Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
6411
Views
0
Helpful
4
Replies

Difference between Routed and Transperant mode on firewall

Go to solution
manojkumard
Level 1
Level 1

‎02-19-2014 11:32 PM - edited ‎03-11-2019 08:47 PM

Hi,

Can any one explain about Routed and transperant mode on Cisco ASA in a simple words..

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP

‎02-20-2014 12:19 AM

The main difference is that routed works at Layer 3 and transparent works at Layer 2. 

When the ASA is in routed mode the networks that are connected to the ASA on two interfaces need to be on different subnets.  While in transparent mode the subnets can be the same.

In routed mode, as the name indicates, packets are routed between the interfaces.  In transparent mode interfaces are bridged so the packet is forwarded instead of routed (though inspection and ACL checks still take place).

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to manojkumard

‎02-20-2014 08:58 AM

This really depends on the requirements of the network or design.

One situation could be that you need to implement a firewall in your network but your network design doesn't allow for changing the IP addressing scheme at this point in time.  Then you can place the ASA in transparent mode into the network and you will not need to change any IPs, just assign an IP within the LAN subnet to the ASA.

Another situation might require you to implement a firewall that is not visible to programs that scan the network.  In this case you would implement the ASA in transparent mode and it will act like a "bump in the road".  It will not be registered as a hop-count in the network, but will still be filtering traffic.

When the firewall is routed mode it will be seen as a routed hop count and is normally used as the default gateway.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Marius Gunnerud
VIP
VIP

‎02-20-2014 12:19 AM

The main difference is that routed works at Layer 3 and transparent works at Layer 2. 

When the ASA is in routed mode the networks that are connected to the ASA on two interfaces need to be on different subnets.  While in transparent mode the subnets can be the same.

In routed mode, as the name indicates, packets are routed between the interfaces.  In transparent mode interfaces are bridged so the packet is forwarded instead of routed (though inspection and ACL checks still take place).

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
manojkumard
Level 1
Level 1
In response to Marius Gunnerud

‎02-20-2014 07:51 AM

But, Why we require two different mode like Rotue and Transperant mode.. What is the use of it...

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to manojkumard

‎02-20-2014 08:58 AM

This really depends on the requirements of the network or design.

One situation could be that you need to implement a firewall in your network but your network design doesn't allow for changing the IP addressing scheme at this point in time.  Then you can place the ASA in transparent mode into the network and you will not need to change any IPs, just assign an IP within the LAN subnet to the ASA.

Another situation might require you to implement a firewall that is not visible to programs that scan the network.  In this case you would implement the ASA in transparent mode and it will act like a "bump in the road".  It will not be registered as a hop-count in the network, but will still be filtering traffic.

When the firewall is routed mode it will be seen as a routed hop count and is normally used as the default gateway.

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
James Leinweber
Level 4
Level 4
In response to Marius Gunnerud

‎02-20-2014 01:29 PM

To use an example from the University of Wisconsin-Madison, we have about 220 departments, centers, institutes, and other administrative units on our campus.  Some are large and complicated, have their own IT staff, run their own delegated DNS, have multiple sites, and tend to run their own firewalls in routed mode.  This will typically be the case for anyone who is using a lot of vlans to segregate traffic for security or performance reasons.   Converse, some units are small, single-site, have only one subnet, and lack IT staff.  The campus offers them virtual firewall contexts on shared central equipment, and runs those in transparent mode.  In transparent mode the routers distinguish the two sides of the firewall using different vlan tags.  In routed mode, each firewall interface is on its own distinct subnet as well as vlan, and the uplink outside interface needs a distinct transit subnet of its own, usually something between a v4 /29 - /30.

The choices are not mutual exclusive - I do it both ways on different parts of my network.  Mostly of my traffic is in routed mode on my own gear, but I have one segregated sub-unit using transparent mode on the shared campus gear instead.  Even on a home network you might be doing it both ways; e.g. if you have a broadband DLS or cable modem plus your own separate wifi router, the modem will typically run in transparent mode (bridging traffic), while the wifi+ethernet device will typically run in routed mode to provide NAT44 service.  Cisco ASA gear lets you choose.

-- Jim Leinweber, WI State Lab of Hygiene

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card