group ETHER_INSIDE in interface inside
!
access-group ETHER_OUTSIDE in interface outside
```
At this point IPX is allowed in both directions. Note that in transparent mode the ASA does not pass CDP packets, or any packets that don’t have a valid EtherType greater than or equal to 0x600. An exception is made for BPDUs, which are supported. If you want to allow another protocol through the ASA by its EtherType code, you can find the codes in the Wireless Access Point Configuration Guide or in this IOS configuration guide (PDF).
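The following is an added example, not configuration from the original post, showing the two EtherType ACLs in the context of a minimal transparent-mode ASA (8.4 or later, bridge-group syntax). The interface names, bridge-group number and management address are assumptions for illustration. It also covers the caveat a practitioner runs into the first time: an EtherType ACL ends with an implicit deny, so once one is applied, BPDUs, which the transparent firewall otherwise passes by default, must be permitted explicitly or spanning tree on either side of the firewall stops seeing the other side.

```cisco
! Added example, not from the original post. Interface names, bridge-group
! number and the BVI management address are assumptions for illustration.
!
! Transparent mode: the ASA bridges inside and outside in one bridge group.
firewall transparent
!
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 bridge-group 1
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 bridge-group 1
!
! Management address for the bridge group (assumed, documentation range).
interface BVI1
 ip address 192.0.2.10 255.255.255.0
!
! EtherType ACLs: one per interface. Each ends with an implicit deny, so
! BPDUs have to be permitted explicitly alongside IPX or they will be dropped.
access-list ETHER_INSIDE ethertype permit ipx
access-list ETHER_INSIDE ethertype permit bpdu
!
access-list ETHER_OUTSIDE ethertype permit ipx
access-list ETHER_OUTSIDE ethertype permit bpdu
!
! Applied inbound on each interface, so both are needed for two-way IPX.
access-group ETHER_INSIDE in interface inside
access-group ETHER_OUTSIDE in interface outside
!
! Verification (exec mode): per-entry hit counts and the applied groups.
show access-list ETHER_INSIDE
show access-list ETHER_OUTSIDE
show running-config access-group
```

Two things to keep in mind when using this: switching between routed and transparent mode with `firewall transparent` clears the running configuration, so do it before, not after, building the rest of the config; and EtherType ACLs only govern non-IP frames, so IP traffic crossing a transparent firewall is still controlled by the normal extended ACLs on the same interfaces.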