6410 Views | 0 Helpful | 4 Replies

Difference between Routed and Transparent mode on firewall

manojkumard (Level 1)

Hi,

Can anyone explain Routed and Transparent mode on Cisco ASA in simple words?

2 Accepted Solutions

The main difference is that routed works at Layer 3 and transparent works at Layer 2. 

When the ASA is in routed mode, the networks connected to the ASA on two interfaces need to be on different subnets, while in transparent mode the subnets can be the same.

In routed mode, as the name indicates, packets are routed between the interfaces. In transparent mode the interfaces are bridged, so the packet is forwarded instead of routed (though inspection and ACL checks still take place).

--
Please remember to rate and select a correct answer

--
Please remember to select a correct answer and rate helpful posts


This really depends on the requirements of the network or design.

One situation could be that you need to implement a firewall in your network but your network design doesn't allow for changing the IP addressing scheme at this point in time. Then you can place the ASA, in transparent mode, into the network and you will not need to change any IPs; just assign an IP within the LAN subnet to the ASA.

Another situation might require you to implement a firewall that is not visible to programs that scan the network. In this case you would implement the ASA in transparent mode and it will act like a "bump in the road". It will not be registered as a hop count in the network, but will still be filtering traffic.

When the firewall is in routed mode it will be seen as a routed hop and is normally used as the default gateway.


4 Replies


But why do we require two different modes like Routed and Transparent mode? What is the use of it?


To use an example from the University of Wisconsin-Madison, we have about 220 departments, centers, institutes, and other administrative units on our campus. Some are large and complicated, have their own IT staff, run their own delegated DNS, have multiple sites, and tend to run their own firewalls in routed mode. This will typically be the case for anyone who is using a lot of vlans to segregate traffic for security or performance reasons. Conversely, some units are small, single-site, have only one subnet, and lack IT staff. The campus offers them virtual firewall contexts on shared central equipment, and runs those in transparent mode. In transparent mode the routers distinguish the two sides of the firewall using different vlan tags. In routed mode, each firewall interface is on its own distinct subnet as well as vlan, and the uplink outside interface needs a distinct transit subnet of its own, usually something between a v4 /29 and /30.

The choices are not mutually exclusive; I do it both ways on different parts of my network. Most of my traffic is in routed mode on my own gear, but I have one segregated sub-unit using transparent mode on the shared campus gear instead. Even on a home network you might be doing it both ways; e.g. if you have a broadband DSL or cable modem plus your own separate wifi router, the modem will typically run in transparent mode (bridging traffic), while the wifi+ethernet device will typically run in routed mode to provide NAT44 service. Cisco ASA gear lets you choose.

-- Jim Leinweber, WI State Lab of Hygiene
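To make the two modes concrete, here is an added configuration illustration (not from any post in this thread, and not a Cisco reference configuration) for an ASA running 8.4 or later. The first half shows routed mode as the accepted answers describe it: two interfaces on different subnets, a /29 transit subnet on the uplink as Jim mentions, the ASA acting as the inside default gateway. The second half shows transparent mode: both sides in the same 10.10.10.0/24 subnet, told apart only by VLAN tag, with the ASA holding one management address inside the LAN and still applying an ACL to bridged traffic. All addresses, interface names, object names and VLAN IDs are constructed for the example.

```cisco
! ===== Routed mode (the ASA default) =====
! Each interface is its own Layer 3 subnet; the ASA is a routed hop and the
! inside hosts point at it as their default gateway.
! (all addresses, names and VLAN IDs in this block are constructed examples)
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
!
! 203.0.113.0/29 above is the dedicated transit subnet to the upstream router.
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.10.1 255.255.255.0
!
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
!
! NAT between the two subnets is only meaningful because the ASA routes.
object network INSIDE_NET
 subnet 10.10.10.0 255.255.255.0
 nat (inside,outside) dynamic interface

! ===== Transparent mode =====
! 'firewall transparent' changes the mode and clears the running config,
! so on a real unit it is entered first, on a box you are prepared to rebuild.
firewall transparent
!
! Both member interfaces sit in the same subnet (10.10.10.0/24) and carry no
! IP of their own; the router tells the two sides apart by VLAN tag only.
interface GigabitEthernet0/0.10
 vlan 10
 nameif outside
 security-level 0
 bridge-group 1
!
interface GigabitEthernet0/0.20
 vlan 20
 nameif inside
 security-level 100
 bridge-group 1
!
! The BVI is the ASA's own address inside the LAN subnet, used for management.
! No host changes its IP or gateway when the ASA is inserted, and traceroute
! from a host never shows the ASA as a hop.
interface BVI1
 ip address 10.10.10.5 255.255.255.0
!
! Inspection and ACLs still apply to bridged frames: only TLS to one server
! is allowed in from the outside side in this example.
access-list OUTSIDE_IN extended permit tcp any host 10.10.10.20 eq 443
access-group OUTSIDE_IN in interface outside
```

The two halves are alternatives, not one configuration: a single ASA (or a single context on a multi-context unit) runs in one mode at a time, and `show firewall` reports which one is active. The practical difference the answers above describe is visible in the address plan alone: routed mode needs a distinct subnet per interface plus a transit subnet, while transparent mode needs only one management address in a subnet the hosts already use.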
