11-1. IOS Transparent Firewall

Usually, an IOS firewall operates in routed firewall mode, in which each interface has an IP address and packets are handled as if the firewall were a Layer 3 device. After all, an IOS firewall has a router at its core. Having a router already positioned in a network makes it straightforward to configure the firewall functions without disrupting or segmenting the existing IP addressing structure: each router interface simply receives firewall inspection configuration on top of its normal routing functions.

You can also configure an IOS firewall as a transparent firewall, operating as a Layer 2 device. This can be useful in some environments, because the firewall can be introduced into an existing network without changing the IP addressing. The transparent firewall acts as a Layer 2 transparent bridge: each interface inspects and passes traffic without appearing to be a Layer 3 gateway. A transparent firewall forwards traffic based on Layer 2 MAC addresses; in fact, a transparent IOS firewall uses transparent bridging to maintain a MAC address table that it uses to locate hosts. Stateful traffic inspection still occurs at Layer 3 and higher.

Figure 11-1 illustrates transparent IOS firewall operation. In step 1, Host A sends a packet to Host B. Notice that Hosts A and B are located on the same IP subnet. Their local-ip and foreign-ip designations only indicate that "local" is on the inside of the firewall and "foreign" is on the outside.

Figure 11-1. Transparent IOS Firewall Operation

Transparent IOS firewall operation is configured as two separate mechanisms:

- Transparent bridging, which forwards frames between the interfaces of a bridge group at Layer 2
- CBAC stateful inspection, applied to the interfaces in that bridge group
Cisco IOS software releases that support the transparent firewall feature automatically "join" these two functions and allow CBAC inspection to occur within the bridge group interfaces.

NOTE
The transparent IOS firewall feature is available in select Cisco IOS software releases, beginning with 12.3(7)T. Currently, only the following router platforms are supported: Cisco 806, 831, 836, 837, 1701, 1710, 1711, 1712, 1721, 1751, 1760, 1841, 2811, 2821, 2851, 3825, and 3845. If you intend to use the transparent IOS firewall feature, be sure to confirm that your router and IOS release support it.

Be aware that the commands needed to configure a transparent firewall are also supported individually in many router platforms and releases. When you configure the bridge-group, ip inspect, and access-list commands, they all might be accepted even if the transparent firewall feature isn't supported on that platform. In that case, traffic is bridged without passing through any inspection! Even the access list applied on a bridged interface is not consulted. In other words, you might find yourself configuring a transparent firewall, only to find that it isn't a firewall after all.

Verify that the transparent firewall feature is supported on your router platform before configuring it. To do this, use the Cisco Feature Navigator or enter this command on your router:

IOSFirewall# debug ip inspect ?

Then look for the L2-transparent keyword in the list of options. If it is present, the transparent firewall feature is supported; otherwise, don't attempt to configure the router as a transparent firewall.

Configuring a Transparent IOS Firewall

A transparent IOS firewall is configured in two stages:

1. Configure transparent bridging: place the firewall interfaces in a bridge group.
2. Configure CBAC stateful inspection on the bridged interfaces.
This section covers the transparent bridging configuration; Section 11-3, "Configuring IOS Firewall Stateful Inspection," covers CBAC inspection. Address translation is not used in transparent firewall operation.

TIP
An IOS firewall can operate in routed and transparent firewall modes simultaneously, because a router can both route and bridge traffic across appropriately configured interfaces. The interfaces involved in transparent mode should be configured to participate in a bridge group, and the interfaces involved in routed mode should be given IP addresses and not be bridged.

Follow these steps to configure a transparent IOS firewall:
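The two stages carried through end to end, as an added example that is not taken from the book or from Cisco's documentation. The interface names (FastEthernet0/0 inside, FastEthernet0/1 outside), the bridge group number, the inspection rule name INSIDE-OUT, the ACL name OUTSIDE-IN, and the BVI management address 192.168.1.254/24 are all assumptions chosen for illustration. The BVI is optional; it only gives the firewall itself a management address on the bridged subnet and is not needed for the hosts' traffic to pass.

```cisco
! Added example (hypothetical interface names, addresses and rule names).
!
! Stage 1: transparent bridging. Both firewall interfaces join bridge group 1
! and carry no IP address, so the router forwards between them at Layer 2
! using the bridge group's MAC address table.
bridge 1 protocol ieee
!
interface FastEthernet0/0
 description Inside (bridged, no IP address)
 no ip address
 bridge-group 1
!
interface FastEthernet0/1
 description Outside (bridged, no IP address)
 no ip address
 bridge-group 1
!
! Optional: a bridge-group virtual interface for managing the firewall itself.
! IRB routes only the traffic addressed to the BVI; host-to-host traffic
! between the bridged interfaces is still bridged, not routed.
bridge irb
bridge 1 route ip
interface BVI1
 ip address 192.168.1.254 255.255.255.0
!
! Stage 2: CBAC stateful inspection on the bridged interfaces (Section 11-3).
! Sessions that originate on the inside are inspected ...
ip inspect name INSIDE-OUT tcp
ip inspect name INSIDE-OUT udp
ip inspect name INSIDE-OUT icmp
!
! ... and everything unsolicited arriving on the outside is denied. CBAC
! inserts temporary permit entries ahead of this ACL for return traffic of
! the sessions it has inspected, so no static permit is needed here.
ip access-list extended OUTSIDE-IN
 deny ip any any
!
interface FastEthernet0/0
 ip inspect INSIDE-OUT in
!
interface FastEthernet0/1
 ip access-group OUTSIDE-IN in
!
! Verification (exec mode):
!   show bridge 1             - MAC addresses learned on each bridged interface
!   show ip inspect interfaces - inspection rule and ACL bound to each interface
!   show ip inspect sessions  - one entry per inspected session; local-ip is the
!                               inside host, foreign-ip the outside host
```

The practical test for the trap described in the NOTE above is the last verification command: open a connection from an inside host to an outside host and run show ip inspect sessions. If the connection succeeds but no session entry appears, the router is bridging the traffic without inspecting it, and the outside ACL is not being consulted either; the platform or IOS release does not support the transparent firewall feature, no matter that it accepted every command.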