That looks correct; any non-IP traffic must be explicitly enabled using ethertype ACLs regardless of the direction. I just can't seem to verify the nat-control statement, as I could not find any reference to the effect of that command on a transparent firewall vs. a routed firewall. I guess we assume it does the same thing in both modes.
From: [email protected] [mailto:[email protected]] On Behalf Of Kingsley Charles
Sent: Monday, October 05, 2009 9:08 PM
To: [email protected]
Subject: Re: [OSL | CCIE_Security] IP traffic default allowed in transparent firewall

I did a quick investigation. Please correct me if I am missing something.

With transparent firewall:
* All IP traffic is allowed from the higher security level interface to the lower level, and the response is allowed back.
* To allow any traffic from the lower level to the higher level, an ACL should be configured to allow the traffic.
* If nat-control is enabled, then NAT or static is mandatory; else traffic is not allowed to cross the ASA.
* For non-IP traffic, an ethertype ACL is mandatory for both higher and lower security interfaces.

With regards
Kings

On Mon, Oct 5, 2009 at 3:18 PM, Kingsley Charles <[email protected]> wrote:

Hi all

If I have the ASA configured as a transparent firewall, the ARP traffic is allowed across the firewall without the need for ACLs to be configured. But for any other layer 3 traffic, do we need to allow them using ACLs? For IP to cross the ASA, do we need to configure IP ACLs? Do I need the following?

access-list mine permit ip any any
access-group mine in interface inside
access-group mine in interface outside

I am seeing an inconsistency in my ASA. Initially I was able to telnet across the ASA only with the above configured; later it worked without the ACLs.

With regards
Kings
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com
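The configuration below is an added illustration of the rules worked out in the thread above; it is not a config posted by either participant. It assumes ASA 8.0/8.2-era transparent-mode syntax (global management "ip address", "nat-control" still present), interface names "inside" and "outside", and the addresses 192.168.1.0/24 and host 192.168.1.10, all of which are invented for the example. Rather than the "permit ip any any" applied on both interfaces in the original question, it only opens the lower-security (outside) interface for the one inbound flow that needs it, relies on the higher-to-lower default for the rest, and enables the non-IP protocols the thread says must be permitted explicitly in both directions.

```cisco
! Added example, not from the thread. Names, addresses and the ASA 8.2-era
! syntax are assumptions; adapt to your platform and software version.
firewall transparent
!
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Transparent-mode management address (assumed 192.168.1.2/24); it is
! the only IP the ASA itself owns and is not a routing hop for transit traffic.
ip address 192.168.1.2 255.255.255.0
!
! Per the thread, IP traffic from inside (100) to outside (0) is allowed by
! default and replies return through the connection table, so no inbound ACL
! is needed on the higher-security interface for that direction.
!
! Lower-to-higher IP traffic needs an explicit permit. Only the telnet test
! flow to host 192.168.1.10 is opened instead of "permit ip any any".
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.10 eq telnet
access-group OUTSIDE_IN in interface outside
!
! Non-IP frames are not covered by extended ACLs. The thread states they must
! be explicitly permitted with an ethertype ACL on both interfaces regardless
! of direction; this allows spanning-tree BPDUs and IPX and drops other non-IP.
access-list NON_IP ethertype permit bpdu
access-list NON_IP ethertype permit ipx
access-group NON_IP in interface inside
access-group NON_IP in interface outside
!
! The thread notes that with nat-control enabled a NAT or static entry becomes
! mandatory for traffic to cross the ASA. Disabling it removes that requirement;
! with it enabled you would instead need, e.g., a "static" for 192.168.1.10.
no nat-control
```

To check the result, "show access-list" shows hit counts on both the extended and the ethertype entries, and "show conn" confirms that an inside-initiated session was built without any inbound ACL on the inside interface, which matches the behaviour the original poster saw once the "mine" ACLs were removed.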
