Setting the firewall mode, Table 4-1 – Cisco ASA 5505 User Manual

Page 180

Advertising
background image

4-8

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 4 Configuring the Transparent or Routed Firewall

Configuring the Firewall Mode

Setting the Firewall Mode

This section describes how to change the firewall mode.

Note

We recommend that you set the firewall mode before you perform any other configuration because
changing the firewall mode clears the running configuration.

Prerequisites

When you change modes, the ASA clears the running configuration (see the

“Guidelines and

Limitations” section on page 4-6

for more information).

If you already have a populated configuration, be sure to back up your configuration before changing
the mode; you can use this backup for reference when creating your new configuration. See the

“Backing Up Configuration Files or Other Files” section on page 81-8

.

Use the CLI at the console port to change the mode. If you use any other type of session, including
the ASDM Command Line Interface tool or SSH, you will be disconnected when the configuration
is cleared, and you will have to reconnect to the ASA using the console port in any case.

For the ASA 5500 series appiances, set the mode for the whole system in the system execution
space.

Table 4-1

Unsupported Features in Transparent Mode

Feature

Description

Dynamic DNS

DHCP relay

The transparent firewall can act as a DHCP server, but it does not
support the DHCP relay commands. DHCP relay is not required
because you can allow DHCP traffic to pass through using two
extended access lists: one that allows DCHP requests from the inside
interface to the outside, and one that allows the replies from the server
in the other direction.

Dynamic routing protocols

You can, however, add static routes for traffic originating on the ASA.
You can also allow dynamic routing protocols through the ASA using
an extended access list.

Multicast IP routing

You can allow multicast traffic through the ASA by allowing it in an
extended access list.

QoS

VPN termination for through
traffic

The transparent firewall supports site-to-site VPN tunnels for
management connections only. It does not terminate VPN connections
for traffic through the ASA. You can pass VPN traffic through the
ASA using an extended access list, but it does not terminate
non-management connections. SSL VPN is also not supported.

Advertising