CCNP BCMSN Exam Certification Guide (3rd Edition)
|
11-1. IOS Transparent Firewall
Usually, an IOS firewall operates in routed firewall mode, in which each interface has an IP address and packets are handled as if the firewall is a Layer 3 device. After all, an IOS firewall has a router at its core. Having a router already positioned in a network facilitates a straightforward configuration of the firewall functions without disrupting or segmenting the existing IP addressing structure. Each router interface just receives firewall inspection configuration on top of the normal routing functions. You can also configure an IOS firewall as a transparent firewall, operating as a Layer 2 device. Doing so can be useful in some environments, because the firewall can be introduced into an existing network without changing the IP addressing. The transparent firewall acts as a Layer 2 transparent bridge, in which each interface inspects and passes traffic without appearing to be a Layer 3 gateway. A transparent firewall forwards traffic based on the Layer 2 MAC addresses. In fact, a transparent IOS firewall uses transparent bridging to maintain a MAC address table used to locate hosts. Stateful traffic inspection still occurs at Layer 3 and higher. Figure 11-1 illustrates the transparent IOS firewall operation 1. Host A sends a packet to Host B. Notice that Hosts A and B are located on the same IP subnet. Their local-ip and foreign-ip addresses only designate that "local" is on the inside of the firewall and "foreign" is on the outside. Figure 11-1. Transparent IOS Firewall Operation
Transparent IOS firewall operation is configured as two separate mechanisms:
Cisco IOS software releases that support the transparent firewall feature automatically "join" these two functions and allow CBAC inspection to occur within the bridge group interfaces. NOTE The transparent IOS firewall feature is available in select Cisco IOS software releases, beginning with 12.3(7)T. Currently, only the following router platforms are supported: Cisco 806, 831, 836, 837, 1701, 1710, 1711, 1712, 1721, 1751, 1760, 1841, 2811, 2821, 2851, 3825, and 3845. If you intend to use the transparent IOS firewall feature, be sure to confirm that your router and IOS release support it. Be aware that the commands needed to configure a transparent firewall are also supported individually in many router platforms and releases. When you configure the bridge-group, ip inspect, and access-list commands, they all might be accepted, even if transparent firewall isn't supported on that platform. In that case, traffic is bridged without passing through any inspection! Even the access list applied on a bridged interface is not consulted. In other words, you might find yourself configuring a transparent firewall, only to find that it isn't a firewall after all. You should verify that the transparent firewall feature is supported on your router platform before configuring it. To do this, use the Cisco Feature Navigator or enter this command on your router: IOSFirewall# debug ip inspect ?
Then look for the L2-transparent keyword. If it is in the list, the transparent firewall feature is supported; otherwise, don't attempt to configure the router as a transparent firewall.
Configuring a Transparent IOS Firewall
A transparent IOS firewall is configured in two stages:
This section covers transparent bridging configuration, and section 11-3, "Configuring IOS Firewall Stateful Inspection," covers CBAC inspection. Address translation is not used in transparent firewall operation. TIP An IOS firewall can operate in routed and transparent firewall modes simultaneously. This is because a router can both route and bridge traffic across the appropriately configured interfaces. The interfaces involved in transparent mode should be configured to participate in a bridge group, and interfaces involved in routed mode should be given IP addresses and not be bridged.
Follow these steps to configure a transparent IOS firewall:
|
|