Configuring Transparent Firewall Rules
Transparent firewall rules are access control rules for non-IP layer 2 traffic. You can use these rules to permit or drop traffic based on the Ethertype value in the layer-2 packet. These rules create Ethertype access control lists on the device. With transparent rules, you can control the flow of non-IP traffic across the device. (To control IP traffic, use access rules; see Understanding Access Rules.)
Transparent firewalls are devices that you place within a single subnet to control traffic flow across a bridge. They allow you to insert a firewall on a subnet without renumbering your networks.
You can configure transparent rules only on the following types of interfaces:
- IOS 12.3(7)T or later devices—On layer-3 interfaces that are part of a bridge group:
  - Configure the interfaces you want to bridge as layer 3 in the Interfaces > Interfaces policy.
  - Configure a bridge group with two or more layer 3 interfaces in the Platform > Device Admin > Bridging policy (see Bridging on Cisco IOS Routers and Defining Bridge Groups).
  - Create a bridge group virtual interface (BVI) using the same number as the bridge group (see Bridge-Group Virtual Interfaces). For example, if you create bridge group 12, create BVI12.
- ASA, PIX 7.0+, FWSM devices—On any interface when the device is running in transparent mode. If you are using multiple contexts, configure the rules on the individual security contexts.
There are several other bridging policies that you can configure in the Platform > Bridging policy group including: ARP table and ARP inspection, MAC table and the ability to disable MAC learning, and the ability to configure a management IP address so that you can remotely manage the device. For more detail about transparent firewalls, see Configuring Bridging Policies on Firewall Devices and Interfaces in Routed and Transparent Modes.
Tip: On ASA, PIX, and FWSM in transparent mode, you must configure access rules to allow any IP traffic to pass through the device. Transparent rules control layer 2 non-IP traffic only.
Also, see NAT in Transparent Mode for information about using network address translation on security devices.
You can also configure other types of firewall rules on these interfaces. The other types of rules apply to layer-3 and higher traffic.
Tip: If you configure any transparent rule, an implicit deny all rule is added at the end of the rule list for each interface. You must ensure that you permit all desired traffic. You might want to include a permit any (for ASA/PIX/FWSM devices) or permit 0x0000 0xFFFF (for IOS devices) rule as the final rule in the table if your desire is simply to deny specific types of traffic, rather than permitting only specific types of traffic.
Procedure
Step 1: Do one of the following to open the Transparent Rules Page:
Step 2: Select the row after which you want to create the rule and click the Add Row button, or right-click and select Add Row. This opens the Add and Edit Transparent Firewall Rule Dialog Boxes.
Step 3: Configure the rule. The following are the main decisions you typically need to make. For specific information on configuring the fields, see Add and Edit Transparent Firewall Rule Dialog Boxes.
If you want to create a single rule to apply to a group of EtherTypes, convert the EtherTypes to binary and calculate an appropriate mask, where a 1 bit means that bit of the EtherType must match exactly and a 0 bit means any value is accepted in that position. You must then convert your mask into hexadecimal. Click OK when you are finished defining your rule.
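The mask calculation in Step 3, worked through as an added example (not part of the original guide): it derives the value/mask pair that covers a group of EtherTypes using the page's convention (mask bit 1 = must match), and then enumerates every EtherType the pair would also match, since a grouped rule is a superset of the intended types and should be checked before it is permitted. The EtherType numbers and function names are this example's own assumptions.

```python
# Worked example of the Step 3 mask calculation (added example, not the guide's code).
# Mask convention follows the page: bit 1 = EtherType bit must match, bit 0 = don't care.

def ethertype_group_mask(ethertypes):
    """Return (value, mask) covering every EtherType in the group.

    Bits on which all members agree become 1 in the mask (must match);
    any bit on which members differ becomes 0 (any value accepted).
    A single EtherType yields mask 0xFFFF, an exact match.
    """
    first = ethertypes[0]
    differing = 0
    for et in ethertypes:
        differing |= first ^ et          # collect bits that vary across the group
    mask = ~differing & 0xFFFF
    return first & mask, mask


def matches(ethertype, value, mask):
    """True if the rule (value, mask) applies to this EtherType."""
    return (ethertype & mask) == value


def unintended_matches(ethertypes, value, mask):
    """EtherTypes the rule matches that were NOT in the requested group.

    This is the review step a practitioner wants: a grouped permit rule
    also admits every EtherType that differs only in the don't-care bits.
    """
    wanted = set(ethertypes)
    return [et for et in range(0x10000) if matches(et, value, mask) and et not in wanted]


def ios_wildcard(mask):
    """Complement of the page's mask, i.e. 1 = ignore this bit.

    The page's permit-all rule for IOS, 'permit 0x0000 0xFFFF', shows that the
    device-side wildcard treats 1 bits as ignored, the inverse of the GUI mask.
    """
    return ~mask & 0xFFFF


if __name__ == "__main__":
    # Constructed group: IPX (0x8137) and AppleTalk (0x809B), both non-IP layer 2 types.
    group = [0x8137, 0x809B]
    value, mask = ethertype_group_mask(group)
    extra = unintended_matches(group, value, mask)
    print(f"value=0x{value:04X} mask=0x{mask:04X} ios_wildcard=0x{ios_wildcard(mask):04X}")
    print(f"also matches {len(extra)} other EtherTypes, e.g. {[hex(e) for e in extra[:4]]}")
```

Two EtherTypes that differ in five bit positions produce a rule covering 32 EtherTypes, so 30 unrequested types are admitted; if that is unacceptable, use one exact-match rule (mask 0xFFFF) per EtherType instead.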
Step 4: If you did not select the right row before adding the rule, select the new rule and use the up and down arrow buttons to position the rule appropriately. For more information, see Moving Rules and the Importance of Rule Order.
Step 5: (IOS devices only) If you are configuring transparent rules on an IOS device, you can forward DHCP traffic across the bridge without inspection. To configure this, select the Firewall > Settings > Inspection policy and select the Permit DHCP Passthrough (Transparent Firewall) option. This setting is not supported on all IOS versions, so carefully inspect validation results to see if it will be configured on your device.