Guidelines and limitations – Cisco ASA 5505 User Manual

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 9 Completing Interface Configuration (Transparent Mode)

Guidelines and Limitations

This section includes the guidelines and limitations for this feature.

Context Mode Guidelines

For the ASA 5510 and higher in multiple context mode, configure the physical interfaces in the
system execution space according to Chapter 6, “Starting Interface Configuration (ASA 5510 and
Higher).” Then, configure the logical interface parameters in the context execution space
according to this chapter.

The ASA 5505 does not support multiple context mode.

You can only configure context interfaces that you already assigned to the context in the system
configuration using the allocate-interface command.

Firewall Mode Guidelines

You can configure up to 8 bridge groups in single mode or per context in multiple mode. Note that
you must use at least 1 bridge group; data interfaces must belong to a bridge group.

Note

Although you can configure multiple bridge groups on the ASA 5505, the restriction of 2
data interfaces in transparent mode on the ASA 5505 means you can only effectively use 1
bridge group.

Each bridge group can include up to 4 interfaces.

For IPv4, a management IP address is required for each bridge group for both management traffic
and for traffic to pass through the ASA.

Unlike routed mode, which requires an IP address for each interface, a transparent firewall has an
IP address assigned to the entire bridge group. The ASA uses this IP address as the source address
for packets originating on the ASA, such as system messages or AAA communications. In addition
to the bridge group management address, you can optionally configure a management interface for
some models; see the “Management Interface” section on page 6-2 for more information.

The management IP address must be on the same subnet as the connected network. You cannot set
the subnet to a host subnet (255.255.255.255). The ASA does not support traffic on secondary
networks; only traffic on the same network as the management IP address is supported. See the
“Configuring Bridge Groups” section on page 9-7 for more information about management IP subnets.

For IPv6, at a minimum you need to configure link-local addresses for each interface for through
traffic. For full functionality, including the ability to manage the ASA, you need to configure a
global IPv6 address for each bridge group.

For multiple context mode, each context must use different interfaces; you cannot share an interface
across contexts.

For multiple context mode, each context typically uses a different subnet. You can use overlapping
subnets, but your network topology requires router and NAT configuration to make it possible from
a routing standpoint.
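
The limits above can be checked against a planned transparent-mode layout before any configuration is applied. The following is an added example, not code from the Cisco guide: the plan dictionary format, the function names `check_plan` and `shared_interfaces`, and the sample interface names and addresses are all assumptions made for illustration, and only the IPv4 rules are covered.

```python
import ipaddress

# Limits taken from the guidelines above.
MAX_GROUPS, MAX_IFACES_PER_GROUP, ASA5505_MAX_DATA_IFACES = 8, 4, 2

def check_plan(plan, model="5510"):
    """Return guideline violations for one single-mode or per-context IPv4 plan."""
    problems = []
    groups = plan["bridge_groups"]
    if not 1 <= len(groups) <= MAX_GROUPS:
        problems.append(f"need 1 to {MAX_GROUPS} bridge groups, found {len(groups)}")
    assigned = set()
    for name, bg in groups.items():
        assigned.update(bg["interfaces"])
        if len(bg["interfaces"]) > MAX_IFACES_PER_GROUP:
            problems.append(f"{name}: more than {MAX_IFACES_PER_GROUP} interfaces")
        if not bg.get("mgmt_ipv4"):
            problems.append(f"{name}: IPv4 management address is required")
            continue
        mgmt = ipaddress.ip_interface(bg["mgmt_ipv4"])
        if mgmt.network.prefixlen == 32:
            problems.append(f"{name}: host mask 255.255.255.255 is not allowed")
        elif mgmt.network != ipaddress.ip_network(bg["connected_network"]):
            problems.append(f"{name}: management IP not on {bg['connected_network']}")
    for iface in sorted(set(plan["data_interfaces"]) - assigned):
        problems.append(f"{iface}: data interface belongs to no bridge group")
    if model == "5505" and len(plan["data_interfaces"]) > ASA5505_MAX_DATA_IFACES:
        problems.append("ASA 5505: at most 2 data interfaces in transparent mode")
    return problems

def shared_interfaces(contexts):
    """Return interfaces that appear in more than one context's plan."""
    seen, shared = {}, set()
    for ctx, plan in contexts.items():
        for iface in plan["data_interfaces"]:
            if seen.setdefault(iface, ctx) != ctx:
                shared.add(iface)
    return sorted(shared)

# Constructed sample plans (names and addresses are illustrative).
GOOD = {"data_interfaces": ["inside", "outside"],
        "bridge_groups": {"bg1": {"interfaces": ["inside", "outside"],
                                  "mgmt_ipv4": "10.1.1.1/255.255.255.0",
                                  "connected_network": "10.1.1.0/24"}}}
BAD = {"data_interfaces": ["inside", "outside", "dmz"],
       "bridge_groups": {"bg1": {"interfaces": ["inside", "outside"],
                                 "mgmt_ipv4": "10.1.1.1/255.255.255.255",
                                 "connected_network": "10.1.1.0/24"}}}
```

Calling `check_plan(BAD, model="5505")` reports the host mask, the unassigned interface and the ASA 5505 interface limit; `shared_interfaces` takes a mapping of context name to plan and flags interfaces reused across contexts.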
