Cisco Security Appliance Command Line Configuration Guide, OL-6721-01, page 12-1
CHAPTER 12
Firewall Mode Overview
This chapter describes how the firewall works in each firewall mode.
The security appliance can run in two firewall modes:
• Routed mode
• Transparent mode
In routed mode, the security appliance is considered to be a router hop in the network. It can perform
NAT between connected networks, and can use OSPF or passive RIP (in single context mode). Routed
mode supports many interfaces. Each interface is on a different subnet. You can share interfaces between
contexts.
In transparent mode, the security appliance acts like a “bump in the wire,” or a “stealth firewall,” and is
not a router hop. The security appliance connects the same network on its inside and outside interfaces.
No dynamic routing protocols or NAT are used. However, like routed mode, transparent mode also
requires access lists to allow any traffic through the security appliance, except for ARP packets, which
are allowed automatically. Transparent mode can allow certain types of traffic in an access list that are
blocked by routed mode, including unsupported routing protocols. Transparent mode can also optionally
use EtherType access lists to allow non-IP traffic. Transparent mode only supports two interfaces, an
inside interface and an outside interface, in addition to a dedicated management interface, if available
for your platform.
Note: The transparent firewall requires a management IP address. The security appliance uses this IP address
as the source address for packets originating on the security appliance. The management IP address must
be on the same subnet as the connected network.
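The following is an added example, not a configuration from this guide: a minimal transparent-mode configuration that shows the three requirements described above (the management IP address on the bridged subnet, an extended access list before IP traffic passes, and an EtherType access list for non-IP traffic). The interface names, the 192.0.2.0/24 network, the web server address and the access-list names are assumptions chosen for illustration.

```text
! Added example (not from the guide). Assumed: Ethernet0/0 and Ethernet0/1 as the
! two data interfaces, the 192.0.2.0/24 network, and the access-list names.
firewall transparent
!
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Transparent mode requires a management IP address, and it must be on the same
! subnet as the network bridged between the inside and outside interfaces.
ip address 192.0.2.1 255.255.255.0
!
! Like routed mode, transparent mode passes no IP traffic until an access list
! allows it; ARP is the only traffic allowed automatically. This assumed entry
! admits inbound HTTP to one host on the bridged subnet and nothing else.
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 80
access-group OUTSIDE_IN in interface outside
!
! Non-IP traffic needs an EtherType access list. This one allows spanning-tree
! BPDUs so that the switches on either side of the appliance can converge;
! it is applied in each direction because both sides send BPDUs.
access-list NONIP ethertype permit bpdu
access-group NONIP in interface outside
access-group NONIP in interface inside
```

One extended access list and one EtherType access list can be applied per direction on each interface, so the two `access-group` commands on the outside interface do not conflict. The EtherType list is deliberately limited to BPDUs; widening it to `any` would defeat the point of placing the firewall in the path.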
This chapter includes the following sections:
• Routed Mode Overview, page 12-1
• Transparent Mode Overview, page 12-8
Routed Mode Overview
• IP Routing Support, page 12-2
• Network Address Translation, page 12-2
• How Data Moves Through the Security Appliance in Routed Firewall Mode, page 12-3