Unsupported Features In Transparent Mode - Cisco FirePOWER ASA 5500 series Configuration Manual


Transparent Mode Overview

- The management IP address must be on the same subnet as the connected network. You cannot set the subnet to a host subnet (255.255.255.255).
- You can configure an IP address for the Management 0/0 management-only interface. This IP address can be on a separate subnet from the main management IP address.
- The transparent security appliance uses an inside interface and an outside interface only. If your platform includes a dedicated management interface, you can also configure the management interface or subinterface for management traffic only.
- In single mode, you can only use two data interfaces (and the dedicated management interface, if available) even if your security appliance includes more than two interfaces.
- Each directly connected network must be on the same subnet.
- Do not specify the security appliance management IP address as the default gateway for connected devices; devices need to specify the router on the other side of the security appliance as the default gateway.
- For multiple context mode, each context must use different interfaces; you cannot share an interface across contexts.
- For multiple context mode, each context typically uses a different subnet. You can use overlapping subnets, but your network topology requires router and NAT configuration to make it possible from a routing standpoint.
- You must use an extended access list to allow Layer 3 traffic, such as IP traffic, through the security appliance.
- You can also optionally use an EtherType access list to allow non-IP traffic through.

Unsupported Features in Transparent Mode

Table 15-1 lists the features that are not supported in transparent mode.

Table 15-1 Unsupported Features in Transparent Mode

| Feature | Description |
|---|---|
| Dynamic DNS | |
| DHCP relay | The transparent firewall can act as a DHCP server, but it does not support the DHCP relay commands. DHCP relay is not required because you can allow DHCP traffic to pass through using two extended access lists: one that allows DHCP requests from the inside interface to the outside, and one that allows the replies from the server in the other direction. |
| Dynamic routing protocols | You can, however, add static routes for traffic originating on the security appliance. You can also allow dynamic routing protocols through the security appliance using an extended access list. |
| IPv6 | You also cannot allow IPv6 using an EtherType access list. |
| Multicast | You can allow multicast traffic through the security appliance by allowing it in an extended access list. |
| NAT | NAT is performed on the upstream router. |

Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, Chapter 15: Firewall Mode Overview
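
The addressing guidelines above (management IP on the connected subnet, no host mask, all directly connected networks on one subnet, default gateways pointing at the router rather than the appliance) can be checked against a planned deployment before any configuration is pushed. The following Python code is an added example, not part of the Cisco guide; the function name, the input layout and the sample addresses are assumptions made for illustration.

```python
import ipaddress


def check_transparent_plan(mgmt_ip, mgmt_mask, connected_networks, host_gateways):
    """Return a list of guideline violations for a transparent-mode addressing plan.

    mgmt_ip / mgmt_mask: management IP address and mask of the appliance.
    connected_networks: CIDR strings for the directly connected networks.
    host_gateways: mapping of host IP -> default gateway configured on that host.
    All names and the input layout are hypothetical, chosen for this example.
    """
    problems = []
    mgmt = ipaddress.ip_interface(f"{mgmt_ip}/{mgmt_mask}")
    # Guideline: the subnet cannot be a host subnet (255.255.255.255).
    if mgmt.network.prefixlen == 32:
        problems.append("management mask is a host mask (255.255.255.255)")
    nets = {ipaddress.ip_network(n, strict=False) for n in connected_networks}
    # Guideline: each directly connected network must be on the same subnet.
    if len(nets) > 1:
        problems.append("connected networks differ: " + ", ".join(sorted(map(str, nets))))
    # Guideline: the management IP must be on the same subnet as the connected network.
    for net in sorted(nets, key=str):
        if mgmt.ip not in net:
            problems.append(f"management IP {mgmt.ip} is not on connected subnet {net}")
    # Guideline: hosts point at the router on the far side of the appliance,
    # never at the appliance's management IP.
    for host, gw in sorted(host_gateways.items()):
        if ipaddress.ip_address(gw) == mgmt.ip:
            problems.append(f"host {host} uses the management IP as default gateway")
    return problems


# Constructed sample plans using documentation address ranges (RFC 5737).
GOOD_PLAN = dict(mgmt_ip="192.0.2.5", mgmt_mask="255.255.255.0",
                 connected_networks=["192.0.2.0/24", "192.0.2.0/24"],
                 host_gateways={"192.0.2.20": "192.0.2.1"})
BAD_PLAN = dict(mgmt_ip="192.0.2.5", mgmt_mask="255.255.255.255",
                connected_networks=["192.0.2.0/24", "198.51.100.0/24"],
                host_gateways={"192.0.2.20": "192.0.2.5"})

if __name__ == "__main__":
    for name, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        issues = check_transparent_plan(**plan)
        print(name, "plan:", "OK" if not issues else "")
        for issue in issues:
            print("  -", issue)
```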

This manual is also suitable for:

PIX 500 series, Cisco ASA 5500 series
