Transparent Firewalls and VPNs

When the Cisco ASA runs in transparent mode, the following limitations and restrictions apply to configuring the IPSec tunnels on it:

• The ASA can terminate the IPSec tunnels for management purposes only. That means you cannot establish an IPSec tunnel to pass traffic through the Cisco ASA.
• An IPSec tunnel is allowed only if the ASA is running in single mode. Multimode transparent firewalls and IPSec VPNs are not supported.
• WebVPN and IPSec remote-access VPNs are not supported. You can configure only one site-to-site IPSec tunnel, which needs to be set up in answer mode to respond to a tunnel request.
• The ASA does not affect the IPSec tunnels going through it. You may still set up ACLs to block unnecessary IPSec traffic passing through the ASA.
• Because routing protocols are not supported in transparent mode, reverse route injection (RRI) is also not supported.
• The IPSec tunnel uses the management IP address to terminate the connection. The IPSec tunnel could be terminated on either interfaceinside or outside.
• Load balancing, stateful failover, QoS, and NAT over the VPN tunnel are not supported in IPSec VPN implementations.
• NAT Traversal (NAT-T) and public key infrastructure (PKI) are fully supported in transparent mode for the management tunnel.