Transparent Firewalls and VPNs

When the Cisco ASA runs in transparent mode, the following limitations and restrictions apply to configuring the IPSec tunnels on it:

  • The ASA can terminate the IPSec tunnels for management purposes only. That means you cannot establish an IPSec tunnel to pass traffic through the Cisco ASA.
  • An IPSec tunnel is allowed only if the ASA is running in single mode. Multimode transparent firewalls and IPSec VPNs are not supported.
  • WebVPN and IPSec remote-access VPNs are not supported. You can configure only one site-to-site IPSec tunnel, which needs to be set up in answer mode to respond to a tunnel request.
  • The ASA does not affect the IPSec tunnels going through it. You may still set up ACLs to block unnecessary IPSec traffic passing through the ASA.
  • Because routing protocols are not supported in transparent mode, reverse route injection (RRI) is also not supported.
  • The IPSec tunnel uses the management IP address to terminate the connection. The IPSec tunnel could be terminated on either interface, inside or outside.
  • Load balancing, stateful failover, QoS, and NAT over the VPN tunnel are not supported in IPSec VPN implementations.
  • NAT Traversal (NAT-T) and public key infrastructure (PKI) are fully supported in transparent mode for the management tunnel.
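
The restrictions above can be checked mechanically against a saved configuration. The following Python audit is an added example, not code from the book or from Cisco; the sample configuration, the map name MGMT, and the addresses are constructed, and it covers only the tunnel-count, answer-mode, RRI, and WebVPN rules.

```python
import re

# Constructed sample configuration (not from the book); addresses are
# documentation ranges and the map name MGMT is an assumption.
SAMPLE_CONFIG = """\
firewall transparent
ip address 192.0.2.5 255.255.255.0
crypto map MGMT 10 match address MGMT_VPN
crypto map MGMT 10 set peer 198.51.100.7
crypto map MGMT 10 set connection-type answer-only
crypto map MGMT 20 set peer 203.0.113.9
crypto map MGMT 20 set reverse-route
crypto map MGMT interface outside
webvpn
"""

ENTRY = re.compile(r"crypto map (\S+) (\d+) ((?:set|match) .+)")

def audit_transparent_vpn(config):
    """Return findings where a transparent-mode config breaks the VPN rules."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    if "firewall transparent" not in lines:
        return []  # routed mode: these restrictions do not apply
    entries = {}  # (map name, sequence number) -> settings of that entry
    for ln in lines:
        m = ENTRY.match(ln)
        if m:
            entries.setdefault((m.group(1), int(m.group(2))), []).append(m.group(3))
    # An entry with a peer is treated as one site-to-site tunnel.
    tunnels = {k: v for k, v in entries.items()
               if any(s.startswith("set peer ") for s in v)}
    findings = []
    if len(tunnels) > 1:
        findings.append(f"{len(tunnels)} site-to-site tunnels; only one is allowed")
    for (name, seq), settings in sorted(tunnels.items()):
        # With no connection-type line the entry is not in answer mode.
        if "set connection-type answer-only" not in settings:
            findings.append(f"crypto map {name} {seq}: not answer-only")
        if any(s.startswith("set reverse-route") for s in settings):
            findings.append(f"crypto map {name} {seq}: RRI is not supported")
    if "webvpn" in lines:
        findings.append("webvpn: WebVPN is not supported")
    return findings

if __name__ == "__main__":
    for finding in audit_transparent_vpn(SAMPLE_CONFIG):
        print(finding)
```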




Cisco ASA: All-in-One Firewall, IPS, and VPN Adaptive Security Appliance
ISBN: 1587052091
EAN: 2147483647
Year: 2006
Pages: 231