blog
Transparent Firewall - Th ...
29 September 08

Transparent Firewall - Things That Go Bump on the Wire!

Posted byINE
facebooktwitterlinkedin
news-featured

This blog will examine the basic setup of the transparent firewall feature available with the PIX and the ASA. This blog was based on the PIX-525 running 7.2(4) code with a Restricted license in GNS3. Here is the topology that was used:

Remember, that a transparent firewall resides WITHIN a subnet and is easy to implement in an existing network where re-addressing to introduce a firewall might be difficult. This configuration is sometimes known as a "stealth" firewall or a "bump on the wire". Thanks to the fact that the firewall lives within the subnet, instead of between it, the device has the ability to filter traffic between hosts within the subnet. Note that the traditional Layer 3 firewall can only filter traffic moving between subnets. This should remind you of the difference between a VLAN Access Control List versus a Router-based Access Control List.
Well, with the introductions out of the way, let's do what we love best, let's get to the command line.
The first thing I will do is configure and verify the transparent firewall feature and then name our PIX:

pixfirewall> en

Password:

pixfirewall# conf t

pixfirewall(config)#  firewall transparent

pixfirewall(config)# show firewall

Firewall mode: Transparent

pixfirewall(config)# hostname LAYER2FIREWALL

LAYER2FIREWALL(config)#

Excellent, now that the firewall is in transparent mode, let's take care of the inside and outside interfaces. When in transparent mode, you are limited to the use of two interfaces for passing traffic. Notice how the interfaces are not configured with IP addresses.

LAYER2FIREWALL(config)# int e1

LAYER2FIREWALL(config-if)# nameif inside

INFO: Security level for "inside" set to 100 by default.

LAYER2FIREWALL(config-if)# no shut

LAYER2FIREWALL(config-if)# exit

LAYER2FIREWALL(config)# int e0

LAYER2FIREWALL(config-if)# nameif outside

INFO: Security level for "outside" set to 0 by default.

LAYER2FIREWALL(config-if)# no shut

LAYER2FIREWALL(config-if)# sh int ip brief

Interface                  IP-Address      OK? Method Status                Protocol

Ethernet0                  unassigned      YES unset  up                    up

Ethernet1                  unassigned      YES unset  up                    up

Ethernet2                  unassigned      YES unset  administratively down up

Ethernet3                  unassigned      YES unset  administratively down up

Ethernet4                  unassigned      YES unset  administratively down up

I am sure this output looks a little strange for those of you that have not played with this feature. Just as unusual is the fact that all of the interfaces facing this device are addressed in the 10.0.0.0/24 subnet.

A requirement of the transparent firewall is that it must have an IP address assigned in global configuration mode for management access.  Notice for verification we can see that our traffic forwarding interfaces are now "listening" on that IP address:

LAYER2FIREWALL(config)# ip address 10.0.0.22 255.255.255.0

LAYER2FIREWALL(config)# sh int ip brief

Interface                  IP-Address      OK? Method Status                Protocol

Ethernet0                  10.0.0.22       YES unset  up                    up 

Ethernet1                  10.0.0.22       YES unset  up                    up 

Ethernet2                  unassigned      YES unset  administratively down up 

Ethernet3                  unassigned      YES unset  administratively down up 

Ethernet4                  unassigned      YES unset  administratively down up

Let us now test the "out of the box" functionality of the security device. I will initiate a Telnet session from the Inside interface to a device located on the Outside interface. This communication should be permitted due to the Adaptive Security Algorithm and the default security levels on our interfaces. Notice how we can easily verify the connection of the appliance.

R1#telnet 10.0.0.10

Trying 10.0.0.10 ... Open

User Access Verification

Password:

R0>

LAYER2FIREWALL(config)# show conn

1 in use, 1 most used

TCP outside 10.0.0.10:23 inside 10.0.0.1:25501, idle 0:00:03, bytes 102, flags UIO

Let's now permit Telnet connections from our management workstation (played by R2) and ensure we have connectivity to the PIX.

LAYER2FIREWALL(config)# telnet 10.0.0.20 255.255.255.255 Inside
R2#telnet 10.0.0.22

Trying 10.0.0.22 ... Open

User Access Verification

Password:

Type help or '?' for a list of available commands.

LAYER2FIREWALL>

Well, I am sure I will blog more on this Layer 2 firewall at a later point, but I sure do thank you for stopping by to read this initial post.

Need training for your entire team?

Schedule a Demo

Hey! Don’t miss anything - subscribe to our newsletter!

© 2022 INE. All Rights Reserved. All logos, trademarks and registered trademarks are the property of their respective owners.
Terms of servicePrivacy policy
instagram Logofacebook Logotwitter Logolinkedin Logoyoutube Logo