Transparent Mode vs. Routed Mode on ASA boxes

Kevin Melton

A colleague earlier presented me with a question which I could not answer.

What is the default mode of operation on the new ASAs? We both guessed transparent, although I see nothing in our config to validate this.

Thanks

4 Replies

JORGE RODRIGUEZ

Hi Kevin,

The most logical answer is single mode, as that is the default config Cisco ships its ASA with; it is up to the end user to change that to transparent or context mode.

Transparent Mode: In this mode, the ASA will filter traffic without requiring L3 on the ASA. This means that in your config you will not put IPs on the interfaces to be used for traffic filtering. Thus, filtering is transparent to the traffic as the traffic isn't directly routed to the firewall. Think of it like you have a server plugged into a switch. In transparent mode, you place the ASA between the server and the switch and no configuration change is required to the server. In routed mode, you place the ASA in the same physical location between the server and switch, but have to change the server to use the ASA as a default gateway.

Single Mode: Default mode of an ASA. The ASA acts as a single firewall and all interfaces are provisioned to be managed through a single firewall configuration.

Multiple Context Mode: The ASA is split into multiple virtual configurations. With the ASA now virtualized, you provision the physical interfaces on the ASA to the virtual firewall configured. Each context has its own configuration separate from the rest of the firewall. Multi-context is meant for enterprises to invest in a single piece of hardware and scale it for use as multiple security devices.

HTH

Jorge

Jorge Rodriguez

Jorge

Your answer helped a lot. Our firewalls (ASAs, rather) do have IP addresses on their respective interfaces, and some boxes do use them as their gateway. My assumption at this point, based on your thorough explanation, is that we are in routed mode. I wish there was some sho or debug to validate it, though.

thx

In enable mode try "show firewall"; it should indicate whether it is in transparent, context or single firewall mode.

Rgds

Jorge

Jorge Rodriguez

9 year old thread, but I just found it googling for the same answer.

I just got a brand new ISA3000 (essentially the same as an ASA; it runs the same code v9.x with FirePOWER). The default mode on it was "Transparent" and it had a Bridged Virtual Interface.

I had to issue "no firewall mode transparent" to get it to Routed Mode.

That command above itself shows that the default is transparent and a "no" is required to get it out of it!

As mentioned below, a show firewall shows what mode it's in currently.
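For auditing several boxes from saved output, the check discussed in this thread can be scripted. The following is an added example, not part of the thread and not Cisco code: it reads `show firewall` output and a saved running-config, and lists which interfaces carry an IP address (in the constructed transparent sample that is only the BVI). The sample text, the `Firewall mode:` output wording and the `firewall transparent` config line are assumptions based on ASA 9.x behaviour.

```python
import re

# Constructed sample inputs (not from the thread). The "Firewall mode:" wording
# and the "firewall transparent" config line are assumed ASA 9.x behaviour.
SHOW_FIREWALL_ROUTED = "Firewall mode: Router\n"
CONFIG_TRANSPARENT = """\
firewall transparent
interface GigabitEthernet1/1
 bridge-group 1
 nameif outside
 security-level 0
interface GigabitEthernet1/2
 bridge-group 1
 nameif inside
 security-level 100
interface BVI1
 ip address 192.0.2.10 255.255.255.0
"""
CONFIG_ROUTED = """\
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 198.51.100.1 255.255.255.0
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.0.0.1 255.255.255.0
"""

def mode_from_show_firewall(output):
    """Return 'routed' or 'transparent' from 'show firewall' output, else None."""
    m = re.search(r"Firewall mode:\s*(\S+)", output, re.IGNORECASE)
    if not m:
        return None
    return {"router": "routed", "transparent": "transparent"}.get(m.group(1).lower())

def mode_from_config(config):
    """Classify a saved running-config and list interfaces that carry an IP."""
    transparent = bool(re.search(r"^firewall transparent\s*$", config, re.MULTILINE))
    l3_ifaces, current = [], None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(None, 1)[1].strip()
        elif current and re.match(r"\s+ip address \d", line):
            l3_ifaces.append(current)
    return ("transparent" if transparent else "routed"), l3_ifaces
```
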

 

 
