That is correct :).
You can add an extra line to that:
- ARPs are allowed through the transparent firewall in both directions without
an access list.

Note also that NATting is only supported on transparent firewalls starting
from version 8; it was not available in version 7.x.

Reference:
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/fwmode.html#wp1201980

Cheers
Nabil Omar


Date: Mon, 5 Oct 2009 15:37:48 +0530
From: [email protected]
To: [email protected]
Subject: Re: [OSL | CCIE_Security] IP traffic default allowed in transparent firewall

I did a quick investigation.

Please correct me if I am missing something.

With transparent firewall:

All IP traffic is allowed from the higher security level interface to the lower
level, and the response is allowed back.
To allow any traffic from the lower level to the higher level, an ACL should be
configured to allow the traffic.
If nat-control is enabled, then NAT or static is mandatory; otherwise traffic is
not allowed to cross the ASA.
For non-IP traffic, an ethertype ACL is mandatory for both the higher and lower
security interfaces.

With regards
Kings
On Mon, Oct 5, 2009 at 3:18 PM, Kingsley Charles <[email protected]>
wrote:

Hi all

If I have the ASA configured as a transparent firewall, the ARP traffic is
allowed across the firewall without the need for ACLs to be configured. But for
any other layer 3 traffic, do we need to allow them using ACLs?

For IP to cross the ASA, do we need to configure IP ACLs? Do I need the
following?

access-list mine permit ip any any

access-group mine in interface inside
access-group mine in interface outside

I am seeing an inconsistency in my ASA. Initially I was able to telnet across
the ASA only with the above configured; later it worked without the ACLs.

With regards
Kings