Cisco PIX Security Appliances Firewall modes

Today I am going to talk about the different modes of the Cisco PIX firewall. By default, a firewall is a routed hop: it acts as the default gateway for the hosts that connect to one of its screened subnets.

In recent years, a growing best practice has been to deploy firewalls not only at the traditional network perimeter, where the private corporate network meets the public Internet, but also throughout the enterprise network in key internal locations, as well as at the WAN edge of branch office networks. This distributed-firewall strategy helps protect against internal threats, which have historically accounted for a large percentage of cyber losses, according to annual studies conducted by the Computer Security Institute (CSI).

Now let's talk about the different firewall modes. There are two of them: routed mode and transparent mode.

Cisco PIX Security Appliances Routed mode
Routed mode is the default mode of an ASA. The ASA acts as a single firewall, and all of its interfaces are managed through a single firewall configuration.

Fig 1.1- Firewall Routed mode
Configuration Example for Cisco PIX security appliances in routed mode

Below is the basic way to configure the Cisco PIX security appliances in routed mode. This example uses three VLANs, named VLAN 100, VLAN 200 and VLAN 300, and assigns a different security level to each VLAN interface as configured below.

ttlbits(config)# interface vlan 100
ttlbits(config-if)# nameif outside
ttlbits(config-if)# security-level 0
ttlbits(config-if)# ip address dhcp
ttlbits(config-if)# no shutdown

ttlbits(config-if)# interface vlan 200
ttlbits(config-if)# nameif business
ttlbits(config-if)# security-level 100
ttlbits(config-if)# ip address 10.1.1.1 255.255.255.0
ttlbits(config-if)# no shutdown

ttlbits(config-if)# interface vlan 300
ttlbits(config-if)# no forward interface vlan 200
ttlbits(config-if)# nameif home
ttlbits(config-if)# security-level 50
ttlbits(config-if)# ip address 10.2.1.1 255.255.255.0
ttlbits(config-if)# no shutdown

Cisco PIX Security Appliances Transparent Mode
In this mode, the ASA filters traffic without requiring Layer 3 addressing on the ASA itself. This means that in your config you do not put IP addresses on the interfaces used for traffic filtering. Filtering is therefore transparent to the traffic, because the traffic is never routed to the firewall. Think of it as a server plugged into a switch.

Fig 1.2- Firewall Transparent Mode
In transparent mode, you place the ASA between the server and the switch and no configuration change is required to the server. In routed mode, you place the ASA in the same physical location between the server and switch, but have to change the server to use the ASA as a default gateway.

In transparent mode the firewall is seen as a Layer 2 device. The major advantage is that you can insert a transparent firewall into a network without making any IP address changes on other devices.

Consider a VLAN with one IP subnet. This VLAN is a server VLAN, but now there is a requirement to firewall some of the servers from the other servers. We can use an ASA in transparent mode to do this without having to change any of the server IP addresses; in effect we split the VLAN in two and connect it back together again through the ASA.

Note: We actually use 2 VLANs with the same IP subnet because of STP but the principle is the same.

The main disadvantage is that we are limited in the number of interfaces we can use. The restriction is 2 interfaces per firewall. You can use bridge groups to extend that number, but you are still restricted to 8 interfaces per firewall or per context, at least it was 8 the last time I looked.

In routed mode we do not have this limitation, and it is easy to set up multiple DMZs on the same firewall. Routed mode is what we generally see, and certainly where the firewall connects the company to the Internet. Going back to the previous server VLAN though, if we wanted to firewall some servers from the other servers within the same IP subnet in routed mode, then unfortunately we can't, and we would need to re-address some of the servers.

Configuration Example for Cisco PIX security appliances in transparent mode

Below is a basic example of configuring the interfaces of Cisco PIX security appliances in transparent mode. All the interfaces and IP addresses used here are for demo purposes only and have no relevance to any enterprise or campus network.

Step 1: Configure the name, security level and bridge group on each data interface, and put the IP address on the BVI.
!
interface gigabitethernet 0/0
nameif inside1
security-level 100
bridge-group 1
no shutdown
!
interface gigabitethernet 0/1
nameif outside1
security-level 0
bridge-group 1
no shutdown
!
interface gigabitethernet 0/2
nameif dmz1
security-level 50
bridge-group 1
no shutdown
!
interface bvi 1
ip address 10.1.3.1 255.255.255.0 standby 10.1.3.2
!

Step 2: Configure the management interface.
!
interface management 0/0
nameif mgmt
security-level 100
ip address 10.2.1.1 255.255.255.0 standby 10.2.1.2
no shutdown
!
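As an added example that is not part of the original post, here is a small Python linter that parses interface blocks like the two configurations above (routed and transparent) and checks the mode rules the post describes: in routed mode every named interface needs its own IP address, and in transparent mode the bridge-group member interfaces carry no IP, the BVI does, and the member count stays within the 8-interface cap the post quotes. The prompt regex, the finding messages and the BAD_TRANSPARENT sample are constructed for this example.

```python
import re

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # strips e.g. 'ttlbits(config-if)# '

def parse_interfaces(text):
    """Parse ASA/PIX 'interface' blocks into {name: {nameif, security-level, ip, bridge-group}}."""
    ifaces, cur = {}, None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if not words or words[0] == "!":
            continue  # blank line or config separator
        if words[0] == "interface":
            cur = ifaces.setdefault(" ".join(words[1:]), {})
        elif cur is not None and words[:2] == ["ip", "address"]:
            cur["ip"] = " ".join(words[2:])  # 'dhcp' or 'addr mask [standby addr]'
        elif cur is not None and words[0] in ("nameif", "security-level", "bridge-group"):
            cur[words[0]] = words[1]
    return ifaces

def lint(ifaces, mode, max_members=8):
    """Apply the mode rules from the post; an empty list means no findings."""
    findings = []
    for name, o in ifaces.items():
        if "nameif" in o and "security-level" not in o:
            findings.append(f"{name}: nameif set but no security-level")
        if mode == "routed" and "nameif" in o and "ip" not in o:
            findings.append(f"{name}: routed-mode interface has no ip address")
        if mode == "transparent" and "bridge-group" in o and "ip" in o:
            findings.append(f"{name}: bridge-group member must not carry an ip address")
    if mode == "transparent":
        groups = {o["bridge-group"] for o in ifaces.values() if "bridge-group" in o}
        bvis = {n.split()[1] for n in ifaces if n.startswith("bvi")}
        for g in sorted(groups - bvis):  # every bridge group needs its BVI for the IP
            findings.append(f"bridge-group {g}: no 'interface bvi {g}' carries the IP")
        members = sum("bridge-group" in o for o in ifaces.values())
        if members > max_members:
            findings.append(f"{members} bridge-group members exceeds the cap of {max_members}")
    return findings

# Constructed sample (hypothetical): the post's transparent layout, but with an IP
# mistakenly left on the outside1 member interface, as happens when converting from routed mode.
BAD_TRANSPARENT = """
interface gigabitethernet 0/1
 nameif outside1
 security-level 0
 bridge-group 1
 ip address 10.1.3.5 255.255.255.0
interface bvi 1
 ip address 10.1.3.1 255.255.255.0 standby 10.1.3.2
"""
```

Running `lint(parse_interfaces(BAD_TRANSPARENT), "transparent")` returns one finding for gigabitethernet 0/1; feeding it the page's two configurations (prompts included) returns none.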