When the Cisco ASA runs in transparent mode, the following limitations and restrictions apply to configuring the IPSec tunnels on it:
- The ASA can terminate the IPSec tunnels for management purposes only. That means you cannot establish an IPSec tunnel to pass traffic through the Cisco ASA.
- An IPSec tunnel is allowed only if the ASA is running in single mode. Multimode transparent firewalls and IPSec VPNs are not supported.
- WebVPN and IPSec remote-access VPNs are not supported. You can configure only one site-to-site IPSec tunnel, which needs to be set up in answer mode to respond to a tunnel request.
- The ASA does not affect the IPSec tunnels going through it. You may still set up ACLs to block unnecessary IPSec traffic passing through the ASA.
- Because routing protocols are not supported in transparent mode, reverse route injection (RRI) is also not supported.
- The IPSec tunnel uses the management IP address to terminate the connection. The IPSec tunnel could be terminated on either interfaceinside or outside.
- Load balancing, stateful failover, QoS, and NAT over the VPN tunnel are not supported in IPSec VPN implementations.
- NAT Traversal (NAT-T) and public key infrastructure (PKI) are fully supported in transparent mode for the management tunnel.